Rowland penny via samba wrote on 27/08/20 at 16:43:
> [...]
> Netbios is intrinsically tied to SMBv1 and LLMNR (Link-Local Multicast
> Name Resolution) is also connected in a way, it allows name resolutions
> without a nameserver. So, if you are using it, I personally wouldn't,
> ever heard of MITM ?

Just to understand a little more... NetBIOS with a WINS server configured is not prone to the MiTM attack, is it?

Piviul
Hi All,
I've samba (4.11.2) on centos 8 connected to IPA.
All works as expected but I see these errors in log:
Aug 28 09:12:02 satan8 smbd[889]: [2020/08/28 09:12:02.656514, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:02 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:02 satan8 smbd[889]: [2020/08/28 09:12:02.656848, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:02 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:02 satan8 smbd[889]: [2020/08/28 09:12:02.657066, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:02 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:06 satan8 smbd[889]: [2020/08/28 09:12:06.661632, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:06 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:06 satan8 smbd[889]: [2020/08/28 09:12:06.662068, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:06 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:06 satan8 smbd[889]: [2020/08/28 09:12:06.662392, 0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:06 satan8 smbd[889]: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
What is wrong here?
This is my config:
[global]
        debug pid = yes
        realm = CHAO5.INT
        workgroup = CHAO5
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        ldap ssl = off
        ldap suffix = dc=chao5,dc=int
        ldap user suffix = cn=users,cn=accounts
        log file = /var/log/samba/log
        max log size = 100000
        registry shares = Yes
        disable spoolss = Yes
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        kerberos method = dedicated keytab
        passdb backend = ipasam:ldap://barbas.chao5.int ldap://marbas.chao5.int
        security = USER
        create krb5 conf = No
        rpc_daemon:lsasd = fork
        rpc_daemon:epmd = fork
        rpc_server:tcpip = yes
        rpc_server:netlogon = external
        rpc_server:samr = external
        rpc_server:lsasd = external
        rpc_server:lsass = external
        rpc_server:lsarpc = external
        rpc_server:epmapper = external
        ldapsam:trusted = yes
        idmap config * : backend = tdb

        ldap admin dn = cn=Directory Manager

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[shared]
        comment = Public Share Test
        path = /mnt
        writable = yes
        browsable = yes
        guest ok = no
        read only = no
---
------
Greetz
On 28.08.2020 08:43, Piviul via samba wrote:
> Rowland penny via samba wrote on 27/08/20 at 16:43:
>> [...]
>> Netbios is intrinsically tied to SMBv1 and LLMNR (Link-Local
>> Multicast Name Resolution) is also connected in a way, it allows name
>> resolutions without a nameserver. So, if you are using it, I
>> personally wouldn't, ever heard of MITM ?
> Just to understand a little more... NetBIOS with a WINS server
> configured is not prone to the MiTM attack, is it?
>
> Piviul
On 28/08/2020 08:17, Christoph via samba wrote:
> Hi All,
>
> I've samba (4.11.2) on centos 8 connected to IPA.
> All works as expected but I see these errors in log:
>
> what is here wrong?

Apart from not starting your thread ?

> this is my config:
>
> [global]
>         debug pid = yes
>         realm = CHAO5.INT
>         workgroup = CHAO5
>         ldap group suffix = cn=groups,cn=accounts
>         ldap machine suffix = cn=computers,cn=accounts
>         ldap ssl = off
>         ldap suffix = dc=chao5,dc=int
>         ldap user suffix = cn=users,cn=accounts
>         log file = /var/log/samba/log
>         max log size = 100000
>         registry shares = Yes
>         disable spoolss = Yes
>         dedicated keytab file = FILE:/etc/samba/samba.keytab
>         kerberos method = dedicated keytab
>         passdb backend = ipasam:ldap://barbas.chao5.int ldap://marbas.chao5.int
>         security = USER
>         create krb5 conf = No
>         rpc_daemon:lsasd = fork
>         rpc_daemon:epmd = fork
>         rpc_server:tcpip = yes
>         rpc_server:netlogon = external
>         rpc_server:samr = external
>         rpc_server:lsasd = external
>         rpc_server:lsass = external
>         rpc_server:lsarpc = external
>         rpc_server:epmapper = external
>         ldapsam:trusted = yes
>         idmap config * : backend = tdb
>
>         ldap admin dn = cn=Directory Manager
>
> [homes]
>         comment = Home Directories
>         valid users = %S, %D%w%S
>         browseable = No
>         read only = No
>         inherit acls = Yes
>
> [shared]
>         comment = Public Share Test
>         path = /mnt
>         writable = yes
>         browsable = yes
>         guest ok = no
>         read only = no
>

I do not believe I am typing this, but you should be using sssd, security should be 'ADS' and you are asking on the wrong list.

Samba does not produce the 'idmap_sss' backend you require, so I suggest you start by reading this: https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html and contact the sssd-users mailing list. I should also point out that you cannot have Samba shares or use NTLM.

Rowland
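Added example (mine, not Samba code and not from either poster): a Python script that reassembles Samba's two-line journal records like the ones Christoph posted, counts the failed ncalrpc connects per socket name, and looks up the matching rpc_server key in the [global] section of smb.conf. The sample log and config are constructed from the lines in the post above. The rule that the socket file name lower-cased (EPMAPPER) is the rpc_server key (epmapper) is my heuristic, and the script makes no claim about what an endpoint defaults to when its key is absent.

```python
"""Correlate smbd 'connect(/run/samba/ncalrpc/<NAME>) failed' records with the
rpc_server / rpc_daemon settings of an smb.conf. Added example, not Samba code."""
import re
from collections import Counter

# Constructed sample built from the post: one journal line per Samba log line
# (Samba writes a '[timestamp, level, pid=N] file:line(func)' header, then the message).
SAMPLE_LOG = """\
Aug 28 09:12:02 satan8 smbd[889]: [2020/08/28 09:12:02.656514,  0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:02 satan8 smbd[889]:   connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:02 satan8 smbd[889]: [2020/08/28 09:12:02.656848,  0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:02 satan8 smbd[889]:   connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:06 satan8 smbd[889]: [2020/08/28 09:12:06.661632,  0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:06 satan8 smbd[889]:   connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Aug 28 09:12:06 satan8 smbd[889]: [2020/08/28 09:12:06.662068,  0, pid=889] ../../source3/rpc_client/cli_pipe.c:2937(rpc_pipe_open_ncalrpc)
Aug 28 09:12:06 satan8 smbd[889]:   connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
"""

# Constructed excerpt of the poster's [global]; only the rpc_* keys matter here.
SAMPLE_SMB_CONF = """\
[global]
        debug pid = yes
        security = USER
        rpc_daemon:lsasd = fork
        rpc_daemon:epmd = fork
        rpc_server:tcpip = yes
        rpc_server:samr = external
        rpc_server:epmapper = external
[homes]
        read only = No
"""

JOURNAL = re.compile(r'^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ \S+?\[(?P<pid>\d+)\]: ?(?P<rest>.*)$')
HEADER = re.compile(r'^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)'
                    r'(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]\s+(?P<loc>\S+)$')
NCALRPC = re.compile(r'connect\((?P<path>\S*/ncalrpc/(?P<sock>[A-Za-z0-9_]+))\) failed: (?P<err>.+?)\s*$')

def strip_journal_prefix(line):
    """Drop a syslog/journald 'Mon DD HH:MM:SS host prog[pid]: ' prefix if present."""
    m = JOURNAL.match(line)
    return m.group('rest') if m else line

def parse_entries(text):
    """Reassemble Samba's two-line records: header line, then the (indented) message."""
    entries, current = [], None
    for raw in text.splitlines():
        line = strip_journal_prefix(raw).strip()
        if not line:
            continue
        h = HEADER.match(line)
        if h:
            current = {'ts': h['ts'], 'level': int(h['level']), 'pid': h['pid'], 'loc': h['loc'], 'msg': ''}
            entries.append(current)
        elif current is not None:                      # continuation / message line
            current['msg'] = (current['msg'] + ' ' + line).strip()
    return entries

def ncalrpc_failures(entries):
    """Count failed ncalrpc connects per (socket name, error text)."""
    counts = Counter()
    for e in entries:
        m = NCALRPC.search(e['msg'])
        if m:
            counts[(m['sock'], m['err'])] += 1
    return counts

def parse_rpc_settings(conf_text):
    """Collect rpc_server:* and rpc_daemon:* keys from [global] (values lower-cased)."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'global' or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        key = key.lower()
        if key.startswith(('rpc_server:', 'rpc_daemon:')):
            settings[key] = value.lower()
    return settings

def diagnose(log_text, conf_text):
    """For each unreachable ncalrpc socket, report the rpc_server setting for it.
    Heuristic (my assumption): socket file name lower-cased == rpc_server key.
    'external' means smbd expects a separate daemon to create that socket."""
    settings = parse_rpc_settings(conf_text)
    findings = []
    for (sock, err), n in sorted(ncalrpc_failures(parse_entries(log_text)).items()):
        key = 'rpc_server:' + sock.lower()
        findings.append({'socket': sock, 'error': err, 'failures': n,
                         'rpc_server_setting': settings.get(key),   # None: key not set
                         'rpc_daemons': {k: v for k, v in settings.items() if k.startswith('rpc_daemon:')}})
    return findings

if __name__ == '__main__':
    for f in diagnose(SAMPLE_LOG, SAMPLE_SMB_CONF):
        print(f"{f['socket']}: {f['failures']}x '{f['error']}', rpc_server = {f['rpc_server_setting']}, daemons = {f['rpc_daemons']}")
```

Run against a real host with `journalctl -u smb --no-pager` piped in, or against the file named by `log file`, and the output tells you which externally served endpoint smbd keeps failing to reach; whether that endpoint should be external at all on an IPA-joined member is the question Rowland's reply points to the FreeIPA document for.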
On 28/08/2020 07:43, Piviul via samba wrote:
> Rowland penny via samba wrote on 27/08/20 at 16:43:
>> [...]
>> Netbios is intrinsically tied to SMBv1 and LLMNR (Link-Local
>> Multicast Name Resolution) is also connected in a way, it allows name
>> resolutions without a nameserver. So, if you are using it, I
>> personally wouldn't, ever heard of MITM ?
> Just to understand a little more... NetBIOS with a WINS server
> configured is not prone to the MiTM attack, is it?
>
> Piviul
>

There is a possibility, because a WINS server relies on the clients actually being who they claim to be.

Rowland
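Added example (mine, not Samba code and not from the thread) to make Rowland's point concrete: a Python encoder/decoder for NetBIOS Name Service packets (RFC 1002, UDP/137) plus a passive audit over captured datagrams. Decoding a registration request or a query answer shows everything the packet carries: transaction id, flags, a name, a type/class, a TTL and an address. There is no field a WINS server could use to check that the sender is entitled to the name or holds that address. The three audit rules, the hosts and the 192.0.2.0/24 addresses are constructed for the example, and the "configured WINS server" is an assumed input.

```python
"""NetBIOS Name Service (RFC 1002) over UDP/137: build and decode registration
requests and name-query responses, then audit what a WINS server cannot verify.
Added example, not Samba code and not from the thread."""
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
FLAGS_REG_REQ = 0x2900      # R=0, OPCODE=5 (registration), RD=1, B=0 (unicast to WINS)
FLAGS_QUERY_RESP = 0x8580   # R=1, OPCODE=0 (query), AA=1, RD=1, RA=1, RCODE=0
NB_FLAGS_P_UNIQUE = 0x2000  # unique name, P-node (resolves via the name server)

def encode_nb_name(name, suffix=0x20):
    """First-level encoding: name space-padded to 15 bytes + suffix byte, each nibble -> 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode('ascii') + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return bytes([len(enc)]) + enc + b'\x00'   # one 32-byte label, empty scope

def decode_nb_name(buf, off):
    """Returns (name, suffix, next_offset); follows RFC 1035-style compression pointers."""
    if buf[off] & 0xC0 == 0xC0:
        name, suffix, _ = decode_nb_name(buf, struct.unpack_from('!H', buf, off)[0] & 0x3FFF)
        return name, suffix, off + 2
    length, off = buf[off], off + 1
    enc, off = buf[off:off + length], off + length
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    while buf[off]:                              # skip scope labels, if any
        off += 1 + buf[off]
    return raw[:15].decode('ascii').rstrip(), raw[15], off + 1

def nb_rdata(nb_flags, ip):
    return struct.pack('!H4B', nb_flags, *(int(o) for o in ip.split('.')))

def build_registration(trn_id, name, claimed_ip, suffix=0x20, ttl=300000):
    """Name registration request: question + additional NB record holding the claimed address."""
    hdr = struct.pack('!6H', trn_id, FLAGS_REG_REQ, 1, 0, 0, 1)      # QD=1, AN=0, NS=0, AR=1
    q = encode_nb_name(name, suffix) + struct.pack('!HH', NB_TYPE, IN_CLASS)
    rr = struct.pack('!HHHIH', 0xC00C, NB_TYPE, IN_CLASS, ttl, 6)    # 0xC00C: pointer to the question name
    return hdr + q + rr + nb_rdata(NB_FLAGS_P_UNIQUE, claimed_ip)

def build_query_response(trn_id, name, ip, suffix=0x20, ttl=300000):
    """Positive name query response with a single NB answer record."""
    hdr = struct.pack('!6H', trn_id, FLAGS_QUERY_RESP, 0, 1, 0, 0)   # AN=1
    rr = encode_nb_name(name, suffix) + struct.pack('!HHIH', NB_TYPE, IN_CLASS, ttl, 6)
    return hdr + rr + nb_rdata(NB_FLAGS_P_UNIQUE, ip)

def parse_nbns(buf):
    """Decode header, questions and resource records. This is all the packet carries:
    no signature, secret or token binds the sender to the name or address it claims."""
    trn_id, flags, qd, an, ns, ar = struct.unpack_from('!6H', buf, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, suffix, off = decode_nb_name(buf, off)
        rtype, _rclass = struct.unpack_from('!HH', buf, off)
        off += 4
        questions.append((name, suffix, rtype))
    for _ in range(an + ns + ar):
        name, suffix, off = decode_nb_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from('!HHIH', buf, off)
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        addrs = []
        if rtype == NB_TYPE:                      # NB rdata: repeated (NB_FLAGS, IPv4) pairs
            for i in range(0, rdlen, 6):
                _nbf, a, b, c, d = struct.unpack_from('!H4B', rdata, i)
                addrs.append(f'{a}.{b}.{c}.{d}')
        records.append({'name': name, 'suffix': suffix, 'type': rtype, 'ttl': ttl, 'addrs': addrs})
    return {'trn_id': trn_id, 'is_response': bool(flags & 0x8000), 'opcode': (flags >> 11) & 0xF,
            'broadcast': bool(flags & 0x0010), 'questions': questions, 'records': records}

def audit(datagrams, wins_server):
    """datagrams: iterable of (src_ip, payload). Three heuristics (mine, not the thread's):
    (a) a query answer from anything but the configured WINS server, (b) a registration
    whose claimed address is not the sender, (c) a name re-registered from another host."""
    findings, owners = [], {}
    for src, payload in datagrams:
        p = parse_nbns(payload)
        if p['is_response'] and p['opcode'] == 0 and src != wins_server:
            for r in p['records']:
                findings.append(('answer-not-from-wins', r['name'], src, r['addrs']))
        elif not p['is_response'] and p['opcode'] == 5:
            for r in p['records']:
                if src not in r['addrs']:
                    findings.append(('claimed-addr-mismatch', r['name'], src, r['addrs']))
                if owners.setdefault(r['name'], src) != src:
                    findings.append(('name-reregistered-elsewhere', r['name'], src, [owners[r['name']]]))
    return findings

# Constructed traffic; 192.0.2.0/24 is documentation address space, nothing here is real.
WINS_SERVER = '192.0.2.10'
SAMPLE_DATAGRAMS = [
    ('192.0.2.21', build_registration(0x1001, 'FILESRV', '192.0.2.21')),    # honest registration
    ('192.0.2.66', build_registration(0x1002, 'FILESRV', '192.0.2.66')),    # same name, another host
    ('192.0.2.66', build_registration(0x1003, 'DC1', '192.0.2.5')),         # claims an address it does not hold
    ('192.0.2.10', build_query_response(0x2001, 'FILESRV', '192.0.2.21')),  # answer from the WINS server
    ('192.0.2.66', build_query_response(0x2002, 'FILESRV', '192.0.2.66')),  # answer from someone else
]

if __name__ == '__main__':
    for kind, name, src, addrs in audit(SAMPLE_DATAGRAMS, WINS_SERVER):
        print(f'{kind}: {name} from {src} -> {addrs}')
```

The second and third datagrams are accepted by a WINS server on exactly the same terms as the first one; the server can only notice the conflict with what it already stored (and RFC 1002 resolves that by asking the previous owner, over the same unauthenticated protocol). The last datagram is the broadcast/LLMNR-style case Rowland warned about: without a name server in the path, whoever answers first is believed. Feeding real traffic in is a matter of replacing SAMPLE_DATAGRAMS with (source address, UDP payload) pairs from a capture.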