SMB proxy server using ntvfs cifs

Chris Miller chris at cmiller.co.uk
Wed Jan 27 13:10:12 UTC 2016


Hi,

I am trying to get an ntvfs with cifs proxy server running with several failed attempts for a few days now and have hit some stumbling blocks. Preferably, I need to set up as a domain member as I wish to put an NTVFS module before the CIFS proxy to marshal file access as a proxy server (much like some of the vfs modules do at the endpoint).

I can successfully join the domain by running winbind, nmbd and smbd and also get a basic share served to me :)

If I start samba in ntvfs mode instead of smbd with the following lines in the smb.conf, I can’t list the shares any more and get blocked access. I get the following line below in the logs:

[global]
 …
# these lines are toggled for samba with ntvfs or smb mode

server services = +smb -s3fs +winbind
dcerpc endpoint servers = +winreg +srvsvc


GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'





I’m not sure if this is the cause, this is before I get to the cifs share implementation!! Could someone shed some light please?? 

Also, can the cifs module work in standalone mode as well as domain member?

Is there any way to make the cifs handler output SMB2 instead of SMB1 based on connection?


Many thanks

ChrisM





Setup is Samba 4.3.4 from source on CentOS Linux release 7.2.1511 with a Win2008r2 domain controller and Win7 client. I started again and followed the steps in the wiki: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member (which works up until ntvfs)

I have also tried to follow: https://lists.samba.org/archive/samba/2014-October/185659.html (ntvfs handler = cifs, CIFS-Proxy) and https://lists.samba.org/archive/samba/2012-August/168723.html (CIFS proxy with samba4)


Full smb.conf below:

[global]
	netbios name = test3
	security = ADS
	workgroup = SMBDOMAIN
	realm = SMBDOMAIN.NET
	
	log file = /usr/local/samba/%m.log
	log level = 6
	
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	winbind refresh tickets = yes
	
	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users  = yes
	winbind enum groups = yes
	
	# idmap config used for your domain.
	# Choose one of the following backends fitting to your
	# requirements and add the corresponding configuration. 
	#  - idmap config ad
	#  - idmap config rid
	#  - idmap config autorid
	idmap config *:backend = tdb
	idmap config *:range = 70001-80000
	idmap config SMBDOMAIN:backend = ads
	idmap config SMBDOMAIN:range = 2500-40000

	idmap_ldb:use rfc2307 = yes

	# these lines are toggled for samba with ntvfs or smb mode
	# server services = +smb -s3fs +winbind
	# dcerpc endpoint servers = +winreg +srvsvc

[basic]
	path = /usr/share/somedir/
	writable = yes
	
[guest]
   comment = Anonymous Samba Share
   path = /usr/share/somedir/test/
   guest ok = yes
   read only = no
   writable = no

# not tried yet	
#[test]
#	ntvfs handler = cifs
#	cifs:server = windc.smbdomain.net
#	cifs:share = Share2


The fuller log:

smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 7587)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Requested protocol [6][SMB 2.002]
Requested protocol [7][SMB 2.???]
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Opened keytab MEMORY:yYLnr9a1Xkwvmtrd
Added key (kvno 0) to keytab (enctype 1)
Added key (kvno 0) to keytab (enctype 3)
Added key (kvno 0) to keytab (enctype 23)
Added key (kvno 0) to keytab (enctype 17)
Added key (kvno 0) to keytab (enctype 18)
Selected protocol [6][SMB 2.002]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'
Terminating connection - 'NT_STATUS_CONNECTION_RESET'
standard_terminate: reason[NT_STATUS_CONNECTION_RESET]
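
A small triage script for the log above, added here as an example and not part of the original post or of Samba: it extracts the negotiated dialect, the GENSEC steps logged before the failure, and the SID and LDAP control OID from the dsdb_search error. The function name `triage`, the rule list and the sample (a subset of the quoted log lines) are assumptions; 1.2.840.113556.1.4.529 is the OID Microsoft documents as LDAP_SERVER_EXTENDED_DN_OID.

```python
import re

# Constructed sample: a subset of the log lines quoted in the post above.
SAMPLE_LOG = """\
Requested protocol [5][NT LM 0.12]
Requested protocol [6][SMB 2.002]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Selected protocol [6][SMB 2.002]
GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'
"""

# Name of the LDAP control behind the OID in the log (Microsoft's constant name).
KNOWN_CONTROLS = {"1.2.840.113556.1.4.529": "LDAP_SERVER_EXTENDED_DN_OID"}

RULES = [  # (event name, pattern), tried in order for every line
    ("offered", re.compile(r"Requested protocol \[\d+\]\[(.+)\]$")),
    ("selected", re.compile(r"Selected protocol \[\d+\]\[(.+)\]$")),
    ("gensec", re.compile(r"Starting GENSEC (?:sub)?mechanism (\S+)$")),
    ("signed", re.compile(r"GSSAPI Connection will be cryptographically (signed)$")),
    ("search_failed", re.compile(r"(\S+:\d+): dsdb_search for <SID=(S-[\d-]+)> failed: "
                                 r"Unsupported critical extension ([\d.]+)$")),
    ("terminated", re.compile(r"Terminating connection(?: deferred)? - '(\w+)'$")),
]

def triage(log_text):
    """Summarise how far the connection got and what ended it (hypothetical helper)."""
    out = {"offered": [], "selected": None, "reached": [], "failure": None, "status": None}
    for line in log_text.splitlines():
        hit = next(((n, m.groups()) for n, rx in RULES if (m := rx.match(line.strip()))), None)
        if hit is None:
            continue  # line matches no rule
        name, groups = hit
        if name == "offered":
            out["offered"].append(groups[0])
        elif name == "selected":
            out["selected"] = groups[0]
        elif name == "terminated":
            out["status"] = out["status"] or groups[0]
        elif name == "search_failed" and out["failure"] is None:
            where, sid, oid = groups
            out["failure"] = {"where": where, "sid": sid, "rid": int(sid.rsplit("-", 1)[1]),
                              "oid": oid, "control": KNOWN_CONTROLS.get(oid, "unknown")}
        elif out["failure"] is None:  # milestones logged before the first failure
            out["reached"].append(groups[0])
    return out
```

On the sample, `reached` lists the GENSEC and signing steps that were logged before the group lookup for RID 1105 failed.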








