Hi,

Looking for some help with this issue, been struggling for a few weeks

We run a file server using Samba 4.9.5 (openSUSE Leap 15.2
4.9.5+git.343.4bc358522a9-lp151.2.27.1).

Active Directory using Windows Server 2016. The Samba server is a
member of the domain. Windows 10 desktops and Linux desktops are also
domain members.

Windows 10 desktops map network drives to the Samba server, no issues
seen. Everything appears to be working.

Linux desktops map shares using GVFS `gio mount` command and
authenticate with user's kerberos ticket.

After 10 hours or so, the gio mounts become inaccessible. GNOME
Nautilus gives error "invalid argument".

GVFS debug log shows

smbc_stat(smb://fileserver.domain.co.uk/share)
SMBC_getatr: sending qpathinfo
map_errno_from_nt_status: 32 bit codes: code=c000035c
smbc errno NT_STATUS_NETWORK_SESSION_EXPIRED -> 22
smb: send_reply(0x7fb930002840), failed=1 (Invalid argument)
smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=24714)
smb: Queued new job 0x7fb924007700 (GVfsJobQueryInfo)

These Linux desktops also mount shares from a Windows Server 2012
server, using gio mount, and do not experience the same issue. Only
when Linux desktops map to the Samba server do we see this issue

Thanks

This e-mail and any files transmitted with it are confidential and may be
legally privileged. If you receive it in error or are not the intended recipient
you must not copy, distribute or take any action in reliance upon it. Instead,
please notify us immediately by telephoning +44 (20) 7482 0077 and delete the
material from your systems. Smartodds is a business carried on by Smartodds
Limited, a company registered with the Registrar of Companies for England and
Wales with number 05108548. Registered office: Unit 540 Highgate Studios, 53-79
Highgate Road, London NW5 1TL

Check
/etc/krb5.conf
[libdefaults]
default_realm = YOUR.INTERNAL.REALM
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4 < this one best is to match the windows defaults.
(see:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket
)
forwardable = true
proxiable = true
And, is keyutils installed?
Pam settings correct to use cached passwords?
All I can say here, because I don't know SUSE that well.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> David Mace via samba
> Sent: Monday 7 September 2020 10:51
> To: samba at lists.samba.org
> Subject: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
>
> Hi,
>
> Looking for some help with this issue, been struggling for a few weeks
>
> We run a file server using Samba 4.9.5 (openSUSE Leap 15.2
> 4.9.5+git.343.4bc358522a9-lp151.2.27.1).
>
> Active Directory using Windows Server 2016. The Samba server is a
> member of the domain. Windows 10 desktops and Linux desktops are also
> domain members.
>
> Windows 10 desktops map network drives to the Samba server, no issues
> seen. Everything appears to be working.
>
> Linux desktops map shares using GVFS `gio mount` command and
> authenticate with user's kerberos ticket.
>
> After 10 hours or so, the gio mounts become inaccessible. GNOME
> Nautilus gives error "invalid argument".
>
> GVFS debug log shows
>
> smbc_stat(smb://fileserver.domain.co.uk/share)
> SMBC_getatr: sending qpathinfo
> map_errno_from_nt_status: 32 bit codes: code=c000035c
> smbc errno NT_STATUS_NETWORK_SESSION_EXPIRED -> 22
> smb: send_reply(0x7fb930002840), failed=1 (Invalid argument)
> smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=24714)
> smb: Queued new job 0x7fb924007700 (GVfsJobQueryInfo)
>
>
> These Linux desktops also mount shares from a Windows Server 2012
> server, using gio mount, and do not experience the same issue. Only
> when Linux desktops map to the Samba server do we see this issue
>
> Thanks

On 07/09/2020 09:51, David Mace via samba wrote:
> Hi,
>
> Looking for some help with this issue, been struggling for a few weeks
>
> We run a file server using Samba 4.9.5 (openSUSE Leap 15.2
> 4.9.5+git.343.4bc358522a9-lp151.2.27.1).
>
> Active Directory using Windows Server 2016. The Samba server is a
> member of the domain. Windows 10 desktops and Linux desktops are also
> domain members.
>
> Windows 10 desktops map network drives to the Samba server, no issues
> seen. Everything appears to be working.
>
> Linux desktops map shares using GVFS `gio mount` command and
> authenticate with user's kerberos ticket.
>
> After 10 hours or so, the gio mounts become inaccessible. GNOME
> Nautilus gives error "invalid argument".
>
> GVFS debug log shows
>
> smbc_stat(smb://fileserver.domain.co.uk/share)
> SMBC_getatr: sending qpathinfo
> map_errno_from_nt_status: 32 bit codes: code=c000035c
> smbc errno NT_STATUS_NETWORK_SESSION_EXPIRED -> 22
> smb: send_reply(0x7fb930002840), failed=1 (Invalid argument)
> smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=24714)
> smb: Queued new job 0x7fb924007700 (GVfsJobQueryInfo)
>
> These Linux desktops also mount shares from a Windows Server 2012
> server, using gio mount, and do not experience the same issue. Only
> when Linux desktops map to the Samba server do we see this issue
>
> Thanks

Sounds like the ticket is expiring, can we see your smb.conf

Rowland

Hi Thanks,
This is my /etc/krb5.conf from the client and the server (they are the
same).
[libdefaults]
    default_realm = DOMAIN.CO.UK
    clockskew = 300
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
    DOMAIN.CO.UK = {
        kdc = ad05.DOMAIN.co.uk
        kdc = ad06.DOMAIN.co.uk
        default_domain = DOMAIN.co.uk
        admin_server = ad05.DOMAIN.co.uk
        auth_to_local RULE:[1:$0#$1](^DOMAIN.CO.UK#.*)s/^.*#/DOMAIN\/
        auth_to_local = DEFAULT
    }
[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
[domain_realm]
    .DOMAIN.co.uk = DOMAIN.CO.UK
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
    }
This is my /etc/samba/smb.conf from client and server (the same apart
from the "Group" share defined on the server)
[global]
workgroup = DOMAIN
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap config * : backend = tdb
idmap config * : range = 5000-9999
idmap config SMARTODDS : backend = rid
idmap config SMARTODDS : range = 10000-999999
idmap config SMARTBAPPS : backend = rid
idmap config SMARTBAPPS : range = 1000000-9999999
template shell = /bin/bash
template homedir = /home/%D/%U
kerberos method = secrets and keytab
realm = DOMAIN.CO.UK
security = ADS
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = yes
winbind refresh tickets = yes
rpc_daemon:fssd = fork
registry shares = yes
include = registry
load printers = no
disable spoolss = yes
map acl inherit = yes
store dos attributes = yes
deadtime = 15
bind interfaces only = yes
interfaces = eth0
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
[Group]
comment = Group Drive
path = /data/Group
read only = no
browseable = yes
inherit owner = unix only
inherit acls = yes
dos filemode = yes
acl group control = yes
acl_xattr:ignore system acls = yes
vfs objects = acl_xattr btrfs snapper
This is my /etc/security/pam_winbind.conf (the same on client and
server)
[global]
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
require_membership_of = S-1-5-21-1634878560-3557012951-3523748453-17244
# omit pam conversations
silent = yes
Thanks
David
-----Original Message-----
From: Rowland penny via samba <samba at lists.samba.org>
Reply-To: Rowland penny <rpenny at samba.org>
To: samba at lists.samba.org
Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
Date: Mon, 07 Sep 2020 10:41:55 +0100
On 07/09/2020 09:51, David Mace via samba wrote:
> Hi,
>
> Looking for some help with this issue, been struggling for a few
> weeks
>
> We run a file server using Samba 4.9.5 (openSUSE Leap 15.2
> 4.9.5+git.343.4bc358522a9-lp151.2.27.1).
>
> Active Directory using Windows Server 2016. The Samba server is a
> member of the domain. Windows 10 desktops and Linux desktops are also
> domain members.
>
> Windows 10 desktops map network drives to the Samba server, no issues
> seen. Everything appears to be working.
>
> Linux desktops map shares using GVFS `gio mount` command and
> authenticate with user's kerberos ticket.
>
> After 10 hours or so, the gio mounts become inaccessible. GNOME
> Nautilus gives error "invalid argument".
>
> GVFS debug log shows
>
> smbc_stat(smb://fileserver.domain.co.uk/share)
> SMBC_getatr: sending qpathinfo
> map_errno_from_nt_status: 32 bit codes: code=c000035c
> smbc errno NT_STATUS_NETWORK_SESSION_EXPIRED -> 22
> smb: send_reply(0x7fb930002840), failed=1 (Invalid argument)
> smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=24714)
> smb: Queued new job 0x7fb924007700 (GVfsJobQueryInfo)
>
>
> These Linux desktops also mount shares from a Windows Server 2012
> server, using gio mount, and do not experience the same issue. Only
> when Linux desktops map to the Samba server do we see this issue
>
> Thanks
Sounds like the ticket is expiring, can we see your smb.conf
Rowland
Hi,
Keyutils is installed and PAM settings appear correct, and cached credentials do
work
I did add
winbind refresh tickets = yes
After joining the Samba server to the domain. I did restart the machine after
adding this setting. I am assuming this is enough?
I am also wondering if this is acceptable?
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
Should the ticket lifetime and renew lifetime be the same? Wondering what the
best practice is here
Thanks
David
-----Original Message-----
From: L.P.H. van Belle via samba <samba at lists.samba.org>
Reply-To: L.P.H. van Belle <belle at bazuin.nl>
To: samba at lists.samba.org
Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
Date: Mon, 07 Sep 2020 11:23:49 +0200
Check
/etc/krb5.conf
[libdefaults]
default_realm = YOUR.INTERNAL.REALM
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4 < this one best is to match the windows defaults.
(see:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket
)
forwardable = true
proxiable = true
And, is keyutils installed?
Pam settings correct to use cached passwords?
All I can say here, because I don't know SUSE that well.
Greetz,
Louis
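
An added example, not part of any message in the thread: a small Python check that reads the `ticket_lifetime` / `renew_lifetime` values from a krb5.conf like the one posted above and works out what a KDC would actually grant. The KDC caps (10 hour tickets, 7 day renewal, the Active Directory defaults), the 1 day fallback for an unset `ticket_lifetime`, and the function names are assumptions of this example, not values taken from the thread.

```python
import re

# Constructed sample: the lifetime settings from the krb5.conf posted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = DOMAIN.CO.UK
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
    }
"""

# Assumption: the KDC enforces the Active Directory default Kerberos policy
# (10 hour maximum ticket lifetime, 7 day maximum renewal). Check the real policy.
KDC_MAX_TICKET = 10 * 3600
KDC_MAX_RENEW = 7 * 86400
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """Convert krb5.conf durations ('1d', '10h30m', '3600', 'h:m[:s]') to seconds."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):
        return int(text)
    if re.fullmatch(r"\d+:\d+(:\d+)?", text):
        h, m, *s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + (s[0] if s else 0)
    if re.fullmatch(r"(\d+[smhd])+", text):
        return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))
    raise ValueError(f"unrecognised duration: {text!r}")


def requested_lifetimes(conf):
    """Return {section: {key: seconds}} for each ticket/renew lifetime setting."""
    found, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif m := re.fullmatch(r"(ticket_lifetime|renew_lifetime)\s*=\s*(\S+)", line):
            found.setdefault(section, {})[m.group(1)] = parse_duration(m.group(2))
    return found


def effective_window(requested, kdc_ticket=KDC_MAX_TICKET, kdc_renew=KDC_MAX_RENEW):
    """Apply the KDC caps; return (ticket_seconds, renew_till_seconds, renewable)."""
    # 86400 s: assumed client default when ticket_lifetime is not set.
    ticket = min(requested.get("ticket_lifetime", 86400), kdc_ticket)
    renew_till = min(requested.get("renew_lifetime", 0), kdc_renew)
    return ticket, renew_till, renew_till > ticket


if __name__ == "__main__":
    for section, req in requested_lifetimes(SAMPLE_KRB5_CONF).items():
        ticket, renew_till, renewable = effective_window(req)
        print(f"[{section}] ticket {ticket / 3600:g} h, renew until "
              f"{renew_till / 3600:g} h, renewable={renewable}")
```

Under those assumed caps the posted `1d` / `1d` request yields a 10 hour ticket that can be renewed up to 24 hours after issue; `klist` on the desktop shows the values the KDC really granted.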