hans
2020-Jan-02 17:45 UTC
[Samba] Connection dropping every 24 hours from Windows Client.
I posted the following a month ago but have only managed to get to fixing this over the holidays. Rowland mentions that I needed to add my domain info; it's now included and I still have the same issue.

Thanks and Happy New Year

Old post begins below, with edits:

Hello,

I have a problem with my Windows 10 drive connections dropping every 24 hours, very briefly. It's enough to cause me to be unable to save my file, or access a geodatabase. I have followed much troubleshooting and I believe that it's due to the KDC service ticket lifetime expiring; I have it set for 24 hours in smb.conf.

I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the shares are, running 4.7.6 and connected to the DC by winbindd. I notice that when my 24 hours is up, smbstatus will show that I have a new PID. The files are unfortunately still being held open by the old PID and are no longer accessible (I think).

Here is the global part of my DC smb.conf:

[global]
        workgroup = MYNET
        realm = mynet.mynet.com
        netbios name = MY_DC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        kdc:service ticket lifetime = 24
        kdc:user ticket lifetime = 360
        kdc:renewal lifetime = 1800
        dsdb:schema update allowed = true
        tls enabled = yes
        tls keyfile = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile
        wins support = yes
        ldap server require strong auth = no

And here is the global part of my file server smb.conf:

        workgroup = MYNET
        client signing = yes
        client use spnego = yes
        kerberos method = secrets and keytab
        realm = MYNET.MYNET.COM
        security = ads
        vfs object = acl_xattr
        map acl inherit = yes
        hide unreadable = yes
        winbind refresh tickets = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYNET : backend = rid             (added as per Rowland)
        idmap config MYNET : range = 50000-1000000     (added as per Rowland)
        winbind use default domain = true
        winbind offline logon = false
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        store dos attributes = yes

When I used to host the shares on the same DC, I never had this trouble. When I had kdc:service ticket lifetime = 10, the connections dropped every 10 hours. Do I just keep upping that number to something useful and hope I don't get hacked, or is there something else I am missing? To me, it sounds a lot like this problem: https://lists.samba.org/archive/samba/2014-March/179555.html

Thanks
Rowland penny
2020-Jan-02 19:01 UTC
[Samba] Connection dropping every 24 hours from Windows Client.
On 02/01/2020 17:45, hans via samba wrote:
> [...]

OK, you do not need these lines in your DC smb.conf:

        kdc:service ticket lifetime = 24
        kdc:user ticket lifetime = 360
        kdc:renewal lifetime = 1800
        dsdb:schema update allowed = true
        wins support = yes

Try this as the [global] part of your smb.conf on the Unix domain member:

[global]
        workgroup = MYNET
        security = ADS
        realm = MYNET.MYNET.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config MYNET : backend = rid
        idmap config MYNET : range = 50000-1000000
        # If your users log into the Unix domain member
        # uncomment the following two lines and alter to your requirements
        #template shell = /bin/bash
        #template homedir = /home/%U
        username map = /etc/samba/user.map
        vfs object = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        client signing = yes

Create '/etc/samba/user.map' containing this:

!root = MYNET\Administrator

Run (as root):

net ads keytab create

Restart Samba and see how you go.

Rowland
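The advice above is a checklist, so here is an added example that applies it mechanically: a small linter for the [global] section of an smb.conf. This is not Samba's code and not from either post; it parses [global], and for a domain member checks the security/realm/keytab settings Rowland asks for and the idmap configuration (every domain needs a backend and a range, and Samba requires the ranges not to overlap), and for a DC flags the kdc:*, dsdb:* and wins support lines Rowland says to drop, plus 'ldap server require strong auth = no', which allows simple (plaintext) or unsigned LDAP binds without TLS. The embedded configs are constructed from the ones posted in this thread and trimmed to the lines the checks look at.

```python
"""Lint an smb.conf [global] section against the advice in this thread.

Added example, not Samba's code and not from the posts. Member checks follow
Rowland's suggested [global]; idmap checks enforce backend+range per domain and
non-overlapping ranges; DC checks flag the lines he says to drop and the
weakened 'ldap server require strong auth' setting.
"""
import re

IDMAP_RE = re.compile(r"^idmap config (?P<dom>\S+) ?: ?(?P<key>\w+)$")
KEYTAB_METHODS = ("system keytab", "dedicated keytab", "secrets and keytab")
DC_DROP = ("kdc:service ticket lifetime", "kdc:user ticket lifetime",
           "kdc:renewal lifetime", "dsdb:schema update allowed", "wins support")
NO_DEFAULT_IDMAP = "no 'idmap config *' entry (used for BUILTIN and other non-domain SIDs)"


def parse_global(text):
    """Key/value pairs of [global] (keys lower-cased, whitespace collapsed).
    Text with no section header, like the posted member file, is all [global]."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_domains(params):
    """Per-domain idmap settings; 'range' becomes a (low, high) int pair."""
    doms = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            entry = doms.setdefault(m.group("dom"), {})
            if m.group("key") == "range":
                low, high = (int(x) for x in re.split(r"\s*-\s*", value))
                entry["range"] = (low, high)
            else:
                entry[m.group("key")] = value.lower()
    return doms


def check_idmap(params):
    problems, doms = [], idmap_domains(params)
    if "*" not in doms:
        problems.append(NO_DEFAULT_IDMAP)
    for dom, entry in doms.items():
        problems += [f"idmap config {dom}: missing {k}" for k in ("backend", "range") if k not in entry]
        if "range" in entry and entry["range"][0] > entry["range"][1]:
            problems.append(f"idmap config {dom}: inverted range {entry['range']}")
    ranged = sorted((e["range"], d) for d, e in doms.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:  # sorted by low end, so neighbours reveal any overlap
            problems.append(f"idmap ranges overlap: {d1} {r1} and {d2} {r2}")
    return problems


def check_member(params):
    problems = []
    if params.get("security", "").lower() != "ads":
        problems.append("security must be ADS on a domain member")
    if "realm" not in params:
        problems.append("realm is missing")
    method = params.get("kerberos method", "default").lower()
    if method not in KEYTAB_METHODS:
        problems.append(f"kerberos method = {method} uses no keytab; the thread uses 'secrets and keytab'")
    elif "dedicated keytab file" not in params:
        problems.append("dedicated keytab file not set (thread recommends /etc/krb5.keytab)")
    return problems + check_idmap(params)


def check_dc(params):
    problems = [f"drop '{k} = {params[k]}' (not needed on the DC)" for k in DC_DROP if k in params]
    if params.get("ldap server require strong auth", "yes").lower() == "no":
        problems.append("ldap server require strong auth = no permits simple/unsigned LDAP binds "
                        "without TLS; the default is yes")
    return problems


# Constructed from the member config hans posted, trimmed to the checked lines.
MEMBER_POSTED = """
workgroup = MYNET
kerberos method = secrets and keytab
realm = MYNET.MYNET.COM
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYNET : backend = rid
idmap config MYNET : range = 50000-1000000
"""
# Rowland's version adds the keytab file line (his other additions omitted here).
MEMBER_ADVISED = "[global]\ndedicated keytab file = /etc/krb5.keytab\n" + MEMBER_POSTED
# Constructed from the DC config hans posted (TLS and netbios lines omitted).
DC_POSTED = """
[global]
        workgroup = MYNET
        realm = mynet.mynet.com
        server role = active directory domain controller
        kdc:service ticket lifetime = 24
        kdc:user ticket lifetime = 360
        kdc:renewal lifetime = 1800
        dsdb:schema update allowed = true
        wins support = yes
        ldap server require strong auth = no
"""

if __name__ == "__main__":
    print("DC:", check_dc(parse_global(DC_POSTED)))
    print("member as posted:", check_member(parse_global(MEMBER_POSTED)))
    print("member as advised:", check_member(parse_global(MEMBER_ADVISED)) or "OK")
```

Run it against a real file with `check_member(parse_global(open("/etc/samba/smb.conf").read()))`; the checks are only the ones this thread supports, so a clean result means "matches Rowland's advice", not "fully correct".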
Hans Rasmussen
2020-Jan-03 16:25 UTC
[Samba] Connection dropping every 24 hours from Windows Client.
I changed my smb.conf on the DCs and the member as per your instructions.
Now the connection dropped at 10 hours, which appears to be the default end time
of the certificate.

klist on a Windows box returns:

Cached Tickets: (3)

#0>     Client: hans @ MYNET.MYNET.COM
        Server: krbtgt/MYNET.MYNET.COM @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: bobafett.mynet.mynet.com

#1>     Client: hans @ MYNET.MYNET.COM
        Server: LDAP/bigbird.mynet.mynet.com/mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
        Start Time: 1/3/2020 7:59:08 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: bobafett.mynet.mynet.com

#2>     Client: hans @ MYNET.MYNET.COM
        Server: host/han.mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: bobafett.mynet.mynet.com

Where bigbird is my primary DC, bobafett and jabbathehut (not seen here) are my
identical secondary DCs, and han is my Windows 10 workstation.
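Hans ties the 10-hour drop interval to the ticket end times above. Here is an added example (not from the thread, and not a Samba or Windows tool) that makes that comparison mechanical: it parses the text Windows `klist` prints, computes each ticket's lifetime (End minus Start) and renewable window (Renew minus Start), decodes the hex ticket flags using the RFC 4120 bit numbering (which also names the `0x80000` that klist left undecoded: bit 12, transited-policy-checked), lists the tickets whose lifetime matches an observed drop interval, and points out tickets issued with RC4 rather than AES. The sample is constructed from the three tickets in Hans's post with the spacing normalised; the date format assumes the US-locale output shown in the post.

```python
"""Relate Windows `klist` ticket lifetimes to an observed SMB drop interval.

Added example, not from the posts. Parses klist output into tickets, decodes
RFC 4120 ticket flags, finds tickets whose lifetime equals a drop interval, and
flags non-AES ticket encryption types. The sample is constructed from Hans's post.
"""
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %H:%M:%S"   # US-locale klist as in the post; adjust for other locales
# RFC 4120 section 5.3 TicketFlags; bit 0 is the most significant bit of the 32-bit value
FLAG_NAMES = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "may-postdate",
              6: "postdated", 7: "invalid", 8: "renewable", 9: "initial", 10: "pre-authent",
              11: "hw-authent", 12: "transited-policy-checked", 13: "ok-as-delegate"}


def decode_flags(value):
    """Names of the set ticket flags, in bit order; unknown bits are reported by number."""
    return [FLAG_NAMES.get(bit, f"bit{bit}") for bit in range(32) if (value >> (31 - bit)) & 1]


def parse_klist(text):
    """Tickets from Windows klist output: client, server, etype, flags, times, lifetimes."""
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"^#\d+>\s*Client:\s*(.+)$", line)
        flags = re.match(r"^Ticket Flags (0x[0-9A-Fa-f]+)", line)   # this line has no ':'
        if head:
            cur = {"client": head.group(1).strip()}
            tickets.append(cur)
        elif cur is None:
            continue                      # header lines before the first ticket
        elif flags:
            cur["flags"] = int(flags.group(1), 16)
        elif ":" in line:
            field, value = (s.strip() for s in line.split(":", 1))
            value = value.replace("(local)", "").strip()
            if field == "Server":
                cur["server"] = value
            elif field == "KerbTicket Encryption Type":
                cur["etype"] = value
            elif field in ("Start Time", "End Time", "Renew Time"):
                cur[field.split()[0].lower()] = datetime.strptime(value, TIME_FMT)
    for t in tickets:
        t["lifetime"] = t["end"] - t["start"]          # how long the ticket is valid
        t["renew_window"] = t["renew"] - t["start"]    # how long it can be renewed for
    return tickets


def expiring_at(tickets, hours):
    """Tickets whose lifetime matches an observed drop interval to within a minute."""
    target = timedelta(hours=hours)
    return [t for t in tickets if abs(t["lifetime"] - target) <= timedelta(minutes=1)]


def weak_etypes(tickets):
    """Servers whose ticket was issued with RC4 or DES rather than an AES type."""
    return [t["server"] for t in tickets if any(w in t["etype"].upper() for w in ("RC4", "DES"))]


# Constructed from the klist output in Hans's post (spacing normalised, some lines trimmed).
SAMPLE = """
Cached Tickets: (3)

#0>     Client: hans @ MYNET.MYNET.COM
        Server: krbtgt/MYNET.MYNET.COM @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: bobafett.mynet.mynet.com

#1>     Client: hans @ MYNET.MYNET.COM
        Server: LDAP/bigbird.mynet.mynet.com/mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
        Start Time: 1/3/2020 7:59:08 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)

#2>     Client: hans @ MYNET.MYNET.COM
        Server: host/han.mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
"""

if __name__ == "__main__":
    tk = parse_klist(SAMPLE)
    for t in tk:
        print(f"{t['server']}: lifetime {t['lifetime']}, renewable for {t['renew_window']}, "
              f"flags {' '.join(decode_flags(t['flags']))}")
    print("tickets expiring at the 10 h drop interval:", [t["server"] for t in expiring_at(tk, 10)])
    print("non-AES tickets:", weak_etypes(tk))
```

On a client, paste the output of `klist` into `parse_klist` and call `expiring_at` with the interval you observe; every ticket in Hans's paste has a 10-hour lifetime and a 7-day renewable window, so the 10-hour drop lines up with the TGT and service tickets alike, and all three are RC4-HMAC rather than AES, which is worth checking on the accounts and KDC before increasing lifetimes.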