SMB proxy server using ntvfs cifs
Chris Miller
chris at cmiller.co.uk
Wed Jan 27 13:10:12 UTC 2016
Hi,
I am trying to get an ntvfs with cifs proxy server running with several failed attempts for a few days now and have hit some stumbling blocks. Preferably, I need to set up as a domain member as I wish to put an NTVFS module before the CIFS proxy to marshal file access as a proxy server (much like some of the vfs modules do at the endpoint).
I can successfully join the domain by running winbind, nmbd and smbd and also get a basic share served to me :)
If I start samba in ntvfs mode instead of smbd with the following lines in the smb.conf, I can’t list the shares any more and get blocked access. I get the following line below in the logs:
[global]
…
# these lines are toggled for samba with ntvfs or smb mode
server services = +smb -s3fs +winbind
dcerpc endpoint servers = +winreg +srvsvc
GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'
I’m not sure if this is the cause; this is before I get to the cifs share implementation!! Could someone shed some light please??
Also, can the cifs module work in standalone mode as well as domain member?
Is there any way to make the cifs handler output SMB2 instead of SMB1 based on connection?
Many thanks
ChrisM
Setup is Samba 4.3.4 from source on CentOS Linux release 7.2.1511 with a Win2008r2 domain controller and Win7 client. I started again and followed the steps in the wiki: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member (which works up until ntvfs)
I have also tried to follow: https://lists.samba.org/archive/samba/2014-October/185659.html (ntvfs handler = cifs, CIFS-Proxy) and https://lists.samba.org/archive/samba/2012-August/168723.html (CIFS proxy with samba4)
Full smb.conf below:
[global]
netbios name = test3
security = ADS
workgroup = SMBDOMAIN
realm = SMBDOMAIN.NET
log file = /usr/local/samba/%m.log
log level = 6
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# idmap config used for your domain.
# Choose one of the following backends fitting to your
# requirements and add the corresponding configuration.
# - idmap config ad
# - idmap config rid
# - idmap config autorid
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SMBDOMAIN:backend = ads
idmap config SMBDOMAIN:range = 2500-40000
idmap_ldb:use rfc2307 = yes
# these lines are toggled for samba with ntvfs or smb mode
# server services = +smb -s3fs +winbind
# dcerpc endpoint servers = +winreg +srvsvc
[basic]
path = /usr/share/somedir/
writable = yes
[guest]
comment = Anonymous Samba Share
path = /usr/share/somedir/test/
guest ok = yes
read only = no
writable = no
# not tried yet
#[test]
# ntvfs handler = cifs
# cifs:server = windc.smbdomain.net
# cifs:share = Share2
The fuller log:
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 7587)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][LANMAN1.0]
Requested protocol [2][Windows for Workgroups 3.1a]
Requested protocol [3][LM1.2X002]
Requested protocol [4][LANMAN2.1]
Requested protocol [5][NT LM 0.12]
Requested protocol [6][SMB 2.002]
Requested protocol [7][SMB 2.???]
ldb_wrap open of secrets.ldb
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Opened keytab MEMORY:yYLnr9a1Xkwvmtrd
Added key (kvno 0) to keytab (enctype 1)
Added key (kvno 0) to keytab (enctype 3)
Added key (kvno 0) to keytab (enctype 23)
Added key (kvno 0) to keytab (enctype 17)
Added key (kvno 0) to keytab (enctype 18)
Selected protocol [6][SMB 2.002]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'
Terminating connection - 'NT_STATUS_CONNECTION_RESET'
standard_terminate: reason[NT_STATUS_CONNECTION_RESET]
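An added example, not part of the original post and not Samba code: a small Python triage of the log lines above that pulls out the offered and selected dialects, the signing state, and the directory search that failed before the connection was reset. The OID name comes from Microsoft's MS-ADTS, where 1.2.840.113556.1.4.529 is LDAP_SERVER_EXTENDED_DN_OID; the function name `triage` and the report field names are assumptions of this example.

```python
import re

# Lines copied from the log in the post above (abridged, not constructed).
SAMPLE_LOG = """\
Requested protocol [5][NT LM 0.12]
Requested protocol [6][SMB 2.002]
Requested protocol [7][SMB 2.???]
Selected protocol [6][SMB 2.002]
GSSAPI Connection will be cryptographically signed
../source4/dsdb/common/util_groups.c:162: dsdb_search for <SID=S-1-5-21-328311718-2679075906-1920496216-1105> failed: Unsupported critical extension 1.2.840.113556.1.4.529
Terminating connection deferred - 'NT_STATUS_CONNECTION_RESET'
"""

# Control OID name as published in MS-ADTS; extend the table as needed.
KNOWN_CONTROLS = {"1.2.840.113556.1.4.529": "LDAP_SERVER_EXTENDED_DN_OID"}
PATTERNS = {
    "offered": re.compile(r"^Requested protocol \[\d+\]\[(.+)\]$"),
    "selected": re.compile(r"^Selected protocol \[\d+\]\[(.+)\]$"),
    "search": re.compile(r"^(\S+:\d+): dsdb_search for <(.+?)> failed: "
                         r"Unsupported critical extension ([\d.]+)$"),
    "status": re.compile(r"^Terminating connection(?: deferred)? - '(NT_STATUS_\w+)'$"),
}

def triage(log_text):
    """Summarise one connection; before_reset marks failures logged ahead of the reset."""
    report = {"offered": [], "selected": None, "signed": False, "failures": [], "status": None}
    for raw in log_text.splitlines():
        line = raw.strip()
        report["signed"] |= "cryptographically signed" in line
        for key, rx in PATTERNS.items():
            m = rx.match(line)
            if m is None:
                continue
            if key == "offered":
                report["offered"].append(m.group(1))
            elif key == "search":
                where, target, oid = m.groups()
                report["failures"].append({
                    "source": where, "target": target, "oid": oid,
                    "control": KNOWN_CONTROLS.get(oid, "unknown control"),
                    "before_reset": report["status"] is None,
                })
            else:
                report[key] = m.group(1)
            break
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```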