Thanks for the advice about the security line, I won't use domain type
anymore then.
I know name_status_find is using NetBios, what I don't know is why this
function is called when using 'security = ads', and as a result of the
failure my domain is added to the failed connection cache.
Then, every action that needs to have a look into the cache results in failing,
and wbinfo -P returns "WBC_ERR_DOMAIN_NOT_FOUND".
I've got the following error message:
wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: BERTINIT -
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
Cheers
Vincent
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny
via samba
Sent: Thursday, January 25, 2024 17:18
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba acting as a domain member + netbios
On Thu, 25 Jan 2024 15:48:39 +0000
Vincent DROUIN via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm trying to use a Samba share service with authentication
> delegated to a Windows Active Directory Server.
>
> I manage to join successfully to the AD using net ads join command,
> with or without Kerberos, using either "security = domain" or
> "security = ads".
You really should only use 'security = ads', 'domain' is meant
for the legacy NT4-style domains.
> Nevertheless, if I use "disable netbios" option, winbindd immediately
> fails to use "name_status_find",
It would, it requires netbios. If you turn the logging up to 5, you will get a
log message telling you this.
> the domain is
> then added to the negative connection cache and the whole thing stops
> working.
What stops working? The entire domain, or whatever you are trying to do?
>
> The winbind ping is also failing if netbios is disabled.
Are we talking 'wbinfo -P', because I have netbios turned off in smb.conf
(I also do not run nmbd) and that command works for myself:
wbinfo -P
checking the NETLOGON for domain[SAMDOM] dc connection to
"rpidc2.samdom.example.com" succeeded
Though I am using a Samba AD DC
>
> Am I missing some configuration parameter that would prevent such a
> behavior? NetBios is an insecure deprecated protocol: why is it
> mandatory to have it to verify communication with the domain?
It isn't mandatory, as far as I am aware, as for you having a missing
parameter, it is doubtful, but I haven't a clue because I do not know what
you have in your smb.conf.
Rowland