Hans van Leeuwen
2024-Oct-25 08:35 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi Samba engineer,

We use an Ubuntu 20.04.6 system as Samba server. The Samba version is 4.15.13-Ubuntu. The SMB client is a Windows Server 2022 Standard 21H2.

The hostname of the Ubuntu Samba server is "samba-srv". On the Windows system, the Samba share is mapped with the command:

C:>net use Y: \\samba-srv\customers /u:hans
Enter the password for 'hans' to connect to 'samba-srv':
The command completed successfully

Now the Samba disk on system samba-srv can be accessed on the Y-drive. The network analyzer Wireshark shows that Kerberos is used to encrypt the network packets. But at the moment of the Kerberos ticket renewal, the Samba share is not available for some seconds.

Another DNS record is created with the name "samba-srv-alias". This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv". The Y-drive is removed and created again, now with "samba-srv-alias" as host:

C:>net use Y: \\samba-srv-alias\customers /u:hans

Also now the Samba disk on samba-srv can be accessed on the Y-drive. But Wireshark now shows that NTLM is used to encrypt the network packets. NTLM doesn't work with tickets that need to be renewed. The problem that the Samba share is not available for some seconds doesn't occur when NTLM is used to encrypt the network packets.

The problem that the share is not available for some seconds also doesn't occur when the share is not on Samba but on another Windows system, also when Kerberos is used.

The attachment contains the C program source that can be used to reproduce the problem. This source can be compiled on Windows with e.g. gcc. The program reads a folder on the share every 3 seconds to check for files and writes to a logfile when the share is not available and when it is available again. Start the hotfolderscan program e.g. in the way below:

C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log

After +/- 10 hours, when Kerberos renews the ticket, the lines below are written in the log file:

2024-10-23 09:09:13 Error 2 No such file or directory
2024-10-23 09:09:16 Share available again

It seems that Samba doesn't handle the Kerberos ticket renewal in the right way.

Best regards,
Ing. Hans van Leeuwen

The used Samba parameters on the Samba server:

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	client min protocol = SMB3_02
	log file = /var/log/samba
	max open files = 65536
	realm = MAIL-STREET.LOCAL
	restrict anonymous = 2
	security = ADS
	server min protocol = SMB3_02
	server signing = required
	smb ports = 445
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind separator = ^
	winbind use default domain = Yes
	workgroup = MAIL-STREET
	full_audit:priority = notice
	full_audit:facility = local5
	full_audit:failure = none
	full_audit:success = open close read write mkdirat renameat unlinkat openat
	full_audit:prefix = %u|%I|%S
	idmap config * : range = 10000-20000
	idmap config * : backend = tdb
	vfs objects = full_audit


[customers]
	create mask = 0777
	directory mask = 0777
	force directory mode = 0777
	force group = Yschijfusers
	path = /var/local/customers
	read only = No
	valid users = @Yschijfusers

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: hotfolderscan.c
URL: <http://lists.samba.org/pipermail/samba/attachments/20241025/270becbd/hotfolderscan.c>
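The attached hotfolderscan.c is not reproduced on this page. The program below is an added stand-in written for this page, not the poster's code: it polls a directory on the mapped share every 3 seconds and appends a timestamped line to a log file only when the availability state changes, which yields the same two-line pattern ("Error 2 No such file or directory", then "Share available again") that the post reports. It uses the POSIX opendir/readdir API so it builds with gcc on Linux and with MinGW gcc on Windows (MinGW ships dirent.h); the 3-second interval, the log format and the assumption that the share is up at start are choices made here.

```c
/* hotfolder_probe.c: added example, not the hotfolderscan.c attached to the post.
 * Polls a directory and logs transitions between "share unavailable"
 * (opendir/readdir fails) and "share available again".
 * Build: gcc -O2 -o hotfolder_probe hotfolder_probe.c
 * Run:   hotfolder_probe Y:\ C:\temp\folderscan.log   (or a Linux path) */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef _WIN32
#include <windows.h>
#define sleep_seconds(s) Sleep((s) * 1000)
#else
#include <unistd.h>
#define sleep_seconds(s) sleep(s)
#endif

/* Open the directory and read one entry so the server actually has to
 * answer a directory query, not just a cached path lookup.
 * Returns 1 if the share answered, 0 otherwise; on failure *err holds
 * errno (2 == ENOENT, the "No such file or directory" in the post's log). */
int share_available(const char *path, int *err)
{
    DIR *d = opendir(path);
    if (!d) {
        if (err) *err = errno;
        return 0;
    }
    errno = 0;
    struct dirent *e = readdir(d);
    int saved = errno;
    closedir(d);
    if (!e && saved != 0) {      /* NULL with errno set is an error, not an empty dir */
        if (err) *err = saved;
        return 0;
    }
    if (err) *err = 0;
    return 1;
}

/* Report a state change. Returns NULL when nothing changed; otherwise
 * fills buf with the message text (without timestamp) and returns buf. */
const char *describe(int was_available, int now_available, int err,
                     char *buf, size_t n)
{
    if (was_available == now_available) return NULL;
    if (now_available)
        snprintf(buf, n, "Share available again");
    else
        snprintf(buf, n, "Error %d %s", err, strerror(err));
    return buf;
}

/* Local timestamp in the same layout as the post's log lines. */
static void stamp(char *out, size_t n)
{
    time_t now = time(NULL);
    struct tm *t = localtime(&now);
    strftime(out, n, "%Y-%m-%d %H:%M:%S", t);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <share-dir> <logfile>\n", argv[0]);
        return 2;
    }
    FILE *log = fopen(argv[2], "a");
    if (!log) { perror(argv[2]); return 1; }

    int was = 1, err = 0;        /* assumption: the share is up when we start */
    char msg[128], ts[32];
    for (;;) {
        int now = share_available(argv[1], &err);
        if (describe(was, now, err, msg, sizeof msg)) {
            stamp(ts, sizeof ts);
            fprintf(log, "%s %s\n", ts, msg);
            fflush(log);         /* keep the log useful if the probe itself dies */
        }
        was = now;
        sleep_seconds(3);
    }
}
```

Logging only transitions keeps the file small over a 10-hour run and makes the gap length visible as the difference between the two timestamps, which is what you want to correlate with the Kerberos ticket lifetime and with the packet capture Ralph asks for below.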
Rowland Penny
2024-Oct-25 08:50 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000
Hans van Leeuwen via samba <samba at lists.samba.org> wrote:

> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv"
> On the Windows system, the Samba share is mapped with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of the Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias"
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with
> "samba-srv-alias" as host. C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Also now the Samba disk on samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packets. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packets.
>
> The problem that the share is not available for some seconds also doesn't
> occur when the share is not on Samba but on another Windows system,
> also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a logfile when the share is not available and
> when it is available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file: 2024-10-23 09:09:13 Error 2 No such file
> or directory 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> 	client min protocol = SMB3_02
> 	log file = /var/log/samba
> 	max open files = 65536
> 	realm = MAIL-STREET.LOCAL
> 	restrict anonymous = 2
> 	security = ADS
> 	server min protocol = SMB3_02
> 	server signing = required
> 	smb ports = 445
> 	template shell = /bin/bash
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind separator = ^
> 	winbind use default domain = Yes
> 	workgroup = MAIL-STREET
> 	full_audit:priority = notice
> 	full_audit:facility = local5
> 	full_audit:failure = none
> 	full_audit:success = open close read write mkdirat renameat unlinkat openat
> 	full_audit:prefix = %u|%I|%S
> 	idmap config * : range = 10000-20000
> 	idmap config * : backend = tdb
> 	vfs objects = full_audit
>
>
> [customers]
> 	create mask = 0777
> 	directory mask = 0777
> 	force directory mode = 0777
> 	force group = Yschijfusers
> 	path = /var/local/customers
> 	read only = No
> 	valid users = @Yschijfusers

One of two things seems to be going on here:

You just have a mis-configured smb.conf (no 'idmap config' lines for the 'MAIL-STREET' domain).

You are also using sssd.

Which is it?

Rowland
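For Rowland's first possibility, this is what the missing per-domain idmap block looks like. The fragment is an added illustration for this page, not configuration taken from the thread or from the Samba project: only the two `idmap config MAIL-STREET` lines are new, the rest repeats the poster's existing [global] entries for context. The `rid` backend and the 20001-30000 range are assumptions; any backend appropriate to the site works, as long as its range does not overlap the 10000-20000 range that the poster already reserved for `*` (the built-in and trusted-domain fallback).

```ini
[global]
	workgroup = MAIL-STREET
	realm = MAIL-STREET.LOCAL
	security = ADS

	# existing fallback mapping for everything that is not a known domain
	idmap config * : backend = tdb
	idmap config * : range = 10000-20000

	# added example: explicit mapping for the member's own domain
	# (backend and range are assumptions; the range must not overlap '*')
	idmap config MAIL-STREET : backend = rid
	idmap config MAIL-STREET : range = 20001-30000
```

After editing, `testparm -s` should list both `idmap config MAIL-STREET` lines under [global]; if it does not, the change was not picked up from /etc/samba/smb.conf.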
Ralph Boehme
2024-Oct-25 09:08 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
On 10/25/24 10:35 AM, Hans van Leeuwen via samba wrote:
> It seems that Samba doesn't handle the Kerberos ticket renewal in the right way.

Can you get us two network traces:

- last minute before and after session expiry against Samba
- last minute before and after session expiry against Windows

-slow

-- 
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
Michael Tokarev
2024-Oct-31 11:37 UTC
[Samba] Kerberos ticket renew causes a brief network interruption
Hi!

I haven't seen this thread until now. But it looks like this is exactly the case with our network, which I mentioned in a "strange" bug/issue report a while back (sorry, can't immediately find a reference to my own post).

The problem in my case was that occasionally, the mapped network drives (mapped to a Samba server in a Samba AD) disconnect, and Windows shows a red X near the drive icon in Explorer. Also, the Far Manager app (a Norton Commander clone), if it is left with a network path open on its panel, which is supposed to refresh contents on changes, shows an error instead, saying the network path is unavailable. At the same time, just clicking on the drive icon in Explorer (or acknowledging the error message in Far Manager) is enough for the connection to be restored.

It looks like the root cause of this issue of mine is the same as in this thread: a brief network disconnect on a Kerberos ticket renew, which doesn't happen often enough to be easily reproducible, but is not rare enough to be non-annoying at times.

Now, for fun, a couple of weeks ago I had some time and decided to work on that issue of ours, to get the network traces asked for by Jeremy at the time of my initial report (since it doesn't happen often, I had to run packet capture for quite some time). And it turned out that with the current version of Samba (I was using 4.20.5 at the time), I no longer see these disconnects anymore. I had the packet capture running for 4 days in a row (restarting it to start a new capture to save space), keeping the Far Manager window open in a usual user session, to no avail.

I think the last version where I had definitely seen that issue was 4.18 or 4.19 (can't say for sure anymore). And it looks like current Samba does not have this issue anymore.

Is there a way to trigger ticket renew from Windows somehow?

Thanks,

/mjt