jacek burghardt
2023-Dec-13 15:44 UTC
[Samba] samba fails to connect to windows file share joined to domain
I see this in logs, what is causing it?

[2023/12/13 07:38:25.104382, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:38:55.142864, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:25.152964, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:55.130647, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:25.150802, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:55.162914, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 12 Dec 2023 19:32:10 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> > On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> > > I am using arch linux
> > > This is my fstab entry using cred for windows domain user
> > >
> > > //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
> > >
> > > I run hardening kitty scripts.
> > >
> > > Windows and osx clients can mount the shares but linux has an issue.
> > >
> > > [global]
> > > netbios name = radiorec
> > > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > > winbind sealed pipes = false
> > > require strong key = false
> > > winbind sealed pipes:HEBE = true
> > > require strong key:HEBE = true
> > > lanman auth = no
> > > ntlm auth = yes
> > > ntlm auth = mschapv2-and-ntlmv2-only
> > > client signing = auto
> > > server signing = auto
> > > winbind enum users = yes
> > > winbind gid = 10000-20000
> > > workgroup = hebe
> > > os level = 20
> > > winbind enum groups = yes
> > > password server = den-dc01.hebe.us
> > > preferred master = no
> > > winbind separator = +
> > > max log size = 50
> > > log file = /var/log/samba/log.%m
> > > dns proxy = no
> > > realm = hebe.us
> > > security = ADS
> > > wins server = 192.168.1.8
> > > wins proxy = no
> > > client signing = auto
> > > server signing = auto
> > > domain master = auto
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > idmap_ldb:use rfc2307 = yes
> > > ldap server require strong auth = No
> > > idmap config * : backend = tdb
> > > idmap config * : range = 10000-20000
> > > winbind use default domain = Yes
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > > winbind nested groups = Yes
> > > winbind separator = +
> > > winbind refresh tickets = yes
> > > winbind offline logon = yes
> > > winbind cache time = 300
> > > template shell = /bin/bash
> > > template homedir = /home/%D/%U
> > >
> > > inherit acls = Yes
> > > map acl inherit = Yes
> > > acl group control = yes
> > >
> > > load printers = no
> > > debug level = 3
> > > use sendfile = no
> > > vfs objects = acl_xattr shadow_copy2
> > >
> > > [sysvol]
> > > path = /usr/share/samba/sysvol
> > > read only = No
> > >
> > > [netlogon]
> > >
> > > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > >> On Mon, 11 Dec 2023 19:07:47 -0700
> > >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> > >>
> > >>> After running hardening scripts samba can't mount windows shares.
> > >>
> > >> What 'hardening scripts', what did they do?
> > >> Samba doesn't mount anything, it provides the shares to mount.
> > >>
> > >>> I get error trying to mount share
> > >>>
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>
> > >> That is actually coming from mount.cifs and '-126' is 'Required
> > >> key not available', so does the user that is doing the mount have
> > >> a kerberos ticket?
> > >>
> > >>> I get following errors:
> > >>>
> > >>> [root at radiorec admin]# smbclient -k -L winnas
> > >>> WARNING: The option -k|--kerberos is deprecated!
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
> > >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> > >>>
> > >>> [root at radiorec admin]# smbclient -L winnas
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > >>> Password for [HEBE\root]:
> > >>>
> > >>> [root at radiorec admin]# smbclient -L winnas -U jacek
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
> > >>> Password for [HEBE\jacek]:
> > >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> > >>>
> > >>> Is there a gpo I need to disable or can I change config in samba to
> > >>> get shares to mount?
> > >>>
> > >>> I see domain relationship failure but wbinfo works
> > >>
> > >> I think you need to give us more information:
> > >> What OS?
> > >> What version of Samba?
> > >> The contents of your smb.conf
> > >> The mount command you are using
> > >>
> > >> Rowland
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions: https://lists.samba.org/mailman/options/samba
> >
> > You did not tell us if you could join the domain (I think with
> > your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
> > you are talking about) is not a domain member, you can't use
> > Kerberos. Your smb.conf is (let's be kind) not working.
> >
> > This could be a start for your smb.conf:
> > -----------------------
> > [global]
> > workgroup = hebe
> > realm = hebe.us
> > security = ADS
> > winbind refresh tickets = Yes
> > winbind use default domain = yes
> > idmap config * : range = 10000 - 19999
> > idmap config hebe : backend = rid
> > idmap config hebe : range = 100000 - 199999
> > -----------------------
> >
> > Then join the domain with "net ads join -U administrator" (or any
> > other user who is a member of the "domain admins" group).
> >
> > Then to mount the share you can try it via fstab and credential-file
> > but every time you change your password the mount will fail. Better
> > use libpam-mount. (You will find a lot of info about configuring
> > libpam-mount with google.)
> >
> > With libpam-mount AND as a domain member your linux-client can mount
> > shares using Kerberos for authentication.
> >
> > Stefan
>
> Hi Stefan,
> Whilst I cannot argue with anything you have written and would agree
> your setup will work, I still feel we need more information, it seems
> we are only being told half the story.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Stefan Kania
2023-Dec-13 16:15 UTC
[Samba] samba fails to connect to windows file share joined to domain
On 13.12.23 at 16:44, jacek burghardt via samba wrote:
> I see this in logs, what is causing it?
>
> [2023/12/13 07:38:25.104382, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:38:55.142864, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:39:25.152964, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:39:55.130647, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:40:25.150802, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:40:55.162914, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>
> On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Tue, 12 Dec 2023 19:32:10 +0100
>> Stefan Kania via samba <samba at lists.samba.org> wrote:
>>
>>> On 12.12.23 at 17:46, jacek burghardt via samba wrote:
>>>> I am using arch linux
>>>> This is my fstab entry using cred for windows domain user
>>>>
>>>> //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
>>>>
>>>> I run hardening kitty scripts.
>>>>
>>>> Windows and osx clients can mount the shares but linux has an issue.
>>>>
>>>> [global]
>>>> netbios name = radiorec
>>>> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>>>> winbind sealed pipes = false
>>>> require strong key = false
>>>> winbind sealed pipes:HEBE = true
>>>> require strong key:HEBE = true
>>>> lanman auth = no
>>>> ntlm auth = yes
>>>> ntlm auth = mschapv2-and-ntlmv2-only
>>>> client signing = auto
>>>> server signing = auto
>>>> winbind enum users = yes
>>>> winbind gid = 10000-20000
>>>> workgroup = hebe
>>>> os level = 20
>>>> winbind enum groups = yes
>>>> password server = den-dc01.hebe.us
>>>> preferred master = no
>>>> winbind separator = +
>>>> max log size = 50
>>>> log file = /var/log/samba/log.%m
>>>> dns proxy = no
>>>> realm = hebe.us
>>>> security = ADS
>>>> wins server = 192.168.1.8
>>>> wins proxy = no
>>>> client signing = auto
>>>> server signing = auto
>>>> domain master = auto
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> idmap_ldb:use rfc2307 = yes
>>>> ldap server require strong auth = No
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 10000-20000
>>>> winbind use default domain = Yes
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind nested groups = Yes
>>>> winbind separator = +
>>>> winbind refresh tickets = yes
>>>> winbind offline logon = yes
>>>> winbind cache time = 300
>>>> template shell = /bin/bash
>>>> template homedir = /home/%D/%U
>>>>
>>>> inherit acls = Yes
>>>> map acl inherit = Yes
>>>> acl group control = yes
>>>>
>>>> load printers = no
>>>> debug level = 3
>>>> use sendfile = no
>>>> vfs objects = acl_xattr shadow_copy2
>>>>
>>>> [sysvol]
>>>> path = /usr/share/samba/sysvol
>>>> read only = No
>>>>
>>>> [netlogon]
>>>>
>>>> On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On Mon, 11 Dec 2023 19:07:47 -0700
>>>>> jacek burghardt via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> After running hardening scripts samba can't mount windows shares.
>>>>>
>>>>> What 'hardening scripts', what did they do?
>>>>> Samba doesn't mount anything, it provides the shares to mount.
>>>>>
>>>>>> I get error trying to mount share
>>>>>>
>>>>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>>>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>>>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
>>>>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
>>>>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>>>
>>>>> That is actually coming from mount.cifs and '-126' is 'Required
>>>>> key not available', so does the user that is doing the mount have
>>>>> a kerberos ticket?
>>>>>
>>>>>> I get following errors:
>>>>>>
>>>>>> [root at radiorec admin]# smbclient -k -L winnas
>>>>>> WARNING: The option -k|--kerberos is deprecated!
>>>>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>>>>> gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>>>>>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>>>>>
>>>>>> [root at radiorec admin]# smbclient -L winnas
>>>>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>>>>> Password for [HEBE\root]:
>>>>>>
>>>>>> [root at radiorec admin]# smbclient -L winnas -U jacek
>>>>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is deprecated
>>>>>> Password for [HEBE\jacek]:
>>>>>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>>>>>>
>>>>>> Is there a gpo I need to disable or can I change config in samba to
>>>>>> get shares to mount?
>>>>>>
>>>>>> I see domain relationship failure but wbinfo works
>>>>>
>>>>> I think you need to give us more information:
>>>>> What OS?
>>>>> What version of Samba?
>>>>> The contents of your smb.conf
>>>>> The mount command you are using
>>>>>
>>>>> Rowland
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> You did not tell us if you could join the domain (I think with
>>> your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
>>> you are talking about) is not a domain member, you can't use
>>> Kerberos. Your smb.conf is (let's be kind) not working.
>>>
>>> This could be a start for your smb.conf:
>>> -----------------------
>>> [global]
>>> workgroup = hebe
>>> realm = hebe.us
>>> security = ADS
>>> winbind refresh tickets = Yes
>>> winbind use default domain = yes
>>> idmap config * : range = 10000 - 19999
>>> idmap config hebe : backend = rid
>>> idmap config hebe : range = 100000 - 199999
>>> -----------------------
>>>
>>> Then join the domain with "net ads join -U administrator" (or any
>>> other user who is a member of the "domain admins" group).
>>>
>>> Then to mount the share you can try it via fstab and credential-file
>>> but every time you change your password the mount will fail. Better
>>> use libpam-mount. (You will find a lot of info about configuring
>>> libpam-mount with google.)
>>>
>>> With libpam-mount AND as a domain member your linux-client can mount
>>> shares using Kerberos for authentication.
>>>
>>> Stefan
>>
>> Hi Stefan,
>> Whilst I cannot argue with anything you have written and would agree
>> your setup will work, I still feel we need more information, it seems
>> we are only being told half the story.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

I think you did not read what we have written.

1. Do you want to set up a domain controller, fileserver or a client?
2. If you want to set up a fileserver or client, tell us if you joined the domain; "net ads testjoin" is showing this.
3. Did you change your smb.conf to define your role: DC or fileserver or client? At the moment it's a little bit from everything.

If you don't provide this information to us we can't help.

Stefan
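The remark above that the posted smb.conf is "a little bit from everything" can be checked mechanically. The following is an added example, not part of the original thread and not Samba code: a small Python linter that flags repeated or conflicting [global] parameters, AD DC settings and shares, and a missing per-domain idmap backend on a host with security = ADS. The names lint, has_domain_backend, DC_ONLY and DC_SHARES are assumptions of this example.

```python
# Added example, not Samba code: DC_ONLY and DC_SHARES are this example's own
# short lists of settings and shares that belong on an AD DC, not a member.
DC_ONLY = {"server services", "idmap_ldb:use rfc2307"}
DC_SHARES = {"sysvol", "netlogon"}

def has_domain_backend(seen, domain):
    for key in seen:
        if key.startswith("idmap config "):
            dom, _, opt = key[len("idmap config "):].partition(":")
            if dom.strip() == domain and opt.strip() == "backend":
                return True
    return False

def lint(text):
    """Return findings for an smb.conf on a host meant to be a domain member."""
    section, seen, findings = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section in DC_SHARES:
                findings.append(f"dc-share: [{section}]")
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # names are case-insensitive
        if key in seen:
            kind = "duplicate" if seen[key].lower() == value.lower() else "conflict"
            findings.append(f"{kind}: '{key}' = '{seen[key]}' and '{value}'")
        seen[key] = value
        if key in DC_ONLY:
            findings.append(f"dc-only: '{key}' is an AD DC setting")
    domain = seen.get("workgroup", "").lower()
    if seen.get("security", "").lower() == "ads" and not has_domain_backend(seen, domain):
        findings.append(f"idmap: no 'idmap config {domain} : backend'")
    return findings

# Constructed excerpt of the smb.conf posted in the thread.
POSTED = """[global]
workgroup = hebe
security = ADS
ntlm auth = yes
ntlm auth = mschapv2-and-ntlmv2-only
client signing = auto
client signing = auto
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc
idmap config * : backend = tdb
[sysvol]
path = /usr/share/samba/sysvol
"""
if __name__ == "__main__":
    print("\n".join(lint(POSTED)))
```

The minimal [global] section suggested in the thread produces no findings with this check. testparm remains the tool to validate the file's syntax.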
Rowland Penny
2023-Dec-13 16:38 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Wed, 13 Dec 2023 08:44:48 -0700
jacek burghardt via samba <samba at lists.samba.org> wrote:

> I see this in logs what is causing it ?
>
> [2023/12/13 07:38:25.104382, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:38:55.142864, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:39:25.152964, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:39:55.130647, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:40:25.150802, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>   wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
> [2023/12/13 07:40:55.162914, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
>
> On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
>

Excuse me, but would you mind answering the questions that have been asked of you. At the moment, I haven't a clue just what you are running, or how you are running it.

Rowland