I think MJ is using samba with AD backend and Rowland RID.
Rowland, try AD backend if you're using rid atm.

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj via samba
> Sent: Wednesday 11 October 2017 13:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Using GPO to mount shares on Linux
>
>
>
> On 10/11/2017 12:43 PM, Rowland Penny via samba wrote:
> > I want to mount a users folder on one machine into the users folder on
> > another machine.
> > i.e. mount \\dc1\users\rowland on client /home/rowland/mnt
> That sounds similar to our use case.
>
> > Sods law has kicked in, I have now got a mount to work with pam_mount,
> > but there is a major problem, anything created in the share doesn't
> > belong to rowland, it is 3000000:domain users. This is not acceptable,
> > the mounted share belongs to rowland, but nothing inside it does. I
> > think I will continue to try and get pam_script to do what I want.
> Strange.
>
> So what does a mount look like?
>
> Here:
>
> > root at dmmember:~# mount | grep username
> > //fileserver.company.com/username on /home/username/username type cifs
> > (rw,relatime,sec=ntlmi,unc=\\filehost.company.com\username,username=username,domain=WRKGRP,uid=49611,forceuid,gid=513,forcegid,addr=192.168.89.2,unix,posixpaths,serverino,acl,rsize=61440,wsize=65536,actimeo=1)
> > root at dmmember:~#
>
> MJ
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, 11 Oct 2017 13:34:23 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I think MJ is using samba with AD backend and Rowland RID.
> Rowland, try AD backend if you're using rid atm.
>

That fixed it, sort of proves the point, you need to use the same ID everywhere.

Rowland
Wohoo, finally i could help Rowland :-p ;-)

I follow this as guidance:

1 server ( all in one )
use RID, easy to setup etc, but .. If you go to ... Or have plans to..

2 servers ( DC + a member )
use backend RID if you don't need access with a windows account to a shared home folder. ( cifs or nfs )
you use a dedicated local "linuxAdmin" for maintenance. ( often the first created user in linux )
use backend AD if you do need access with ssh for example or shared home folders.

3 servers or more, all servers where ssh or access to a server with a shared folder is needed, use backend AD.
advised is all servers with file shares.
Optional, mix this with RID, for example for a dedicated print server, or proxy server (auth).

I use setup 3.
Multiple servers with AD and RID mixed on the members, based on function.

An NFS pointer:
Make sure you set your home folder 755, kerberos ( MIT ), look for .klogin in the home dir.
If the setup is too tight this fails. ( workaround: disable .klogin checking in krb5.conf )
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where it's needed.

For Cifs. You may need to add these lines in krb5.conf, cifs uses them, nfs not.

; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Now here, if you see "Required keys not available", no matter what you do,
then you are probably missing these lines in krb5.conf.

The source i use for the above info :
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html

It's a .nl domain but it's in english ;-) and still contains good info.
Just beware it's based on debian squeeze.
And a handy thing to know:
https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled

Greetz,

Louis
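The point Rowland and Louis make above (the file owner comes out wrong when one host maps the domain SID with idmap_rid and another with idmap_ad, so the same backend and range are needed everywhere) can be checked on paper before touching a share. The script below is an added example for this thread, not code from Louis or from the Samba project: it parses the `idmap config` lines of two smb.conf fragments and computes the uid each host would hand out for one SID. The smb.conf fragments, the domain SID `S-1-5-21-1-2-3` and the uidNumber value are constructed; the idmap_rid formula `ID = RID - BASE_RID + LOW_RANGE_ID` is the one documented in idmap_rid(8).

```python
"""Will two Samba hosts map the same domain SID to the same Unix uid?
Added example for this thread, not Samba project code.  All configs and
directory data below are constructed."""
import re

# Constructed: member A uses idmap_rid, member B uses idmap_ad (rfc2307).
SMB_CONF_A = """
[global]
   workgroup = WRKGRP
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config WRKGRP : backend = rid
   idmap config WRKGRP : range = 10000-999999
"""

SMB_CONF_B = """
[global]
   workgroup = WRKGRP
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config WRKGRP : backend = ad
   idmap config WRKGRP : schema_mode = rfc2307
   idmap config WRKGRP : range = 10000-999999
"""

# Constructed: the uidNumber attribute of one user object, as idmap_ad reads it.
AD_UID_NUMBERS = {"S-1-5-21-1-2-3-1105": 49611}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.M)


def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom.upper(), {})[key.lower()] = val
    return cfg


def map_sid(cfg, domain, sid, ad_uid_numbers):
    """uid that winbind with this config would hand out for sid, or None when
    the backend cannot map it (outside the range, or no uidNumber in AD)."""
    d = cfg[domain.upper()]
    low, high = (int(x) for x in d["range"].split("-"))
    if d["backend"] == "rid":
        # idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, deterministic per host.
        rid = int(sid.rsplit("-", 1)[1])
        uid = rid - int(d.get("base_rid", "0")) + low
    elif d["backend"] == "ad":
        # idmap_ad: the uid is whatever uidNumber the directory stores.
        uid = ad_uid_numbers.get(sid)
    else:
        raise ValueError("backend not modelled here: " + d["backend"])
    return uid if uid is not None and low <= uid <= high else None


def compare_hosts(conf_a, conf_b, domain, sid, ad_uid_numbers=AD_UID_NUMBERS):
    """Return (uid_on_a, uid_on_b, consistent); files written through a share
    on A are owned by uid_on_a, which B must resolve to the same user."""
    a = map_sid(parse_idmap(conf_a), domain, sid, ad_uid_numbers)
    b = map_sid(parse_idmap(conf_b), domain, sid, ad_uid_numbers)
    return a, b, (a is not None and a == b)


if __name__ == "__main__":
    sid = "S-1-5-21-1-2-3-1105"
    print("rid vs ad :", compare_hosts(SMB_CONF_A, SMB_CONF_B, "WRKGRP", sid))
    print("rid vs rid:", compare_hosts(SMB_CONF_A, SMB_CONF_A, "WRKGRP", sid))
```

With the constructed data the rid host computes 10000 + 1105 = 11105 while the ad host returns the stored 49611, which is the kind of mismatch behind the `3000000:domain users` ownership Rowland saw; two hosts on the same backend with the same range agree. The `None` cases are the ones where winbind refuses to map at all: a RID that lands outside the configured range, or a user without a uidNumber when idmap_ad is in use.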
Hello,

Sorry for taking so long to answer, but I was not able to do the tests because the computer is in use and out of my office.

Finally I've progressed in this topic with realmd, sssd and autofs, but now I'm locked on mounting shares from my member server. I'm able to use autofs and smbclient to mount and connect to the sysvol share on my DC server, but when I try to connect to my member server I get this error:

----------------
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
added interface enp1s0 ip=192.168.0.xx bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
resolve_hosts: Attempting host lookup for name server.domain.dom<0x20>
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
Connecting to 192.168.0.xxx at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom at DOMAIN.DOM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server at DOMAIN.DOM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
----------

Have I missed something? My member server has joined the Samba DC and is able to authenticate the Windows clients.

Thanks!!

2017-10-11 16:52 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Wohoo, finally i could help Rowland :-p ;-)
> [...]

--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
Hai,

now realmd sssd and autofs are all not my cookies.. but.. i see 2 things.

1) you are missing the CIFS spn. here it shows how to make them and extract them.
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction

2) for the smbclient try :
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3 -m SMB2
....added -m SMB2 at the end.

last, i see : /var/run/samba/gencache_notrans.tdb
Can you also post the output of samba -b
That path is normally /var/cache/samba/ not that it's wrong, but it may help to see how samba was built.

Greetz,

Louis

From: Daniel Carrasco [mailto:d.carrasco at i2tic.com]
Sent: Friday 20 October 2017 14:58
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Using GPO to mount shares on Linux

Hello,
[...]
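Daniel's `smbclient -d 3` output and Louis's diagnosis (the member's machine account has no `cifs/` SPN, so the KDC answers `Server (cifs/server at DOMAIN.DOM) unknown`) can be turned into a small check that reads the client log and compares the principals it asked for against the SPNs registered on the account. The script below is an added example for this thread, not Samba project code and not Louis's. The log excerpt mirrors the lines quoted above (the list archive renders `@` as ` at `, which the parser accepts); the two SPN lists are constructed to show the account before and after `samba-tool spn add`, and `server.domain.dom` / `DOMAIN.DOM` are the placeholders already used in the thread.

```python
"""Does the principal the SMB client asked for exist among the SPNs on the
member server's machine account?  Added example for this thread, not Samba
project code.  Log excerpt and SPN lists are constructed."""
import re

# Constructed excerpt of the failing smbclient -d 3 run quoted in the thread.
SMBCLIENT_LOG = """\
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom at DOMAIN.DOM
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server at DOMAIN.DOM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
"""

# Constructed: servicePrincipalName values on SERVER$ right after the join,
# roughly what `samba-tool spn list SERVER$` on the DC would show: no cifs/.
SPNS_AFTER_JOIN = ["HOST/SERVER", "HOST/server.domain.dom"]
# Constructed: the same account after adding the two cifs/ SPNs.
SPNS_FIXED = SPNS_AFTER_JOIN + ["cifs/server", "cifs/server.domain.dom"]

# service/host@REALM, also accepting the archive's ' at ' rendering of '@'.
PRINCIPAL_RE = re.compile(r"\b([A-Za-z]+)/([A-Za-z0-9.-]+)(?:@| at )([A-Za-z0-9.-]+)")


def requested_principals(log):
    """Principals the client tried, in order and without duplicates: the one
    it guessed from the target hostname plus the one the KDC reported unknown."""
    seen, out = set(), []
    for line in log.splitlines():
        if "guessed server principal=" not in line and ") unknown]" not in line:
            continue
        for svc, host, realm in PRINCIPAL_RE.findall(line):
            p = (svc, host, realm)
            if p not in seen:
                seen.add(p)
                out.append(p)
    return out


def missing_spns(log, registered_spns, realm):
    """Return (missing, wrong_realm): SPNs the client needed that are absent
    from the account (compared case-insensitively, as AD does), and any
    principal whose realm is not the expected one."""
    have = {s.lower() for s in registered_spns}
    missing, wrong_realm = [], []
    for svc, host, r in requested_principals(log):
        spn = f"{svc}/{host}"
        if r.upper() != realm.upper():
            wrong_realm.append(f"{spn}@{r}")
        elif spn.lower() not in have:
            missing.append(spn)
    return sorted(missing), wrong_realm


if __name__ == "__main__":
    print("after join:", missing_spns(SMBCLIENT_LOG, SPNS_AFTER_JOIN, "DOMAIN.DOM"))
    print("fixed     :", missing_spns(SMBCLIENT_LOG, SPNS_FIXED, "DOMAIN.DOM"))
```

Against the post-join list the check reports both `cifs/server` and `cifs/server.domain.dom` as missing, which is exactly what the KDC complained about; once both are registered on the account (and, as the linked wiki pages describe, the matching keys are in the member's keytab) the list is empty. The realm check catches the other common cause of the same message, a client that resolved the server into a different Kerberos realm than the one the account lives in.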