L.P.H. van Belle
2021-Dec-30 10:15 UTC
[Samba] Domain admin can't access share on samba dm-server
That a good point yes.. ( the : min domain uid=0 options in smb.conf ) Thanks Christian for pointing it out. Stefan i commented a bit below also.> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > cn--- via samba > Verzonden: woensdag 29 december 2021 19:37 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Domain admin can't access share on > samba dm-server > > Maybe it is the resent security updates? Have you tried > setting min domain uid=0? > > Regards > > > Am 29. Dezember 2021 17:49:31 MEZ schrieb "Stefan G. > Weichinger via samba" <samba at lists.samba.org>: > >Am 29.12.21 um 15:07 schrieb L.P.H. van Belle via samba: > >> First.. > >> > >> Use FQDN's in you shares. > > > >But ... it worked like this for years ;-)And.. After some big security updates it stopped working. It happens ;-)> > > >> Server 2019, (Guest access in SMB2 and SMB3 disabled by > default in Windows) > >> > https://docs.microsoft.com/en-us/troubleshoot/windows-server/n > etworking/guest-access-in-smb2-is-disabled-by-default > > > >I am not guest, I am the domain admin in this context. > > > >> klist -ke shows? Can you show the full output. > > > >here you are: > > > >Keytab name: FILE:/etc/krb5.keytab > > > >KVNO Principal > > > >---- > -------------------------------------------------------------- > ------------ > > > > 5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 5 host/pre01svdeb01.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 5 host/pre01svdeb01.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 5 host/pre01svdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 5 host/pre01svdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 host/server.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 2 host/server.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 2 host/server.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 host/server.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 host/server.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 host/server at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 2 host/server at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 2 host/server at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 host/server at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 host/server at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 host/SERVER at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 3 host/server at MYDOM.AT (DEPRECATED:des-cbc-crc) > > > > 2 host/SERVER at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 3 host/server at MYDOM.AT (DEPRECATED:des-cbc-md5) > > > > 2 host/SERVER at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 3 host/server at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 host/SERVER at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 3 host/server at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 host/SERVER at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 3 host/server at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 cifs/SERVER at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 cifs/SERVER at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 cifs/SERVER at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 cifs/server.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 cifs/server.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 cifs/server.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 cifs/PRE01SVdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 cifs/PRE01SVdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 cifs/PRE01SVdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > > 2 cifs/pre01svdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96) > > > > 2 cifs/pre01svdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96) > > > > 2 cifs/pre01svdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac) > > > >All the entries look fine, i only dont get why i see KVNO 2 and 3 But thats me, i just dont know that..> > > > > > > > > >> For cifs (and nfs) you need the spn format like this. > >> cifs/hostname.internal.domain.tld at REALM.TLD > >> (net ads adds the REALM part automaticly) > >> > >> If your host is using an CNAME for cifs then you need to add, > >> cifs/cname.internal.domain.tld at REALM.TLD also > > > > > >And WHY do I have to set that up again? I understand that > kerberos has to work behind the curtains, but it doesn't > sound efficient to me that this isn't negotiated by the > machines themselves.Did i say setup again? I'll rephrase it next time. I only shows the options and what to set. For example, none of my servers have. cifs/hostname all use FQDN. *( for cifs and nfs that at least)> > > >I mean, in the start I didn't do that either, correct? > > > >> And its really adviced to give these server a PTR record. > > > >There is a PTRGreat, that always helps.> > > >> How i do it. > >> And ALWAYS backup you krb5.keytab file first. > >> Dont know why sometimes ( in my case ) the KNVO is off > >> When that happens i restore the original keytab file. > >> > >> cp /etc/krb5.keytab{,.backup} > >> kinit Administrator > >> net ads keytab add_update_ads cifs/$(hostname -f) > >> > >> Removing wrong entries i do like this, and maybe > >> someone has beter ideas on this, please add it.. > >> > >> !! MAKE THAT BACKUP FIRST !! > >> ktutil > >> rkt /etc/krb5.keytab > >> ? For help. > >> wkt /etc/krb5.keytab.new > >> > >> cp /etc/krb5.keytab.new /etc/krb5.keytab > >> > >> !! If you write the keytab as show above directly into > /etc/krb5.keytab > >> You get everything double. > >> > >> When you use delent nr and you have 1-40 entries. Lets say > entry 21 to 40 are wrong. > >> delent 21 << only one you need.. Just repeat it untill > its all gone. > >> > >> Hope this helped a bit. > > > >Sure, thanks. > > > >I see the path but have to think twice before I touch this > production file server. users use it 24/7 ... my access from > that windows server isn't that important right now > (transferred my ISO via another server ...).Hahah, you know, i had this problem also, 2 weeks ago.. I suggest, first try that min domain uid=0 option.> > > >> Ps. Im picky but.. > >>> idmap config buero:range = 10000-99999 > >>> idmap config buero:backend = rid > >> > >> bero should be BUERO > > > >sigh > > > >I showed the smb.conf-files of that site maybe 10 times here > and every time I get another parameter pointed out as wrong. > I wonder if it ever gets finished ;-)Hihi.. Yeah, or you missed a comment ;-) At least it wasnt wrong, it was good and now its perfect. :-))> > > >Thanks anyway, I appreciate it!Your welkom.
Stefan G. Weichinger
2021-Dec-30 11:15 UTC
[Samba] Domain admin can't access share on samba dm-server
Am 30.12.21 um 11:15 schrieb L.P.H. van Belle via samba:> That a good point yes.. ( the : min domain uid=0 options in smb.conf ) > Thanks Christian for pointing it out.Thanks also. Although it didn't help so far.> Stefan i commented a bit below also.fine>>> I see the path but have to think twice before I touch this >> production file server. users use it 24/7 ... my access from >> that windows server isn't that important right now >> (transferred my ISO via another server ...). > > Hahah, you know, i had this problem also, 2 weeks ago.. > I suggest, first try that min domain uid=0 option.I did, as mentioned above.>>>> Ps. Im picky but.. >>>>> idmap config buero:range = 10000-99999 >>>>> idmap config buero:backend = rid >>>> >>>> bero should be BUERO >>> >>> sigh >>> >>> I showed the smb.conf-files of that site maybe 10 times here >> and every time I get another parameter pointed out as wrong. >> I wonder if it ever gets finished ;-) > > Hihi.. Yeah, or you missed a comment ;-) > At least it wasnt wrong, it was good and now its perfect. :-))Now look at that: # grep idmap /etc/samba/smb.conf # idmap config for domain BUERO idmap config BUERO:backend = rid idmap config BUERO:range = 10000-99999 it already IS perfect I quoted "testparm" (yes, outdated, my fault .. why is it there still if it shouldn't be used anymore?) and testparm shows it in lowercase.