Stefan Kania
2023-Dec-12 18:32 UTC
[Samba] samba fails to connect to windows file share joined to domain
On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> I am using arch linux
> This is my fstab entry using cred for windows domain user
>
> //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
>
> I run hardening kitty scripts.
>
> Windows and osx clients can mount the shares but linux has an issue.
>
> [global]
> netbios name = radiorec
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> winbind sealed pipes = false
> require strong key = false
> winbind sealed pipes:HEBE = true
> require strong key:HEBE = true
> lanman auth = no
> ntlm auth = yes
> ntlm auth = mschapv2-and-ntlmv2-only
> client signing = auto
> server signing = auto
> winbind enum users = yes
> winbind gid = 10000-20000
> workgroup = hebe
> os level = 20
> winbind enum groups = yes
> password server = den-dc01.hebe.us
> preferred master = no
> winbind separator = +
> max log size = 50
> log file = /var/log/samba/log.%m
> dns proxy = no
> realm = hebe.us
> security = ADS
> wins server = 192.168.1.8
> wins proxy = no
> client signing = auto
> server signing = auto
> domain master = auto
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = No
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 300
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> inherit acls = Yes
> map acl inherit = Yes
> acl group control = yes
>
> load printers = no
> debug level = 3
> use sendfile = no
> vfs objects = acl_xattr shadow_copy2
>
> [sysvol]
> path = /usr/share/samba/sysvol
> read only = No
>
> [netlogon]
>
> On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 11 Dec 2023 19:07:47 -0700
>> jacek burghardt via samba <samba at lists.samba.org> wrote:
>>
>>> After running hardening scripts samba can't mount windows shares.
>>
>> What 'hardening scripts', what did they do?
>> Samba doesn't mount anything, it provides the shares to mount.
>>
>>> I get error trying to mount share
>>>
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>
>>
>> That is actually coming from mount.cifs and '-126' is 'Required key not
>> available', so does the user that is doing the mount have a kerberos
>> ticket?
>>
>>> I get following errors:
>>>
>>> [root@radiorec admin]# smbclient -k -L winnas
>>> WARNING: The option -k|--kerberos is deprecated!
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> [root@radiorec admin]# smbclient -L winnas
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> Password for [HEBE\root]:
>>>
>>> [root@radiorec admin]# smbclient -L winnas -U jacek
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>> Password for [HEBE\jacek]:
>>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>>>
>>> Is there a gpo I need to disable, or can I change the config in samba to get shares to mount?
>>>
>>> I see domain relationship failure but wbinfo works
>>
>> I think you need to give us more information:
>> What OS?
>> What version of Samba?
>> The contents of your smb.conf
>> The mount command you are using
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

You did not tell us whether you could join the domain (I think with your smb.conf: "NO", "NEVER"). If your Linux client (I think that's what you are talking about) is not a domain member, you can't use Kerberos. Your smb.conf is (let's be kind) not working.

This could be a start for your smb.conf:

-----------------------
[global]
workgroup = hebe
realm = hebe.us
security = ADS
winbind refresh tickets = Yes
winbind use default domain = yes
idmap config * : range = 10000 - 19999
idmap config hebe : backend = rid
idmap config hebe : range = 100000 - 199999
-----------------------

Then join the domain with "net ads join -U administrator" (or any other user who is a member of the "domain admins" group).

Then to mount the share you can try it via fstab and a credentials file, but every time you change your password the mount will fail. Better use libpam-mount. (You will find a lot of info about configuring libpam-mount with Google.)

With libpam-mount AND as a domain member your Linux client can mount shares using Kerberos for authentication.

Stefan
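A small linter for an smb.conf like the one posted above (an added example, not Samba's own tooling): it parses [global], flags keys set more than once (the posted file repeats client signing, server signing, ntlm auth and the winbind enum options), the deprecated lanman auth that smbclient warns about, options switched to no/false that weaken authentication, and the domain-member essentials from Stefan's minimal config. The sample config is a constructed, cut-down copy of the posted one.

```python
"""Lint an smb.conf [global] section for the problems seen in this thread (added example, not Samba code)."""
from collections import Counter

SAMPLE_SMB_CONF = """\
[global]
   winbind sealed pipes = false
   require strong key = false
   lanman auth = no
   client signing = auto
   workgroup = hebe
   realm = hebe.us
   security = ADS
   client signing = auto
   ldap server require strong auth = No
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
[sysvol]
   path = /usr/share/samba/sysvol
"""  # constructed sample: a cut-down version of the smb.conf posted in the thread

DEPRECATED = {"lanman auth"}  # smbclient itself warns about this one
# Options that weaken authentication or transport protection when set to no/false.
WEAKENED = {"require strong key", "winbind sealed pipes", "ldap server require strong auth"}

def parse_global(text):
    """Return [global] as (key, value) pairs in file order; keys lower-cased, spaces collapsed."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            pairs.append((" ".join(key.lower().split()), value.strip()))
    return pairs

def lint_global(text):
    """Return human-readable findings for the [global] section."""
    pairs = parse_global(text)
    conf = dict(pairs)  # a repeated key silently takes its last value, as in Samba
    dups = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    findings = [f"duplicate: '{k}' set more than once, last value '{conf[k]}' wins" for k in dups]
    findings += [f"deprecated: '{k}', remove it" for k in DEPRECATED & conf.keys()]
    findings += [f"weakened: '{k} = {conf[k]}'" for k in sorted(WEAKENED) if conf.get(k, "").lower() in ("no", "false")]
    if conf.get("security", "").lower() != "ads" or "realm" not in conf:
        findings.append("missing: a domain member needs 'security = ADS' and 'realm'")
    domain = conf.get("workgroup", "").lower()
    if domain and f"idmap config {domain} : backend" not in conf:
        findings.append(f"missing: 'idmap config {domain} : backend' (e.g. rid) and a matching range")
    return findings
```

Running `lint_global(SAMPLE_SMB_CONF)` reports the duplicate, the deprecated key, the three weakened options and the missing per-domain idmap backend; Stefan's minimal config above produces no findings.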
Rowland Penny
2023-Dec-12 18:50 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Tue, 12 Dec 2023 19:32:10 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> > I am using arch linux
> > This is my fstab entry using cred for windows domain user
> >
> > //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
> >
> > I run hardening kitty scripts.
> >
> > Windows and osx clients can mount the shares but linux has an issue.
> >
> > [global]
> > netbios name = radiorec
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > winbind sealed pipes = false
> > require strong key = false
> > winbind sealed pipes:HEBE = true
> > require strong key:HEBE = true
> > lanman auth = no
> > ntlm auth = yes
> > ntlm auth = mschapv2-and-ntlmv2-only
> > client signing = auto
> > server signing = auto
> > winbind enum users = yes
> > winbind gid = 10000-20000
> > workgroup = hebe
> > os level = 20
> > winbind enum groups = yes
> > password server = den-dc01.hebe.us
> > preferred master = no
> > winbind separator = +
> > max log size = 50
> > log file = /var/log/samba/log.%m
> > dns proxy = no
> > realm = hebe.us
> > security = ADS
> > wins server = 192.168.1.8
> > wins proxy = no
> > client signing = auto
> > server signing = auto
> > domain master = auto
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> > ldap server require strong auth = No
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-20000
> > winbind use default domain = Yes
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> > winbind cache time = 300
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
> >
> > inherit acls = Yes
> > map acl inherit = Yes
> > acl group control = yes
> >
> > load printers = no
> > debug level = 3
> > use sendfile = no
> > vfs objects = acl_xattr shadow_copy2
> >
> > [sysvol]
> > path = /usr/share/samba/sysvol
> > read only = No
> >
> > [netlogon]
> >
> > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Mon, 11 Dec 2023 19:07:47 -0700
> >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> >>
> >>> After running hardening scripts samba can't mount windows shares.
> >>
> >> What 'hardening scripts', what did they do?
> >> Samba doesn't mount anything, it provides the shares to mount.
> >>
> >>> I get error trying to mount share
> >>>
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>>
> >>
> >> That is actually coming from mount.cifs and '-126' is 'Required
> >> key not available', so does the user that is doing the mount have
> >> a kerberos ticket?
> >>
> >>> I get following errors:
> >>>
> >>> [root@radiorec admin]# smbclient -k -L winnas
> >>> WARNING: The option -k|--kerberos is deprecated!
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> >>>
> >>> [root@radiorec admin]# smbclient -L winnas
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> Password for [HEBE\root]:
> >>>
> >>> [root@radiorec admin]# smbclient -L winnas -U jacek
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> Password for [HEBE\jacek]:
> >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >>>
> >>> Is there a gpo I need to disable, or can I change the config in samba to get shares to mount?
> >>>
> >>> I see domain relationship failure but wbinfo works
> >>
> >> I think you need to give us more information:
> >> What OS?
> >> What version of Samba?
> >> The contents of your smb.conf
> >> The mount command you are using
> >>
> >> Rowland
> >>
>
> You did not tell us whether you could join the domain (I think with
> your smb.conf: "NO", "NEVER"). If your Linux client (I think that's what
> you are talking about) is not a domain member, you can't use
> Kerberos. Your smb.conf is (let's be kind) not working.
>
> This could be a start for your smb.conf:
> -----------------------
> [global]
> workgroup = hebe
> realm = hebe.us
> security = ADS
> winbind refresh tickets = Yes
> winbind use default domain = yes
> idmap config * : range = 10000 - 19999
> idmap config hebe : backend = rid
> idmap config hebe : range = 100000 - 199999
> -----------------------
>
> Then join the domain with "net ads join -U administrator" (or any
> other user who is a member of the "domain admins" group).
>
> Then to mount the share you can try it via fstab and a credentials file,
> but every time you change your password the mount will fail. Better
> use libpam-mount. (You will find a lot of info about configuring
> libpam-mount with Google.)
>
> With libpam-mount AND as a domain member your Linux client can mount
> shares using Kerberos for authentication.
>
> Stefan
>

Hi Stefan,

Whilst I cannot argue with anything you have written and would agree your setup will work, I still feel we need more information; it seems we are only being told half the story.

Rowland