Hans van Leeuwen
2024-Oct-25 08:35 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi Samba engineer,

We use an Ubuntu 20.04.6 system as Samba server.
The Samba version is 4.15.13-Ubuntu.
The SMC-Client is a Windows Server 2022 Standard 21H2.

The hostname of the Ubuntu Samba server is "samba-srv".
On the Windows system, the Samba disk is shared with the command:

    C:>net use Y: \\samba-srv\customers /u:hans
    Enter the password for 'hans' to connect to 'samba-srv':
    The command completed successfully

Now the Samba disk on system samba-srv can be accessed on the Y-drive.
The network analyzer Wireshark shows that Kerberos is used to encrypt the network packages.
But at the moment of Kerberos ticket renewal, the Samba share is not available for some seconds.

Another DNS record is created with the name "samba-srv-alias".
This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".

The Y-drive is removed and created again, now with "samba-srv-alias" as host.

    C:>net use Y: \\samba-srv-alias\customers /u:hans

Now, too, the Samba disk on samba-srv can be accessed on the Y-drive.
But Wireshark now shows that NTLM is used to encrypt the network packages.
NTLM doesn't work with tickets that need to be renewed.
The problem that the Samba share is not available for some seconds doesn't occur when NTLM is used to encrypt the network packages.

The problem that the share is not available for some seconds also doesn't occur when the share is not on Samba but on another Windows system, also when Kerberos is used.

The attachment contains the C program source that can be used to reproduce the problem.
This source can be compiled on Windows with e.g. gcc.

The program reads a folder on the share every 3 seconds to check for files, and writes to a logfile when the share is not available and when it is available again.

Start the hotfolderscan program e.g. in the way below:

    C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log

After +/- 10 hours, when Kerberos renews the ticket, the lines below are written in the log file:

    2024-10-23 09:09:13 Error 2 No such file or directory
    2024-10-23 09:09:16 Share available again

It seems that Samba doesn't handle the Kerberos ticket renewal in the right way.

Best regards,
Ing. Hans van Leeuwen

The used Samba parameters on the Samba-server:

    # testparm -s
    Load smb config files from /etc/samba/smb.conf
    Loaded services file OK.
    Weak crypto is allowed

    Server role: ROLE_DOMAIN_MEMBER

    # Global parameters
    [global]
        client min protocol = SMB3_02
        log file = /var/log/samba
        max open files = 65536
        realm = MAIL-STREET.LOCAL
        restrict anonymous = 2
        security = ADS
        server min protocol = SMB3_02
        server signing = required
        smb ports = 445
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind separator = ^
        winbind use default domain = Yes
        workgroup = MAIL-STREET
        full_audit:priority = notice
        full_audit:facility = local5
        full_audit:failure = none
        full_audit:success = open close read write mkdirat renameat unlinkat openat
        full_audit:prefix = %u|%I|%S
        idmap config * : range = 10000-20000
        idmap config * : backend = tdb
        vfs objects = full_audit

    [customers]
        create mask = 0777
        directory mask = 0777
        force directory mode = 0777
        force group = Yschijfusers
        path = /var/local/customers
        read only = No
        valid users = @Yschijfusers

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hotfolderscan.c
URL: <http://lists.samba.org/pipermail/samba/attachments/20241025/270becbd/hotfolderscan.c>
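A probe of the kind described in the message above, as an added example: this is not the attached hotfolderscan.c, whose source is not shown on this page. The function names and the use of opendir/readdir are assumptions; the log layout follows the two lines quoted in the post.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#define SLEEP_SECONDS(s) Sleep((s) * 1000)
#else
#include <unistd.h>
#define SLEEP_SECONDS(s) sleep(s)
#endif

/* Added example, not the attached hotfolderscan.c.
   Returns 0 if the directory can be opened and read, else the errno value. */
int probe_dir(const char *path) {
    DIR *d = opendir(path);
    if (d == NULL) return errno;
    errno = 0;
    (void)readdir(d);          /* force one real read of the share */
    int err = errno;
    closedir(d);
    return err;
}

/* Write one line in the layout of the log excerpt quoted in the post. */
int log_event(FILE *out, time_t now, int err) {
    char ts[32];
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
    if (err != 0) fprintf(out, "%s Error %d %s\n", ts, err, strerror(err));
    else fprintf(out, "%s Share available again\n", ts);
    return fflush(out);        /* flush so an outage is on disk immediately */
}

/* One poll; logs only when availability changes. Returns 1 if a line was written. */
int scan_step(const char *path, FILE *out, int *last_err, time_t now) {
    int err = probe_dir(path);
    int changed = (err != 0) != (*last_err != 0);
    if (changed) log_event(out, now, err);
    *last_err = err;
    return changed;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <dir> <logfile>\n", argv[0]); return 2; }
    FILE *out = fopen(argv[2], "a");
    if (out == NULL) { perror(argv[2]); return 1; }
    int last_err = 0;
    for (;;) { scan_step(argv[1], out, &last_err, time(NULL)); SLEEP_SECONDS(3); }
}
```

Because only transitions are logged, each outage appears as an error line followed by a recovery line, and their timestamps give the window to cut from a packet capture.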
Rowland Penny
2024-Oct-25 08:50 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000 Hans van Leeuwen via samba <samba at lists.samba.org> wrote:

> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMC-Client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv".
> On the Windows system, the Samba disk is shared with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packages. But at the moment of Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias".
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with
> "samba-srv-alias" as host.
> C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Now, too, the Samba disk on samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packages. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packages.
>
> The problem that the share is not available for some seconds also
> doesn't occur when the share is not on Samba but on another Windows
> system, also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files, and writes to a logfile when the share is not available and
> when it is available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba-server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client min protocol = SMB3_02
> log file = /var/log/samba
> max open files = 65536
> realm = MAIL-STREET.LOCAL
> restrict anonymous = 2
> security = ADS
> server min protocol = SMB3_02
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind separator = ^
> winbind use default domain = Yes
> workgroup = MAIL-STREET
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:failure = none
> full_audit:success = open close read write mkdirat renameat unlinkat openat
> full_audit:prefix = %u|%I|%S
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
> vfs objects = full_audit
>
>
> [customers]
> create mask = 0777
> directory mask = 0777
> force directory mode = 0777
> force group = Yschijfusers
> path = /var/local/customers
> read only = No
> valid users = @Yschijfusers

One of two things seems to be going on here:

You just have a mis-configured smb.conf (no 'idmap.config' lines for the 'MAIL-STREET' domain).

You are also using sssd.

Which is it?

Rowland
Ralph Boehme
2024-Oct-25 09:08 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On 10/25/24 10:35 AM, Hans van Leeuwen via samba wrote:

> It seems that Samba doesn't handle the Kerberos ticket renewal on the right way.

Can you get us two network traces:

- last minute before and after session expiry against Samba
- last minute before and after session expiry against Windows

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/