Rowland Penny
2024-Oct-25 08:50 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000 Hans van Leeuwen via samba <samba at lists.samba.org> wrote:

> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv".
> On the Windows system, the Samba disk is mapped with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of the Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias".
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with "samba-srv-alias" as host:
> C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Also now the Samba disk on samba-srv can be accessed on the Y-drive.
> But Wireshark now shows that NTLM is used to encrypt the network
> packets. NTLM doesn't work with tickets that need to be renewed.
> The problem that the Samba share is not available for some seconds
> doesn't occur when NTLM is used to encrypt the network packets.
>
> The problem that the share is not available for some seconds also doesn't
> occur when the share is not on Samba but on another Windows system,
> also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a log file when the share is not available and
> available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> 	client min protocol = SMB3_02
> 	log file = /var/log/samba
> 	max open files = 65536
> 	realm = MAIL-STREET.LOCAL
> 	restrict anonymous = 2
> 	security = ADS
> 	server min protocol = SMB3_02
> 	server signing = required
> 	smb ports = 445
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind separator = ^
> 	winbind use default domain = Yes
> 	workgroup = MAIL-STREET
> 	full_audit:priority = notice
> 	full_audit:facility = local5
> 	full_audit:failure = none
> 	full_audit:success = open close read write mkdirat renameat unlinkat openat
> 	full_audit:prefix = %u|%I|%S
> 	idmap config * : range = 10000-20000
> 	idmap config * : backend = tdb
> 	vfs objects = full_audit
>
>
> [customers]
> 	create mask = 0777
> 	directory mask = 0777
> 	force directory mode = 0777
> 	force group = Yschijfusers
> 	path = /var/local/customers
> 	read only = No
> 	valid users = @Yschijfusers

One of two things seems to be going on here:

You just have a mis-configured smb.conf (no 'idmap.config' lines for the 'MAIL-STREET' domain).

You are also using sssd.

Which is it ?

Rowland
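The reproduction program the original message refers to (hotfolderscan.exe) is only an attachment and is not on this page. The probe below is an added example, written for this thread and not the attachment itself nor Samba's code: it does what the message describes, listing a folder on the share every 3 seconds and appending a line to a log file only when the share changes between available and unavailable, in the same "Error <errno> <text>" / "Share available again" format as the two log lines quoted above. It assumes the share is already mapped or mounted at the directory given as the first argument and that the second argument is a writable log path; it builds with gcc on Linux and with MinGW gcc on Windows, since both provide dirent.h. The state logic is kept in a separate function from the I/O so it can be checked without a share.

```c
/* Added example: minimal share-availability probe in the spirit of the
 * thread's hotfolderscan program (not the original attachment). */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#define sleep_seconds(s) Sleep((s) * 1000)
#else
#include <unistd.h>
#define sleep_seconds(s) sleep(s)
#endif

#define INTERVAL_SECONDS 3   /* same polling interval as described in the thread */

/* Try to list the directory. Returns 0 when the share answered, otherwise the
 * errno from opendir()/readdir(), e.g. ENOENT (2) as in the quoted log lines. */
int probe_dir(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return errno ? errno : EIO;
    /* Read one entry so a stale handle on a reconnecting share surfaces as an
     * error rather than as a silently empty listing. */
    errno = 0;
    struct dirent *e = readdir(d);
    int rc = (e == NULL && errno != 0) ? errno : 0;
    closedir(d);
    return rc;
}

/* Transition logic: returns the new "available" flag and fills msg with the
 * line to log when the state changed, or leaves msg empty when it did not. */
int update_state(int was_available, int rc, char *msg, size_t msglen)
{
    if (msg && msglen)
        msg[0] = '\0';
    if (rc != 0 && was_available) {
        if (msg)
            snprintf(msg, msglen, "Error %d %s", rc, strerror(rc));
        return 0;
    }
    if (rc == 0 && !was_available) {
        if (msg)
            snprintf(msg, msglen, "Share available again");
        return 1;
    }
    return was_available;
}

/* Append "YYYY-MM-DD HH:MM:SS <msg>" to the log file. Returns 0 on success. */
int log_line(const char *logpath, const char *msg)
{
    FILE *f = fopen(logpath, "a");
    if (f == NULL)
        return -1;
    char ts[32];
    time_t now = time(NULL);
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
    fprintf(f, "%s %s\n", ts, msg);
    fclose(f);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <share-dir> <logfile>\n", argv[0]);
        return 2;
    }
    int available = 1;          /* assume the share is up when the probe starts */
    char msg[256];
    for (;;) {
        int rc = probe_dir(argv[1]);
        available = update_state(available, rc, msg, sizeof msg);
        if (msg[0] != '\0' && log_line(argv[2], msg) != 0)
            perror("log");
        sleep_seconds(INTERVAL_SECONDS);
    }
}
```

Run as `hotfolderscan Y:\ C:\temp\folderscan.log` on the Windows client, or against a cifs mount point on a Linux client. Because only transitions are logged, the gap between the "Error" line and the "Share available again" line is the length of the outage, and the timestamps can be lined up directly against a Wireshark capture or the Samba server log at the moment of the ticket renewal.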
Hans van Leeuwen
2024-Oct-28 13:41 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi Rowland Penny,

Indeed the "idmap.config" parameter line is not added to the smb.conf file.
But the command below shows that the default values are used.

testparm -vs | grep idmap.config
	idmap config * : range = 100000-200000
	idmap config * : backend = tdb

I did not set up sssd, so if sssd is used it happened automatically.
Can idmap.config and sssd affect the Kerberos usage?

Best regards,
Hans van Leeuwen.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, October 25, 2024 10:51 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption