jacek burghardt
2023-Dec-12 16:46 UTC
[Samba] samba fails to connect to windows file share joined to domain
I am using Arch Linux.
This is my fstab entry, using a credentials file for a Windows domain user:

//winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0

I run hardening kitty scripts.
Windows and OS X clients can mount the shares, but Linux has an issue.
[global]
netbios name = radiorec
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
winbind sealed pipes = false
require strong key = false
winbind sealed pipes:HEBE = true
require strong key:HEBE = true
lanman auth = no
ntlm auth = yes
ntlm auth = mschapv2-and-ntlmv2-only
client signing = auto
server signing = auto
winbind enum users = yes
winbind gid = 10000-20000
workgroup = hebe
os level = 20
winbind enum groups = yes
password server = den-dc01.hebe.us
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
realm = hebe.us
security = ADS
wins server = 192.168.1.8
wins proxy = no
client signing = auto
server signing = auto
domain master = auto
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = No
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
vfs objects = acl_xattr shadow_copy2
[sysvol]
path = /usr/share/samba/sysvol
read only = No
[netlogon]
On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Mon, 11 Dec 2023 19:07:47 -0700
> jacek burghardt via samba <samba at lists.samba.org> wrote:
>
> > After running hardening scripts samba can't mount windows shares.
>
> What 'hardening scripts', what did they do ?
> Samba doesn't mount anything, it provides the shares to mount.
>
> > I get an error trying to mount the share
> >
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >
>
> That is actually coming from mount.cifs and '-126' is 'Required key not
> available', so does the user that is doing the mount have a kerberos
> ticket ?
>
> > I get following errors:
> >
> > [root@radiorec admin]# smbclient -k -L winnas
> > WARNING: The option -k|--kerberos is deprecated!
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > mechtype in NEG_TOKEN_INIT
> > session setup failed: NT_STATUS_INVALID_PARAMETER
> >
> > [root@radiorec admin]# smbclient -L winnas
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > Password for [HEBE\root]:
> >
> > [root@radiorec admin]# smbclient -L winnas -U jacek
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > Password for [HEBE\jacek]:
> > session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >
> > Is there a GPO I need to disable, or can I change the config in Samba to get
> > the shares to mount?
> >
> > I see domain relationship failure but wbinfo works
>
> I think you need to give us more information:
> What OS ?
> What version of Samba ?
> The contents of your smb.conf
> The mount command you are using
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland Penny
2023-Dec-12 17:15 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Tue, 12 Dec 2023 09:46:51 -0700
jacek burghardt via samba <samba at lists.samba.org> wrote:

> I am using arch linux
> This is my fstab entry using cred for windows domain user
>
> //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
>
> I run hardening kitty scripts .

Can you provide a link to those scripts ?

> Windows and osx clients can mount the shares but linux has an issue.
>
> [global]
> netbios name = radiorec
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> winbind sealed pipes = false
> require strong key = false
> winbind sealed pipes:HEBE = true
> require strong key:HEBE = true
> lanman auth = no
> ntlm auth = yes
> ntlm auth = mschapv2-and-ntlmv2-only
> client signing = auto
> server signing = auto
> winbind enum users = yes
> winbind gid = 10000-20000
> workgroup = hebe
> os level = 20
> winbind enum groups = yes
> password server = den-dc01.hebe.us
> preferred master = no
> winbind separator = +
> max log size = 50
> log file = /var/log/samba/log.%m
> dns proxy = no
> realm = hebe.us
> security = ADS
> wins server = 192.168.1.8
> wins proxy = no
> client signing = auto
> server signing = auto
> domain master = auto
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 300
> template shell = /bin/bash
> template homedir = /home/%D/%U
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
> load printers = no
> debug level = 3
> use sendfile = no
> vfs objects = acl_xattr shadow_copy2
>
> [sysvol]
> path = /usr/share/samba/sysvol
> read only = No
>
> [netlogon]

To be honest, I am surprised anything can mount the shares (which you haven't provided), but I am more worried about your smb.conf: it appears to be partially for a Unix domain member (but not complete), and the other part appears to be for a DC, but again not complete. What do you think it is ?

Rowland
Stefan Kania
2023-Dec-12 18:32 UTC
[Samba] samba fails to connect to windows file share joined to domain
On 12.12.23 at 17:46, jacek burghardt via samba wrote:

> I am using arch linux
> This is my fstab entry using cred for windows domain user
>
> //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
>
> I run hardening kitty scripts .
>
> Windows and osx clients can mount the shares but linux has an issue.
>
> [global]
> netbios name = radiorec
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> winbind sealed pipes = false
> require strong key = false
> winbind sealed pipes:HEBE = true
> require strong key:HEBE = true
> lanman auth = no
> ntlm auth = yes
> ntlm auth = mschapv2-and-ntlmv2-only
> client signing = auto
> server signing = auto
> winbind enum users = yes
> winbind gid = 10000-20000
> workgroup = hebe
> os level = 20
> winbind enum groups = yes
> password server = den-dc01.hebe.us
> preferred master = no
> winbind separator = +
> max log size = 50
> log file = /var/log/samba/log.%m
> dns proxy = no
> realm = hebe.us
> security = ADS
> wins server = 192.168.1.8
> wins proxy = no
> client signing = auto
> server signing = auto
> domain master = auto
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 300
> template shell = /bin/bash
> template homedir = /home/%D/%U
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
> load printers = no
> debug level = 3
> use sendfile = no
> vfs objects = acl_xattr shadow_copy2
>
> [sysvol]
> path = /usr/share/samba/sysvol
> read only = No
>
> [netlogon]
>
> On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 11 Dec 2023 19:07:47 -0700
>> jacek burghardt via samba <samba at lists.samba.org> wrote:
>>
>>> After running hardening scripts samba cant mount windows shares.
>>
>> What 'hardening scripts', what did they do ?
>> Samba doesn't mount anything, it provides the shares to mount.
>>
>>> I get error trying to mount share
>>>
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>
>>
>> That is actually coming from mount.cifs and '-126' is 'Required key not
>> available', so does the user that is doing the mount have a kerberos
>> ticket ?
>>
>>> I get following errors:
>>>
>>> [root@radiorec admin]# smbclient -k -L winnas
>>> WARNING: The option -k|--kerberos is deprecated!
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> [root@radiorec admin]# smbclient -L winnas
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> Password for [HEBE\root]:
>>>
>>> [root@radiorec admin]# smbclient -L winnas -U jacek
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> Password for [HEBE\jacek]:
>>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>>>
>>> Is there gpo I need to disable or I can change config in samba to get
>>> shares to mount?
>>>
>>> I see domain relationship failure but wbinfo works
>>
>> I think you need to give us more information:
>> What OS ?
>> What version of Samba ?
>> The contents of your smb.conf
>> The mount command you are using
>>
>> Rowland

You did not tell us if you could join the domain (I think with your smb.conf: "NO", "NEVER"). If your Linux client (I think that's what you are talking about) is not a domain member, you can't use Kerberos. Your smb.conf is (let's be kind) not working. This could be a start for your smb.conf:

-----------------------
[global]
        workgroup = hebe
        realm = hebe.us
        security = ADS
        winbind refresh tickets = Yes
        winbind use default domain = yes
        idmap config * : range = 10000 - 19999
        idmap config hebe : backend = rid
        idmap config hebe : range = 100000 - 199999
-----------------------

Then join the domain with "net ads join -U administrator" (or any other user who is a member of the "domain admins" group). Then, to mount the share, you can try it via fstab and a credentials file, but every time you change your password the mount will fail. Better use libpam-mount. (You will find a lot of info about configuring libpam-mount with Google.) With libpam-mount AND as a domain member, your Linux client can mount shares using Kerberos for authentication.

Stefan
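The two replies above make the same point from different angles: the posted smb.conf sets several parameters twice (Samba keeps the last value, so "ntlm auth = yes" is silently overridden), mixes AD DC parameters ("server services", "idmap_ldb:use rfc2307") with Unix domain member parameters ("idmap config * : ..."), and, as Stefan's suggested replacement shows, lacks a per-domain "idmap config hebe : ..." block. The following linter is an added example written for this page; it is not part of the thread and is not a tool shipped by Samba. The DC-only and member-only parameter lists are the example author's own classification based on smb.conf(5), and the two embedded configs are an excerpt of the one posted in the thread and Stefan's suggestion.

```python
"""Lint an smb.conf for the three problems discussed in the thread:
duplicate parameters, AD DC settings mixed into a domain member config,
and a missing per-domain idmap block. Added example, not Samba's own code."""
import re
from collections import defaultdict

# Assumption: these classifications are the example author's reading of
# smb.conf(5); Samba itself ships no such list.
DC_ONLY = {"server services", "idmap_ldb:use rfc2307"}
MEMBER_ONLY = {"winbind use default domain", "winbind refresh tickets",
               "winbind offline logon"}


def normalise_key(key):
    """Lower-case, collapse whitespace and strip spaces around ':' so that
    'idmap config HEBE : backend' and 'idmap config hebe:backend' compare equal,
    which is how Samba treats them."""
    key = re.sub(r"\s+", " ", key.strip().lower())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} keeping every occurrence of a key,
    because a plain dict would hide exactly the duplicates we want to report."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current is None or "=" not in line:
            continue  # text outside any section, or not a 'key = value' line
        key, value = line.split("=", 1)
        sections[current].append((normalise_key(key), value.strip()))
    return sections


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    conf = parse_smb_conf(text)
    for section, items in conf.items():
        seen = {}
        for key, value in items:
            if key in seen:
                findings.append(
                    f"[{section}] '{key}' set twice ({seen[key]!r} then {value!r}); "
                    "Samba keeps the last value, so the first one is dead")
            seen[key] = value
    glob = dict(conf.get("global", []))
    dc = sorted(k for k in glob if k in DC_ONLY)
    member = sorted(k for k in glob
                    if k.startswith("idmap config ") or k in MEMBER_ONLY)
    if dc and member:
        findings.append(
            f"[global] mixes AD DC parameters {dc} with domain member parameters "
            f"{member}; a host is one or the other")
    if glob.get("security", "").lower() == "ads":
        wg = glob.get("workgroup", "").lower()
        if wg and not any(k.startswith(f"idmap config {wg}:") for k in glob):
            findings.append(
                f"[global] security = ADS but no 'idmap config {wg} : ...' block, "
                "so domain users only get ids from the '*' fallback range")
    return findings


# Excerpt of the smb.conf posted in the thread (kept short on purpose).
THREAD_CONF = """\
[global]
        netbios name = radiorec
        ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        client signing = auto
        workgroup = hebe
        realm = hebe.us
        security = ADS
        client signing = auto
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        winbind use default domain = Yes
"""

# Stefan's suggested starting point, as posted above.
SUGGESTED_CONF = """\
[global]
        workgroup = hebe
        realm = hebe.us
        security = ADS
        winbind refresh tickets = Yes
        winbind use default domain = yes
        idmap config * : range = 10000 - 19999
        idmap config hebe : backend = rid
        idmap config hebe : range = 100000 - 199999
"""

if __name__ == "__main__":
    for name, conf in (("thread smb.conf", THREAD_CONF),
                       ("suggested smb.conf", SUGGESTED_CONF)):
        print(f"== {name}")
        for finding in lint(conf) or ["no findings"]:
            print(" -", finding)
```

Run against the thread's config it reports the two duplicated keys, the DC/member mix and the missing "idmap config hebe" block; Stefan's suggestion comes back clean. The check is deliberately syntactic: it does not tell you whether the host is actually joined (for that the thread's advice stands, "net ads join" and then a Kerberos ticket for the mounting user), only whether the file is internally consistent enough to be worth testing.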