Rowland Penny
2022-Aug-22 19:27 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
On Mon, 2022-08-22 at 18:56 +0000, Aaron Johnson via samba wrote:
> Hello Samba users!
>
> I'm experiencing an odd (hopefully, it's odd to everyone and not just
> me) issue with Alma Linux 8.6's samba-4.15.5-8.el8_6.x86_64 (and
> related) release.
>
> In short, I have a domain member Samba server with just the magic
> [homes] share defined in smb.conf. Mildly sanitized "testparm -s"
> output:
>
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     ldap connection timeout = 3
>     ldap timeout = 3
>     load printers = No
>     log file = /var/log/samba/%m.log
>     log level = kerberos:10 auth:10 auth_audit:10 winbind:10
>     ntlm auth = ntlmv1-permitted
>     printcap name = /dev/null
>     realm = MYDOMAIN.MYORG.COM
>     security = ADS
>     server role = member server
>     winbind max domain connections = 10
>     workgroup = MYDOMAIN
>     idmap config MYDOMAIN : range = 100000-9999999
>     idmap config MYDOMAIN : schema_mode = rfc2307
>     idmap config MYDOMAIN : backend = ad
>     idmap config * : range = 0-99999
>     idmap config * : backend = tdb
>
> [homes]
>     browseable = No
>     comment = Home Directories
>     inherit acls = Yes
>     read only = No
>     valid users = %S %D%w%S
>
> (I've added the "log level" setting in there as testparm didn't print
> it.)
>
> Trying to list out any shares on this server results in an
> NT_STATUS_IO_TIMEOUT like so:
>
> [myuser@myserver ~]$ time smbclient -d 2 -U MYDOMAIN\\myuser -L
> myserver.myorg.com

That command is interesting, you are trying to connect to 'myserver.myorg.com', yet your realm is 'MYDOMAIN.MYORG.COM', so presumably your dns domain will be 'mydomain.myorg.com'. I think you should be connecting to 'myserver.mydomain.myorg.com'.

Rowland
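The comparison made in the reply above, as an added example that is not part of the original thread: it reads the realm from `testparm -s` style output and reports whether a target host name lies under the matching DNS domain. The function names and the embedded sample are constructed here, and it assumes the AD DNS domain is the lower-cased realm.

```shell
#!/bin/sh
# Added example (not from the thread): does a host name fall inside the DNS
# domain implied by the realm in 'testparm -s' output?
# Assumption: the AD DNS domain is the lower-cased realm.

# Constructed sample: a few lines of the testparm output quoted above.
SAMPLE_TESTPARM='[global]
    realm = MYDOMAIN.MYORG.COM
    security = ADS
    workgroup = MYDOMAIN
[homes]
    valid users = %S %D%w%S'

# Print one [global] parameter value from testparm-style text on stdin.
global_param() {
    awk -v want="$1" '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }'
}

# Exit status 0 if host ($2) is a name under the realm ($1), 1 if not,
# 2 if no realm was supplied.
host_in_realm() {
    [ -n "$1" ] || return 2
    realm_dns=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    host=${host%.}                      # tolerate a trailing root dot
    case "$host" in
        *?".$realm_dns") return 0 ;;
        *) return 1 ;;
    esac
}

# Report on one target name against the realm found in the testparm text ($1).
check_target() {
    realm=$(printf '%s\n' "$1" | global_param realm)
    if host_in_realm "$realm" "$2"; then
        echo "OK        $2 (realm $realm)"
    else
        echo "MISMATCH  $2 is not under realm $realm"
        return 1
    fi
}

for name in myserver.myorg.com myserver.mydomain.myorg.com; do
    check_target "$SAMPLE_TESTPARM" "$name" || true
done
```

On a real member server, pass `"$(testparm -s 2>/dev/null)"` to `check_target` in place of the sample text.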
Aaron Johnson
2022-Aug-22 19:42 UTC
[Samba] authn timeouts enumerating (and connecting to) shares
Thanks for the swift response, Rowland!

I've added 'myserver.mydomain.myorg.com' to /etc/hosts; restarted smbd, nmbd, and winbind; tried smbclient -L ... again; and don't see any difference in the results.

I'm happy to share the sanitized logs if that would make a difference. (Would have done at the outset, but didn't see people sending more than brief excerpts as I browsed the archives.)