Hi,

Looking for some help with this issue, been struggling for a few weeks

We run a file server using Samba 4.9.5 (openSUSE Leap 15.2 4.9.5+git.343.4bc358522a9-lp151.2.27.1).

Active Directory using Windows Server 2016. The Samba server is a member of the domain. Windows 10 desktops and Linux desktops are also domain members.

Windows 10 desktops map network drives to the Samba server, no issues seen. Everything appears to be working.

Linux desktops map shares using GVFS `gio mount` command and authenticate with user's Kerberos ticket.

After 10 hours or so, the gio mounts become inaccessible. GNOME Nautilus gives error "invalid argument".

GVFS debug log shows

    smbc_stat(smb://fileserver.domain.co.uk/share)
    SMBC_getatr: sending qpathinfo
    map_errno_from_nt_status: 32 bit codes: code=c000035c
    smbc errno NT_STATUS_NETWORK_SESSION_EXPIRED -> 22
    smb: send_reply(0x7fb930002840), failed=1 (Invalid argument)
    smb: backend_dbus_handler org.gtk.vfs.Mount:QueryInfo (pid=24714)
    smb: Queued new job 0x7fb924007700 (GVfsJobQueryInfo)

These Linux desktops also mount shares from a Windows Server 2012 server, using gio mount, and do not experience the same issue. Only when Linux desktops map to the Samba server do we see this issue

Thanks

This e-mail and any files transmitted with it are confidential and may be legally privileged. If you receive it in error or are not the intended recipient you must not copy, distribute or take any action in reliance upon it. Instead, please notify us immediately by telephoning +44 (20) 7482 0077 and delete the material from your systems. Smartodds is a business carried on by Smartodds Limited, a company registered with the Registrar of Companies for England and Wales with number 05108548. Registered office: Unit 540 Highgate Studios, 53-79 Highgate Road, London NW5 1TL

Check /etc/krb5.conf

    [libdefaults]
    default_realm = YOUR.INTERNAL.REALM

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4    < this one best is to match the Windows defaults.
    (see: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket )
    forwardable = true
    proxiable = true

And, is keyutils installed?
PAM settings correct to use cached passwords?

All I can say here, because I don't know SUSE that well.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> David Mace via samba
> Sent: Monday 7 September 2020 10:51
> To: samba at lists.samba.org
> Subject: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
>
> After 10 hours or so, the gio mounts become inaccessible. GNOME
> Nautilus gives error "invalid argument".
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 07/09/2020 09:51, David Mace via samba wrote:
> After 10 hours or so, the gio mounts become inaccessible. GNOME
> Nautilus gives error "invalid argument".

Sounds like the ticket is expiring, can we see your smb.conf?

Rowland

Hi

Thanks,

This is my /etc/krb5.conf from the client and the server (they are the same).

    [libdefaults]
        default_realm = DOMAIN.CO.UK
        clockskew = 300
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}

    [realms]
        DOMAIN.CO.UK = {
            kdc = ad05.DOMAIN.co.uk
            kdc = ad06.DOMAIN.co.uk
            default_domain = DOMAIN.co.uk
            admin_server = ad05.DOMAIN.co.uk
            auth_to_local RULE:[1:$0#$1](^DOMAIN.CO.UK#.*)s/^.*#/DOMAIN\/
            auth_to_local = DEFAULT
        }

    [logging]
        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

    [domain_realm]
        .DOMAIN.co.uk = DOMAIN.CO.UK

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            renew_lifetime = 1d
            forwardable = true
            proxiable = false
            minimum_uid = 1
        }

This is my /etc/samba/smb.conf from client and server (the same apart from the "Group" share defined on the server)

    [global]
        workgroup = DOMAIN
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap config * : backend = tdb
        idmap config * : range = 5000-9999
        idmap config SMARTODDS : backend = rid
        idmap config SMARTODDS : range = 10000-999999
        idmap config SMARTBAPPS : backend = rid
        idmap config SMARTBAPPS : range = 1000000-9999999
        template shell = /bin/bash
        template homedir = /home/%D/%U
        kerberos method = secrets and keytab
        realm = DOMAIN.CO.UK
        security = ADS
        template shell = /bin/bash
        usershare max shares = 100
        winbind offline logon = yes
        winbind refresh tickets = yes
        rpc_daemon:fssd = fork
        registry shares = yes
        include = registry
        load printers = no
        disable spoolss = yes
        map acl inherit = yes
        store dos attributes = yes
        deadtime = 15
        bind interfaces only = yes
        interfaces = eth0

    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700

    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

    [Group]
        comment = Group Drive
        path = /data/Group
        read only = no
        browseable = yes
        inherit owner = unix only
        inherit acls = yes
        dos filemode = yes
        acl group control = yes
        acl_xattr:ignore system acls = yes
        vfs objects = acl_xattr btrfs snapper

This is my /etc/security/pam_winbind.conf (the same on client and server)

    [global]
        cached_login = yes
        krb5_auth = yes
        krb5_ccache_type = FILE
        require_membership_of = S-1-5-21-1634878560-3557012951-3523748453-17244
        # omit pam conversations
        silent = yes

Thanks
David

-----Original Message-----
From: Rowland penny via samba <samba at lists.samba.org>
Reply-To: Rowland penny <rpenny at samba.org>
To: samba at lists.samba.org
Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
Date: Mon, 07 Sep 2020 10:41:55 +0100

Sounds like the ticket is expiring, can we see your smb.conf?

Rowland

Hi,

Keyutils is installed and PAM settings appear correct, and cached credentials do work

I did add

    winbind refresh tickets = yes

After joining the Samba server to the domain. I did restart the machine after adding this setting. I am assuming this is enough?

I am also wondering if this is acceptable?

    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d

Should the ticket lifetime and renew lifetime be the same? Wondering what the best practice is here

Thanks
David

-----Original Message-----
From: L.P.H. van Belle via samba <samba at lists.samba.org>
Reply-To: L.P.H. van Belle <belle at bazuin.nl>
To: samba at lists.samba.org
Subject: Re: [Samba] NT_STATUS_NETWORK_SESSION_EXPIRED
Date: Mon, 07 Sep 2020 11:23:49 +0200

And, is keyutils installed?
PAM settings correct to use cached passwords?
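
Added example, not part of any message in this thread: a check for the ticket_lifetime / renew_lifetime question asked above. It assumes the KDC enforces the Windows default policy (10 hour maximum ticket lifetime, 7 day maximum renewal); the function names and the sample config are constructed for illustration.

```python
import re

# Assumption: Windows default Kerberos policy (10 h ticket, 7 d renewal).
KDC_MAX_TICKET = 10 * 3600
KDC_MAX_RENEW = 7 * 86400
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample mirroring the [appdefaults] block posted in the thread.
SAMPLE = """
[appdefaults]
pam = {
    ticket_lifetime = 1d
    renew_lifetime = 1d
}
"""

def parse_duration(text):
    """Convert '1d', '10h30m', '36000' or '10:00:00' to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if re.fullmatch(r"\d+(:\d+){1,2}", text):
        parts = [int(p) for p in text.split(":")] + [0]
        return parts[0] * 3600 + parts[1] * 60 + parts[2]
    tokens = re.findall(r"(\d+)\s*([dhms])", text)
    if not tokens or re.sub(r"\d+\s*[dhms]\s*", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in tokens)

def read_lifetimes(conf_text):
    """Return {key: seconds} for the two lifetime keys; the last value wins."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(ticket_lifetime|renew_lifetime)\s*=\s*(\S+)", line)
        if m:
            found[m.group(1)] = parse_duration(m.group(2))
    return found

def assess(conf_text, kdc_ticket=KDC_MAX_TICKET, kdc_renew=KDC_MAX_RENEW):
    """Work out what the KDC would grant and whether renewal can extend it."""
    req = read_lifetimes(conf_text)
    # MIT krb5 defaults when a key is absent: 1 day lifetime, no renewal.
    ticket = min(req.get("ticket_lifetime", 86400), kdc_ticket)
    renew = min(req.get("renew_lifetime", 0), kdc_renew)
    findings = []
    if req.get("ticket_lifetime", 86400) > kdc_ticket:
        findings.append("ticket capped by KDC policy")
    if renew <= ticket:
        findings.append("no renewal window")
    else:
        findings.append("must renew before first expiry")
    return {"ticket_s": ticket, "renew_window_s": max(renew - ticket, 0),
            "findings": findings}

if __name__ == "__main__":
    print(assess(SAMPLE))                        # against the assumed AD defaults
    print(assess(SAMPLE, kdc_ticket=7 * 86400))  # a KDC that does not cap at 10 h
```

With the assumed 10 hour cap the posted values still leave a 14 hour renewal window, so the ticket has to be renewed before its first expiry. If the KDC granted the full day, equal values would leave no window at all.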