Aaron Johnson
2022-Aug-22 19:42 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
Thanks for the swift response, Rowland! I've added 'myserver.mydomain.myorg.com' to /etc/hosts; restarted smbd, nmbd, and winbind; tried smbclient -L ... again; and don't see any difference in the results.

I'm happy to share the sanitized logs if that would make a difference. (Would have done at the outset, but didn't see people sending more than brief excerpts as I browsed the archives.)

From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Date: Monday, August 22, 2022 at 1:28 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] authn timeouts enumerating (and connecting to) shares

On Mon, 2022-08-22 at 18:56 +0000, Aaron Johnson via samba wrote:
> Hello Samba users!
>
> I'm experiencing an odd (hopefully, it's odd to everyone and not just
> me) issue with Alma Linux 8.6's samba-4.15.5-8.el8_6.x86_64 (and
> related) release.
>
> In short, I have a domain member Samba server with just the magic
> [homes] share defined in smb.conf. Mildly sanitized 'testparm -s'
> output:
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> ldap connection timeout = 3
> ldap timeout = 3
> load printers = No
> log file = /var/log/samba/%m.log
> log level = kerberos:10 auth:10 auth_audit:10 winbind:10
> ntlm auth = ntlmv1-permitted
> printcap name = /dev/null
> realm = MYDOMAIN.MYORG.COM
> security = ADS
> server role = member server
> winbind max domain connections = 10
> workgroup = MYDOMAIN
> idmap config MYDOMAIN : range = 100000-9999999
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : backend = ad
> idmap config * : range = 0-99999
> idmap config * : backend = tdb
>
> [homes]
> browseable = No
> comment = Home Directories
> inherit acls = Yes
> read only = No
> valid users = %S %D%w%S
>
> (I've added the 'log level' setting in there as testparm didn't print
> it.)
>
> Trying to list out any shares on this server results in an
> NT_STATUS_IO_TIMEOUT like so:
>
> [myuser at myserver ~]$ time smbclient -d 2 -U MYDOMAIN\\myuser -L
> myserver.myorg.com

That command is interesting, you are trying to connect to 'myserver.myorg.com', yet your realm is 'MYDOMAIN.MYORG.COM', so presumably your dns domain will be 'mydomain.myorg.com'.

I think you should be connecting to 'myserver.mydomain.myorg.com'

Rowland
Rowland Penny
2022-Aug-22 19:59 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
On Mon, 2022-08-22 at 19:42 +0000, Aaron Johnson via samba wrote:
> Thanks for the swift response, Rowland! I've added
> 'myserver.mydomain.myorg.com' to /etc/hosts; restarted smbd, nmbd,
> and winbind; tried smbclient -L ... again; and don't see any
> difference in the results.

What are you connecting to? A Samba AD DC or a Windows DC?

What dns domain is the DC in? Is it 'mydomain.myorg.com' or 'myorg.com'?

Your Unix domain member must be in the same dns domain, you should not need to add anything to /etc/hosts, it should use dns to find 'myserver'.

This is what I get:

pi at rpidc1:~ $ time smbclient -d 2 -U SAMDOM\\rowland -L devstation.samdom.example.com
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface eth0 ip=192.168.0.10 bcast=192.168.0.255 netmask=255.255.255.0
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
Password for [SAMDOM\rowland]:

    Sharename       Type      Comment
    ---------       ----      -------
    data            Disk
    dfs             Disk
    public          Disk
    acltest1        Disk
    acltest2        Disk
    acltest3        Disk
    acltest4        Disk
    IPC$            IPC       IPC Service (Samba Client devstation)
    rowland         Disk      Home Directories
SMB1 disabled -- no workgroup available

real 0m6.758s
user 0m0.102s
sys 0m0.041s

If I embed the password, I get this:

real 0m0.300s
user 0m0.092s
sys 0m0.046s

> I'm happy to share the sanitized logs if that would make a
> difference. (Would have done at the outset, but didn't see people
> sending more than brief excerpts as I browsed the archives.)

We will cross that bridge when we come to it and if required, it will probably need to be posted somewhere, this list strips attachments.

Rowland
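
The hostname-versus-realm comparison raised in this thread, as an added example (not part of either message and not Samba code): it reads the realm from 'testparm -s' style text and checks whether a target name sits in the DNS domain that realm implies. The sample config is constructed from the values quoted above, the function names are hypothetical, and it assumes the DNS domain is the lower-cased realm.

```python
# Constructed sample: a reduced [global] section using the values quoted in the thread.
SAMPLE_TESTPARM = """\
# Global parameters
[global]
    realm = MYDOMAIN.MYORG.COM
    security = ADS
    workgroup = MYDOMAIN

[homes]
    browseable = No
"""


def global_params(testparm_text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in testparm_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf keys are case-insensitive; normalise inner whitespace too
            params[" ".join(key.lower().split())] = value.strip()
    return params


def check_target(testparm_text, target):
    """Compare the DNS domain of `target` with the realm; return (ok, message)."""
    realm = global_params(testparm_text).get("realm", "")
    if not realm:
        return False, "no realm set in [global]"
    expected = realm.lower().rstrip(".")  # assumption: DNS domain == lower-cased realm
    host, _, domain = target.lower().rstrip(".").partition(".")
    if not domain:
        return False, f"'{target}' is a short name; use {host}.{expected}"
    if domain != expected:
        return False, (f"'{target}' is in '{domain}' but the realm implies "
                       f"'{expected}'; try {host}.{expected}")
    return True, f"'{target}' is in the realm's DNS domain '{expected}'"


if __name__ == "__main__":
    for name in ("myserver.myorg.com", "myserver.mydomain.myorg.com"):
        print(check_target(SAMPLE_TESTPARM, name))
```
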