Kontrol-Suporte
2018-Jun-23 20:04 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hello Gentlemen.

OK, tests were made. I got some errors only when using Samba48 (samba47 is still fine).

IMPORTANT: I forgot to mention... This is being used with SQUID Proxy for SSO authentication.

Got NTLMSSP neg_flags=0xa2088207
Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24 len2=338
Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due to [{Access Denied} A process has requested access to an object but has not been granted those access rights.]
GENSEC login failed: NT_STATUS_ACCESS_DENIED

I tried the new settings as suggested and also partial changes. Both are presenting the same behaviour. Nothing was changed on the AD side. I also re-checked the permissions/ownership on the "/var/db/samba4/winbindd_privileged" folder, which is used by SQUID.

To Rowland: You asked if I really need the "min protocol = LANMAN2" option. Well, the idea was to enforce a minimum security level.

Any help will be very much appreciated.

Regards,
Fabricio.

-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 3:42 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration

Thanks to everyone who replied to this thread. I will try the new settings ASAP!

Thanks once again!
Fabricio.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, June 23, 2018 8:13 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Fri, 22 Jun 2018 19:25:11 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Hello Everyone,
>
> Good evening!
>
> Here is some background:
> I am moving from samba47 to samba48 - I am keeping my existing scripts
> and config files.
>
> The messages below are now appearing while executing some tasks in
> samba48 only - samba47 is not showing them:
>
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> Question: is "use spnego" deprecated for samba48? If so, what is
> replacing it?
>
> Here is my smb4.conf file:
> ###############################
>
> [global]
>     workgroup = MYDOMAIN
>     map to guest = never
>     logon path = \\%L\profiles\.msprofile
>     logon home = \\%L\%U\.9xprofile
>     logon drive = P:
>     usershare allow guests = no
>     client NTLMv2 auth = yes
>     client lanman auth = no
>     client plaintext auth = no
>     use spnego = yes
>     client use spnego = yes
>     min protocol = LANMAN2
>     idmap gid = 10000-20000
>     idmap uid = 10000-20000
>     realm = MYDOMAIN.CORP
>     security = ads
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = yes
>     winbind use default domain = yes
>     encrypt passwords = yes
>     socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>     log level = 3 passdb:5 winbind:3
>     usershare allow guests = no
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     local master = no
>     kerberos method = secrets and keytab
>     winbind refresh tickets = yes
>
> [homes]
>     comment = Home Directories
>     valid users = %s, %D%W%S
>     browseable = no
>     read only = no
>     inherit acls = yes
>
> ###############################
>
> Thanks Much!
>
> Fabricio.

OK, you have multiple default lines in your smb.conf, these are:

map to guest = never
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = yes
template homedir = /home/%D/%U
winbind nested groups = yes
encrypt passwords = yes
usershare allow guests = no

You might as well remove them.

The following lines are not much use in a Unix domain member smb.conf, they don't work with AD:

logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:

So you might as well remove them as well.

These two lines slow things down and are not actually needed:

winbind enum users = yes
winbind enum groups = yes

You might as well remove them as well.

'use spnego' was removed at 4.8.0, so you must remove this line.

You should also remove the 'socket options' line, you should let your kernel sort this for you.

Finally, 'idmap gid' and 'idmap uid' have been deprecated for quite some time and have been replaced by 'idmap config' lines, so with all the removals etc, can I suggest you try this smb.conf:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.CORP
    security = ads
    # Do you really need this ?
    min protocol = LANMAN2
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-20000
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind use default domain = yes
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

Rowland

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
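An added example, not code from the thread or from Samba: a small Python lint that parses an smb.conf and reports the lines Rowland calls out above (the removed "use spnego", the deprecated "idmap uid"/"idmap gid", lines that merely restate defaults, the AD-member no-ops, and "min protocol = LANMAN2", which sets the SMB dialect floor rather than an NTLM level). The rule tables and the sample config are constructed from this thread only; Samba's own testparm remains the authoritative check.

```python
# Added example, not code from the thread: lint an smb.conf for the parameters
# Rowland flagged. The rule tables hold only what the thread discusses; Samba's
# own testparm remains the authoritative check for unknown parameters.
NOOP = "does nothing on an AD domain member, remove it"
SLOW = "slows winbind down and is not needed, remove it"
ADVICE = {  # key -> advice from Rowland's reply, whatever the value is
    "use spnego": "removed in Samba 4.8.0, delete the line",
    "idmap uid": "deprecated, replaced by 'idmap config DOMAIN : range'",
    "idmap gid": "deprecated, replaced by 'idmap config DOMAIN : range'",
    "socket options": "drop it and let the kernel tune the socket",
    "logon path": NOOP, "logon home": NOOP, "logon drive": NOOP,
    "winbind enum users": SLOW, "winbind enum groups": SLOW,
}
DEFAULTS = {  # key -> built-in default; a line that restates it is redundant
    "map to guest": "never", "usershare allow guests": "no", "encrypt passwords": "yes",
    "client ntlmv2 auth": "yes", "client lanman auth": "no", "client plaintext auth": "no",
    "client use spnego": "yes", "template homedir": "/home/%D/%U",
    "winbind nested groups": "yes",
}

def parse_smb_conf(text):
    """Return [(key, value)] in file order; section headers and comments skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:  # Samba parameter names are case-insensitive
            entries.append((" ".join(key.split()).lower(), value.strip()))
    return entries

def lint(text):
    """Return a sorted list of (key, message) findings for an smb.conf."""
    findings = set()
    for key, value in parse_smb_conf(text):
        if key in ADVICE:
            findings.add((key, ADVICE[key]))
        elif key in DEFAULTS and value.lower() == DEFAULTS[key].lower():
            findings.add((key, "already the default, the line is redundant"))
        if key == "min protocol" and value.upper() == "LANMAN2":
            findings.add((key, "sets an SMB dialect floor, not an NTLM level; "
                               "Rowland suggests NT1 at least"))
    return sorted(findings)
# Constructed excerpt of the smb.conf posted at the top of the thread
SAMPLE = """[global]
    usershare allow guests = no
    use spnego = yes
    min protocol = LANMAN2
    idmap gid = 10000-20000
"""
```

Running lint(SAMPLE) returns one finding per flagged line, sorted by parameter name, so it can be pointed at a 4.7-era smb.conf before the upgrade.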
Rowland Penny
2018-Jun-24 07:26 UTC
[Samba] use spnego question - samba 47 to samba48 migration
On Sat, 23 Jun 2018 17:04:39 -0300
Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Hello Gentlemen.
> OK, tests were made. I got some errors only when using Samba48
> (samba47 is still fine). IMPORTANT: I forgot to mention... This is
> being used with SQUID Proxy for SSO authentication.
>
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24
> len2=338 Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due
> to [{Access Denied} A process has requested access to an object but
> has not been granted those access rights.] GENSEC login failed:
> NT_STATUS_ACCESS_DENIED
>
> I tried the new settings as suggested and also partial changes. Both
> are presenting the same behaviour. Nothing was changed on the AD
> side. I also re-checked the permissions/ownership on the
> "/var/db/samba4/winbindd_privileged" folder, which is used by SQUID.

I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago.

> To Rowland: You asked if I really need the "min protocol = LANMAN2"
> option. Well, the idea was to enforce a minimum security level.

I actually thought that, but 'LANMAN2' ??? Why not 'NT1' at least?

Have you considered using kerberos with squid ?

Rowland
Kontrol-Suporte
2018-Jun-24 23:32 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hi Rowland,

Thanks much for the help, as usual!

About Kerberos: Yes, I have implemented Kerberos and NTLM. I need both working.

About winbindd_privileged: Not sure what you mean with "I think you might want to check that again, the 'winbindd_privileged' dir went away quite some time ago." Shouldn't that folder be there anymore? Every time I install Samba47 or 48 it creates the folder with the "pipe" inside of it. I just needed to change the permissions/ownership of the folder. Isn't it OK to use it that way anymore?

About Lanman2: Hummm... now you got me confused. I could swear that option was to force NTLM v2 as a minimum. The idea is to force NTLM v2 as the minimum protocol. Should I use the option "smb2" instead?

Thanks a lot,
Fabricio.