Rowland Penny
2023-Dec-12 08:25 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Mon, 11 Dec 2023 19:07:47 -0700
jacek burghardt via samba <samba at lists.samba.org> wrote:

> After running hardening scripts samba can't mount windows shares.

What 'hardening scripts', what did they do ?
Samba doesn't mount anything, it provides the shares to mount.

> I get error trying to mount share
>
> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> is installed
> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> is installed
> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>

That is actually coming from mount.cifs and '-126' is 'Required key not
available', so does the user that is doing the mount have a Kerberos
ticket ?

> I get following errors:
>
> [root at radiorec admin]# smbclient -k -L winnas
> WARNING: The option -k|--kerberos is deprecated!
> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> deprecated
> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> mechtype in NEG_TOKEN_INIT
> session setup failed: NT_STATUS_INVALID_PARAMETER
>
> [root at radiorec admin]# smbclient -L winnas
> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> deprecated
> Password for [HEBE\root]:
>
> [root at radiorec admin]# smbclient -L winnas -U jacek
> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> deprecated
> Password for [HEBE\jacek]:
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>
> Is there gpo I need to disable or I can change config in samba to get
> shares to mount?
>
> I see domain relationship failure but wbinfo works

I think you need to give us more information:
What OS ?
What version of Samba ?
The contents of your smb.conf
The mount command you are using

Rowland
jacek burghardt
2023-Dec-12 16:46 UTC
[Samba] samba fails to connect to windows file share joined to domain
I am using Arch Linux.
This is my fstab entry, using cred for windows domain user:

//winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0

I run hardening kitty scripts. Windows and OS X clients can mount the
shares but Linux has an issue.

[global]
netbios name = radiorec
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
winbind sealed pipes = false
require strong key = false
winbind sealed pipes:HEBE = true
require strong key:HEBE = true
lanman auth = no
ntlm auth = yes
ntlm auth = mschapv2-and-ntlmv2-only
client signing = auto
server signing = auto
winbind enum users = yes
winbind gid = 10000-20000
workgroup = hebe
os level = 20
winbind enum groups = yes
password server = den-dc01.hebe.us
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba/log.%m
dns proxy = no
realm = hebe.us
security = ADS
wins server = 192.168.1.8
wins proxy = no
client signing = auto
server signing = auto
domain master = auto
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = No
idmap config * : backend = tdb
idmap config * : range = 10000-20000
winbind use default domain = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind separator = +
winbind refresh tickets = yes
winbind offline logon = yes
winbind cache time = 300
template shell = /bin/bash
template homedir = /home/%D/%U
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
load printers = no
debug level = 3
use sendfile = no
vfs objects = acl_xattr shadow_copy2

[sysvol]
path = /usr/share/samba/sysvol
read only = No

[netlogon]

On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 11 Dec 2023 19:07:47 -0700
> jacek burghardt via samba <samba at lists.samba.org> wrote:
>
> > After running hardening scripts samba can't mount windows shares.
>
> What 'hardening scripts', what did they do ?
> Samba doesn't mount anything, it provides the shares to mount.
>
> > I get error trying to mount share
> >
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >
>
> That is actually coming from mount.cifs and '-126' is 'Required key not
> available', so does the user that is doing the mount have a Kerberos
> ticket ?
>
> > I get following errors:
> >
> > [root at radiorec admin]# smbclient -k -L winnas
> > WARNING: The option -k|--kerberos is deprecated!
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > mechtype in NEG_TOKEN_INIT
> > session setup failed: NT_STATUS_INVALID_PARAMETER
> >
> > [root at radiorec admin]# smbclient -L winnas
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > Password for [HEBE\root]:
> >
> > [root at radiorec admin]# smbclient -L winnas -U jacek
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > Password for [HEBE\jacek]:
> > session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >
> > Is there gpo I need to disable or I can change config in samba to get
> > shares to mount?
> >
> > I see domain relationship failure but wbinfo works
>
> I think you need to give us more information:
> What OS ?
> What version of Samba ?
> The contents of your smb.conf
> The mount command you are using
>
> Rowland
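
Added example (not part of either message, and not Samba or cifs-utils code): a small triage script that decodes the negative return codes in the CIFS kernel log lines quoted above and checks the posted fstab options for a Kerberos mount. The errno table is a hand-picked subset of Linux values, and the function names are hypothetical.

```python
import re

# Linux errno values (asm-generic/errno.h); a hand-picked subset, not exhaustive.
LINUX_ERRNO = {
    13: ("EACCES", "Permission denied"),
    126: ("ENOKEY", "Required key not available"),
    127: ("EKEYEXPIRED", "Key has expired"),
    128: ("EKEYREVOKED", "Key has been revoked"),
    129: ("EKEYREJECTED", "Key was rejected by service"),
}
ERR_LINE = re.compile(r"CIFS: VFS: (.+?) = -(\d+)\s*$")

# Kernel log lines and fstab entry as posted in the thread (wrapped lines rejoined).
LOG = [
    r"[72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed",
    r"[72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126",
    r"[72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126",
]
FSTAB = ("//winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,"
         "vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0")

def decode_cifs_errors(lines):
    """Return unique (context, errno name, description) tuples in log order."""
    seen = []
    for line in lines:
        m = ERR_LINE.search(line)
        if m:
            name, text = LINUX_ERRNO.get(int(m.group(2)), ("UNKNOWN", "not in table"))
            item = (m.group(1), name, text)
            if item not in seen:
                seen.append(item)
    return seen

def mount_options(fstab_entry):
    """Split the fourth fstab field into an option dict (bare flags map to '')."""
    opts = fstab_entry.split()[3]
    return dict(o.partition("=")[::2] for o in opts.split(","))

def triage(lines, fstab_entry):
    """Combine decoded kernel errors with notes about a Kerberos (sec=krb5*) mount."""
    opts = mount_options(fstab_entry)
    notes = [f"{ctx}: {name} ({text})" for ctx, name, text in decode_cifs_errors(lines)]
    if opts.get("sec", "").startswith("krb5"):
        notes.append(f"sec={opts['sec']}: the mounting user needs a valid Kerberos "
                     "ticket (check with klist) and a working cifs.upcall/keyutils setup")
        if "credentials" in opts:
            notes.append("credentials= is set, but a Kerberos mount authenticates "
                         "from the ticket cache, not the stored password")
    return notes

if __name__ == "__main__":
    print("\n".join(triage(LOG, FSTAB)))
```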