On Wed, 2021-08-11 at 18:01 +0200, Mark Amundsen via samba wrote:
> Hi and thanks for your time
>
>
> First of all, I cleaned up the krb5.conf according to the samba wiki
> and after that I can connect with smbclient using the three part
> style of the credentials file, i.e.
> username=me
> password=thesecret
> domain=domain.example.com
>
> but mount.cifs still says STATUS_NO_LOGON_SERVERS
>
>
> > Is the 'linux box' joined to the domain ? If not, why not ?
> It is joined to the domain.
>
>
> > Let's start by you posting the smb.conf from all three machines
> > (hint:
> > post the output from 'samba-tool testparm --suppress-prompt' on the
> > DC
> > and 'testparm -s' on the others)
>
> Here are the outputs you asked for. Some info anonymized.
>
> AD DC:
> root@doc:~# samba-tool testparm --suppress-prompt
> INFO 2021-08-11 17:18:37,355 pid:3345
> /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py
> #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2021-08-11 17:18:37,355 pid:3345
> /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py
> #97: Loaded services file OK.
> # Global parameters
> [global]
>         dns forwarder = 1.2.3.4
>         netbios name = DOC
>         realm = THEDOMAIN.EXAMPLE.COM
>         server role = active directory domain controller
>         workgroup = THEDOMAIN
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path
> /usr/local/samba/var/locks/sysvol/thedomain.example.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
>
> Fileserver:
> root@sneezy:~# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>         log file = /var/log/samba/%m.log
>         realm = THEDOMAIN.EXAMPLE.COM
>         security = ADS
>         username map = /etc/samba/user.map
>         winbind use default domain = Yes
>         workgroup = THEDOMAIN
>         idmap config thedomain: range = 10000-999999
>         idmap config thedomain: backend = rid
>         idmap config * : range = 3000-7999
>         idmap config * : backend = tdb
>         map acl inherit = Yes
>         vfs objects = acl_xattr
>
>
> [Data]
>         path = /var/mntsamba/samba/Data/
>         read only = No
>
>
> The 'linux-box' that no longer mounts shares (I wasn't aware that
> mount.cifs uses the smb.conf so it is basically default debian conf)
> root@pluto:~# testparm -s
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> # Global parameters
> [global]
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         pam password change = Yes
>         panic action = /usr/share/samba/panic-action %d
>         passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         passwd program = /usr/bin/passwd %u
>         server role = standalone server
>         unix password sync = Yes
>         usershare allow guests = Yes
>         workgroup = THEDOMAIN
>         idmap config * : backend = tdb
>         create mask = 0700
>         directory mask = 0700
>         valid users = %S
>
>
>
> cheers
> Mark
>

OK, the two machines running 4.14.6 use SMBv2 as a minimum, your
standalone server uses SMBv1 as a minimum, so you may have to add
'vers=2' to your mount command.

Your three machines are using the same workgroup name, but the
standalone server will have a different SID than the other two. Can I
suggest you join the standalone server to the domain? It makes more
sense. I would only use a standalone server in a workgroup or ad-hoc
setup.

Rowland

Thanks for your time

> OK, the two machines running 4.14.6 use SMBv2 as a minimum, your
> standalone server uses SMBv1 as a minimum, so you may have to add
> 'vers=2' to your mount command.

I've tried vers=2.0 3.0 and even 2.1 (simply vers=2 gives an invalid argument error), same as before:
CIFS VFS: Send error in SessSetup = -5
CIFS VFS: cifs_mount failed w/return code = -5
Status code returned 0xc000005e STATUS_NO_LOGON_SERVERS

If I try vers=1.0 it simply says:
CIFS VFS: cifs_mount failed w/return code = -95

(also: mount.cifs says: Default has changed to a more secure dialect, SMB2.1 or later)

I created a share on one of the domain-joined windows machines and I can connect to that in the same manner as I used to connect to the samba fileserver, which leads me to believe that something has changed in the fileserver.

Have I disabled the authentication method that mount.cifs is using?

Mark

Hi,

Do all servers have the SPN cifs/hostname.fqdn.tld registered in the AD and in the local /etc/krb5.keytab?
Of course the standalone does not have it, but you can add it manually in AD and in the keytab file on that server.

Make sure all your servers using CIFS have A and PTR records (even your standalone).

When that's done, make sure all formats are like this.
Workgroup = ADDOM_IN_CAPS
Realm = SOME.DOM.TLD_IN_CAPS
Check smb.conf and krb5.conf
As far as I could tell this looked good.

When the above is in place, and you're letting the users automount these folders:
Did you set "allow delegate for Kerberos services" for the servers that do automounting?
samba-tool user sensitive - Set/unset or show UF_NOT_DELEGATED for an account.
If not, set it.

Last, the server with samba 4.9.5, upgrade it to at least samba 4.13/14

And now, if you're sure all is using Kerberos auth, it should work now.

I'm using the same here, CIFS and NFS4 kerberized mounts and automounting.
This is how I set up the automounting with systemd on my debian servers.
https://michlstechblog.info/blog/systemd-mount-examples-for-cifs-shares/

See how far you get, I'll keep an eye on the list today.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark
> Amundsen via samba
> Sent: Thursday 12 August 2021 9:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] mount.cifs STATUS_NO_LOGON_SERVERS
>
> Thanks for your time
>
> > OK, the two machines running 4.14.6 use SMBv2 as a minimum, your
> > standalone server uses SMBv1 as a minimum, so you may have to add
> > 'vers=2' to your mount command.
>
> I've tried vers=2.0 3.0 and even 2.1 (simply vers=2 gives an
> invalid argument error), same as before:
> CIFS VFS: Send error in SessSetup = -5
> CIFS VFS: cifs_mount failed w/return code = -5
> Status code returned 0xc000005e STATUS_NO_LOGON_SERVERS
>
> If I try vers=1.0 it simply says:
> CIFS VFS: cifs_mount failed w/return code = -95
>
>
> (also: mount.cifs says: Default has changed to a more secure
> dialect, SMB2.1 or later)
>
>
>
> I created a share on one of the domain-joined windows
> machines and I can connect to that in the same manner as I
> used to connect to the samba fileserver, which leads me to
> believe that something has changed in the fileserver.
>
> Have I disabled the authentication method that mount.cifs is using?
>
>
> Mark
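
Added example, not part of any message in the thread: a small shell audit of `testparm -s` output that checks the points raised above (is the host a DC or an ADS member rather than standalone, is a realm set, are realm and workgroup in capitals). The function names and finding labels are hypothetical, and the sample input is constructed, abridged from the 'pluto' output quoted in the thread.

```shell
#!/bin/sh
# Added example: audit `testparm -s` output against the thread's checklist.
# On a real host: testparm -s 2>/dev/null | audit_smbconf

# get_param KEY: print the value of KEY from the [global] section on stdin.
get_param() {
    awk -v key="$1" '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# audit_smbconf: read testparm output on stdin, print findings or "OK".
audit_smbconf() {
    conf=$(cat)
    role=$(printf '%s\n' "$conf" | get_param "server role")
    security=$(printf '%s\n' "$conf" | get_param "security")
    realm=$(printf '%s\n' "$conf" | get_param "realm")
    workgroup=$(printf '%s\n' "$conf" | get_param "workgroup")
    findings=""
    case "$role" in
        "active directory domain controller") ;;   # DC: no 'security' line
        *) [ "$(upper "$security")" = "ADS" ] ||
               findings="$findings not-domain-member" ;;
    esac
    [ -n "$realm" ] || findings="$findings realm-missing"
    [ "$realm" = "$(upper "$realm")" ] ||
        findings="$findings realm-not-uppercase"
    [ "$workgroup" = "$(upper "$workgroup")" ] ||
        findings="$findings workgroup-not-uppercase"
    echo "${findings:-OK}" | sed 's/^ //'
}

# Constructed sample, abridged from the standalone host's output above.
PLUTO_CONF='Server role: ROLE_STANDALONE
[global]
    server role = standalone server
    workgroup = THEDOMAIN
    idmap config * : backend = tdb'

printf '%s\n' "$PLUTO_CONF" | audit_smbconf
```

A clean result here only covers smb.conf; the SPN, keytab, DNS A/PTR and delegation checks from the message above still have to be verified against AD and DNS.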