Rowland Penny
2023-Dec-12 18:50 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Tue, 12 Dec 2023 19:32:10 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

> On 12.12.23 at 17:46 jacek burghardt via samba wrote:
> > I am using arch linux
> > This is my fstab entry using cred for windows domain user
> >
> > //winnas/radio /radio cifs
> > credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail
> > 0 0
> >
> > I run hardening kitty scripts.
> >
> > Windows and osx clients can mount the shares but linux has an issue.
> >
> > [global]
> > netbios name = radiorec
> > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > winbind sealed pipes = false
> > require strong key = false
> > winbind sealed pipes:HEBE = true
> > require strong key:HEBE = true
> > lanman auth = no
> > ntlm auth = yes
> > ntlm auth = mschapv2-and-ntlmv2-only
> > client signing = auto
> > server signing = auto
> > winbind enum users = yes
> > winbind gid = 10000-20000
> > workgroup = hebe
> > os level = 20
> > winbind enum groups = yes
> > password server = den-dc01.hebe.us
> > preferred master = no
> > winbind separator = +
> > max log size = 50
> > log file = /var/log/samba/log.%m
> > dns proxy = no
> > realm = hebe.us
> > security = ADS
> > wins server = 192.168.1.8
> > wins proxy = no
> > client signing = auto
> > server signing = auto
> > domain master = auto
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> > ldap server require strong auth = No
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-20000
> > winbind use default domain = Yes
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> > winbind cache time = 300
> > template shell = /bin/bash
> > template homedir = /home/%D/%U
> >
> > inherit acls = Yes
> > map acl inherit = Yes
> > acl group control = yes
> >
> > load printers = no
> > debug level = 3
> > use sendfile = no
> > vfs objects = acl_xattr shadow_copy2
> >
> > [sysvol]
> > path = /usr/share/samba/sysvol
> > read only = No
> >
> > [netlogon]
> >
> > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> >> On Mon, 11 Dec 2023 19:07:47 -0700
> >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> >>
> >>> After running hardening scripts samba can't mount windows shares.
> >>
> >> What 'hardening scripts', what did they do ?
> >> Samba doesn't mount anything, it provides the shares to mount.
> >>
> >>> I get an error trying to mount the share
> >>>
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>>
> >>
> >> That is actually coming from mount.cifs and '-126' is 'Required
> >> key not available', so does the user that is doing the mount have
> >> a kerberos ticket ?
> >>
> >>> I get the following errors:
> >>>
> >>> [root@radiorec admin]# smbclient -k -L winnas
> >>> WARNING: The option -k|--kerberos is deprecated!
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> >>>
> >>> [root@radiorec admin]# smbclient -L winnas
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> Password for [HEBE\root]:
> >>>
> >>> [root@radiorec admin]# smbclient -L winnas -U jacek
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> >>> Password for [HEBE\jacek]:
> >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >>>
> >>> Is there a GPO I need to disable, or can I change the config in samba to get the shares to mount?
> >>>
> >>> I see a domain relationship failure but wbinfo works
> >>
> >> I think you need to give us more information:
> >> What OS ?
> >> What version of Samba ?
> >> The contents of your smb.conf
> >> The mount command you are using
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> You did not tell us if you could join the domain (I think with
> your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
> you are talking about) is not a domain member, you can't use
> Kerberos. Your smb.conf is (let's be kind) not working.
>
> This could be a start for your smb.conf:
> -----------------------
> [global]
> workgroup = hebe
> realm = hebe.us
> security = ADS
> winbind refresh tickets = Yes
> winbind use default domain = yes
> idmap config * : range = 10000 - 19999
> idmap config hebe : backend = rid
> idmap config hebe : range = 100000 - 199999
> -----------------------
>
> Then join the domain with "net ads join -U administrator" (or any
> other user who is a member of the "domain admins" group).
>
> Then to mount the share you can try it via fstab and a credentials file,
> but every time you change your password the mount will fail. Better
> use libpam-mount. (You will find a lot of info about configuring
> libpam-mount with Google.)
>
> With libpam-mount AND as a domain member your Linux client can mount
> shares using Kerberos for authentication.
>
> Stefan
>

Hi Stefan,
Whilst I cannot argue with anything you have written and would agree your setup will work, I still feel we need more information; it seems we are only being told half the story.

Rowland
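The smb.conf quoted in this thread mixes AD DC parameters, keys set twice with conflicting values, and settings that weaken authentication; the following Python linter, an added example that is not from the thread or from the Samba project, flags those three patterns in a constructed excerpt of that config. The lists of weakening values and DC-only parameters are assumptions for this example, drawn from what appears in the posted config.

```python
import re
from collections import defaultdict
# Assumed lists for this example, drawn from the parameters in the posted config.
WEAK = {"require strong key": {"no", "false"},
        "ldap server require strong auth": {"no", "false"}}
DC_ONLY = {"server services", "idmap_ldb:use rfc2307"}

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
        elif line and line[0] not in "#;" and "=" in line and current:
            key, value = line.split("=", 1)
            # Normalise case and spacing so "idmap_ldb : use rfc2307" matches.
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current].append((key, value.strip()))
    return sections

def lint(text):
    """Flag duplicated keys, weakened-security values and DC-only parameters."""
    findings = []
    for section, items in parse_smb_conf(text).items():
        seen = defaultdict(int)
        for key, _ in items:
            seen[key] += 1
        findings += [f"duplicate: '{k}' set {n} times in [{section}]"
                     for k, n in seen.items() if n > 1]
        for key, value in items:
            # "require strong key:HEBE" is a per-domain override of the base key.
            if value.lower() in WEAK.get(key.split(":")[0], ()):
                findings.append(f"weak: '{key} = {value}' in [{section}]")
            if key in DC_ONLY and section == "global":
                findings.append(f"dc-only: '{key}' is an AD DC parameter")
    return findings
# Constructed excerpt of the smb.conf quoted in the thread.
SAMPLE = """[global]
    require strong key = false
    require strong key:HEBE = true
    ntlm auth = yes
    ntlm auth = mschapv2-and-ntlmv2-only
    ldap server require strong auth = No
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc
    idmap_ldb:use rfc2307 = yes
[sysvol]
    path = /usr/share/samba/sysvol
"""
```

Running `lint(SAMPLE)` reports one duplicate, two weakening values and two DC-only parameters; Stefan's minimal member-server config above produces no findings.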
jacek burghardt
2023-Dec-13 15:44 UTC
[Samba] samba fails to connect to windows file share joined to domain
I see this in the logs, what is causing it?

[2023/12/13 07:38:25.104382, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:38:55.142864, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:25.152964, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:55.130647, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:25.150802, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:55.162914, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 12 Dec 2023 19:32:10 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> > On 12.12.23 at 17:46 jacek burghardt via samba wrote:
> > > I am using arch linux
> > > This is my fstab entry using cred for windows domain user
> > >
> > > //winnas/radio /radio cifs
> > > credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail
> > > 0 0
> > >
> > > I run hardening kitty scripts.
> > >
> > > Windows and osx clients can mount the shares but linux has an issue.