Thanks Rowland.

I'll give a try to both things (WG and SPN).

To be honest, I ask here because the sssd daemon is working as expected, allowing the authentication of the machine to the domain, and the real problem is that I'm not able to access a shared drive using Kerberos authentication (cifs and smbclient), and I thought that maybe it was a misconfiguration on the member server (because it works fine with the domain server), and this server is configured as a Samba4 member server without sssd.

Greetings!

2017-10-20 17:52 GMT+02:00 Rowland Penny <rpenny at samba.org>:

> On Fri, 20 Oct 2017 17:15:32 +0200
> Daniel Carrasco via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > On 20 Oct 2017 4:50 p.m., "Rowland Penny via samba"
> > <samba at lists.samba.org> wrote:
> >
> > On Fri, 20 Oct 2017 14:57:42 +0200
> > Daniel Carrasco via samba <samba at lists.samba.org> wrote:
> >
> > > Hello,
> > >
> > > Sorry for taking so long to answer, but I was not able to do the tests
> > > because the computer is in use and out of my office.
> > >
> > > Finally I've progressed in this topic with realmd, sssd and autofs,
> > > but now I'm locked on mounting shares from my member server.
> > > I'm able to use autofs and smbclient to mount and connect to the sysvol
> > > share on my DC server, but when I try to connect to my member server
> > > I get this error:
> > > ----------------
> > > smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host
> > > -k -d 3
> > > lp_load_ex: refreshing parameters
> >
> > Is 'DOMAIN.DOM' really your NetBIOS domain name (aka workgroup) ?
> >
> >
> > My domain is domain.dom, so maybe the wg is domain only.
>
> -W, --workgroup=WORKGROUP          Set the workgroup name
>
> > > Initialising global parameters
> > > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > > (16384)
> > > smbclient: Can't load /etc/samba/smb.conf - run testparm to
> > > debug it
> >
> > Why can smbclient not read the smb.conf ?
> >
> >
> > I'm not using samba to connect to the domain, so this file doesn't
> > exist. I've tested mounting and connecting to the domain server and it
> > works even without that file. Is it important? Because I've not tried to
> > create that file (I'm using realmd and sssd to connect to the domain).
>
> If you are using sssd, you are on the wrong mailing list, sssd has
> nothing to do with Samba, you will get better help on the sssd-users
> mailing list, unless you want help with setting up Samba correctly.
>
> Rowland
>

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

On Tue, 24 Oct 2017 14:11:15 +0200
Daniel Carrasco <d.carrasco at i2tic.com> wrote:

> Thanks Rowland.
>
> I'll give a try to both things (WG and SPN).
>
> To be honest, I ask here because the sssd daemon is working as
> expected, allowing the authentication of the machine to the domain,
> and the real problem is that I'm not able to access a shared drive
> using Kerberos authentication (cifs and smbclient), and I thought
> that maybe it was a misconfiguration on the member server (because it
> works fine with the domain server), and this server is configured as a
> Samba4 member server without sssd.
>

Sorry, but I don't understand what you are trying to say.
Do you mean that it works on a Unix domain member against a Samba AD DC and the Unix domain member isn't using sssd ?
Or do you mean something else, if so, please explain your set up.

Rowland

Hello,

My actual setup is:

- 2 Domain Controllers using Samba 4.7 stable (synced)
- Multiple Windows workstations that have joined the domain without problem
- 1 Linux server using Debian 8 with Samba 4.2 as member server, also joined to that domain

This setup is working as expected (some Windows bugs hide network drives, but that is not a Samba problem). All workstations are able to log in with domain credentials and connect to shared drives on the Linux server (managed by GPO and ACL).

Now I have an xUbuntu workstation that I want to join to that domain, and I've used realm and sssd to do the job. The basic setup works fine and:

- I'm able to log in with domain user credentials on the Linux workstation
- I can get the domain data, for example users and groups, and even use domain data to manage autofs
- I can mount shares stored on a DC using Kerberos authentication
- I can connect to shares using smbclient with Kerberos authentication

My problem comes when I try to mount or connect to a share that is on the member server from the xUbuntu workstation, which gives me the errors I've commented on before. After your comments and research about SPN on Google I think that maybe that is the problem, but for now I'm not able to test it.

Greetings!!

Hai,

I did a re-read of your thread.

First: if you use smbclient, with a samba installed, use -s /path/alternative/smbclient.conf

If I did read it correctly, you're connecting from xUbuntu (samba version ??) to a (debian8) samba 4.2 member.

How did you join the xUbuntu?
https://docs.pagure.org/SSSD.sssd/users/ad_provider.html
Like this setup? ^^^

> This setup is working as expected (some windows bugs hide
> network drives, but is not samba problem).

Not a Windows bug, but probably an ACL problem on sysvol, check the Windows event logs.
Works fine here since samba 4.2 DC's.

Now, I can only give a few advices.

1) upgrade the debian jessie to debian stretch, and start with samba 4.5.12 from debian.
2) tell us the xUbuntu version and the samba (smbclient) version

If I recall correctly, sssd lower than 1.12 may have problems, but as Rowland also said, I (we) know nothing about sssd here, except what I google.

If you did not read this one, please do.
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
I don't know if it helps, but it shows some good settings and it's well explained.

And if you get it working, please share the solution. ;-)

Greetz,

Louis