Rowland Penny
2024-Oct-25 08:50 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000
Hans van Leeuwen via samba <samba at lists.samba.org> wrote:
> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv"
> On the Windows system, the Samba disk is shared with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias"
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with host
> "samba-srv-alias": C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Also now the Samba disk on samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packets. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packets.
>
> The problem that the share is not available for some seconds also
> doesn't occur when the share is not on Samba but on another Windows
> system, also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a logfile when the share is not available and
> available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba-server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client min protocol = SMB3_02
> log file = /var/log/samba
> max open files = 65536
> realm = MAIL-STREET.LOCAL
> restrict anonymous = 2
> security = ADS
> server min protocol = SMB3_02
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind separator = ^
> winbind use default domain = Yes
> workgroup = MAIL-STREET
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:failure = none
> full_audit:success = open close read write mkdirat renameat unlinkat openat
> full_audit:prefix = %u|%I|%S
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
> vfs objects = full_audit
>
>
> [customers]
> create mask = 0777
> directory mask = 0777
> force directory mode = 0777
> force group = Yschijfusers
> path = /var/local/customers
> read only = No
> valid users = @Yschijfusers
One of two things seems to be going on here:
You just have a mis-configured smb.conf (no 'idmap.config' lines for
the 'MAIL-STREET' domain).
You are also using sssd.
Which is it ?
Rowland
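Rowland's first suspicion is an smb.conf with no per-domain idmap lines for the workgroup. The script below is an added example, not code from the thread or from the Samba project: it parses the idmap lines out of smb.conf or `testparm -s` text, flags a workgroup that has no `idmap config <DOMAIN> : ...` block, and flags idmap ranges that overlap. The corrected lines it constructs (rid backend, 100000-999999 range) are assumed values, not something the thread states.

```python
import re
# Constructed sample: the idmap-relevant [global] lines as posted in the thread.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = MAIL-STREET
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb
"""
# Constructed fix (values assumed, not taken from the thread): per-domain
# idmap lines with a range that does not overlap the '*' range.
FIXED_SMB_CONF = SAMPLE_SMB_CONF + """
    idmap config MAIL-STREET : backend = rid
    idmap config MAIL-STREET : range = 100000-999999
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)$", re.I)

def parse_conf(text):
    """Return (workgroup, {DOMAIN: {option: value}}) from smb.conf/testparm text."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "workgroup":
                workgroup = value.upper()
    return workgroup, idmap

def check_idmap(text):
    """Return findings; an empty list means the idmap layout passes the check."""
    workgroup, idmap = parse_conf(text)
    findings = []
    if "range" not in idmap.get("*", {}):
        findings.append("no 'idmap config * : range' for the default domain")
    if workgroup and workgroup not in idmap:
        findings.append(f"no 'idmap config {workgroup} : ...' lines; domain SIDs fall back to the '*' allocation")
    # Per-domain ranges must not overlap each other or the '*' range.
    spans = {d: tuple(int(x) for x in o["range"].split("-"))
             for d, o in idmap.items() if "range" in o}
    doms = sorted(spans)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings
```

Feed it the output of `testparm -s` on the member server; the thread's config yields exactly the missing-domain finding Rowland points at.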
Hans van Leeuwen
2024-Oct-28 13:41 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi Rowland Penny,
Indeed the "idmap.config" parameter line is not added to the smb.conf
file.
But the command below shows that the default values are used.
testparm -vs | grep idmap.config
idmap config * : range = 100000-200000
idmap config * : backend = tdb
I did not set sssd, so if sssd is used it happened automatically.
Can idmap.config and sssd affect the Kerberos usage?
Best regards,
Hans van Leeuwen.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Friday, October 25, 2024 10:51 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000
Hans van Leeuwen via samba <samba at lists.samba.org> wrote:
> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv"
> On the Windows system, the Samba disk is shared with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias"
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with host
> "samba-srv-alias": C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Also now the Samba disk on samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packets. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packets.
>
> The problem that the share is not available for some seconds also
> doesn't occur when the share is not on Samba but on another Windows
> system, also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a logfile when the share is not available and
> available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba-server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client min protocol = SMB3_02
> log file = /var/log/samba
> max open files = 65536
> realm = MAIL-STREET.LOCAL
> restrict anonymous = 2
> security = ADS
> server min protocol = SMB3_02
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind separator = ^
> winbind use default domain = Yes
> workgroup = MAIL-STREET
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:failure = none
> full_audit:success = open close read write mkdirat renameat unlinkat openat
> full_audit:prefix = %u|%I|%S
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
> vfs objects = full_audit
>
>
> [customers]
> create mask = 0777
> directory mask = 0777
> force directory mode = 0777
> force group = Yschijfusers
> path = /var/local/customers
> read only = No
> valid users = @Yschijfusers
One of two things seems to be going on here:
You just have a mis-configured smb.conf (no 'idmap.config' lines for
the 'MAIL-STREET' domain).
You are also using sssd.
Which is it ?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba