SMB proxy server using ntvfs cifs
chris at cmiller.co.uk
Wed Jan 27 22:16:44 UTC 2016
I now have the server configured as an AD DC (with another Windows AD server that was set up first and handles DNS and Kerberos). I followed: https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory
This is working to serve local files and shares but it doesn’t serve the vfs_cifs remote content as yet (I’ve tried several different configs for the sys parameters). There are no obvious errors in the logs (at least to me, conf below). The NTVFS binding lines do show up and so do the debug lines from the code in the vfs_cifs.c module itself within the connect function.
Could someone let me know/point me in the right direction - does the vfs_cifs module work with incoming SMB2 traffic or only SMB1 incoming traffic? Also on the outgoing side (it doesn’t fully connect for me yet), but in Wireshark, I only see SMB1 traffic as output.
Do both the input and output to and from this module have to be in SMB1 or is it possible to mix and match with SMB2 in some way?
Config for reference, note that there are no changes with +smb - s3fs from the samba-tool output apart from logging and shares. The samba process is also run. This machine does show up as a domain controller on the Windows AD DC and Windows user accounts act as you would expect looking at the local shares.
# Global parameters
workgroup = SMBDOMAIN
realm = smbdomain.net
netbios name = SAMBADC
interfaces = lo enp0s8
bind interfaces only = Yes
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
log file = /usr/local/samba/samba.log
log level = 5
path = /usr/local/samba/var/locks/sysvol/smbdomain.net/scripts
read only = No
path = /usr/local/samba/var/locks/sysvol
read only = No
path = /usr/share/someshare/test
read only = No
ntvfs handler = cifs
cifs:server = 192.168.0.22
cifs:domain = SMBDOMAIN.NET
cifs:user = testuser
cifs:password = terstpass
cifs:share = Share2
path = /usr/share/someshare/noop
writable = yes
On 27/01/2016, 16:06, "samba-technical on behalf of Rowland Penny" <samba-technical-bounces at lists.samba.org on behalf of repenny241155 at gmail.com> wrote:
>On 27/01/16 15:11, Chris Miller wrote:
>> Thanks Rowland,
>> Sorry, the smbd, nmbd etc starts were just to demonstrate that the server worked in the non ntvfs mode and served content. After that step, and changing the smb.conf to include the 'server services = +smb - s3fs' lines, it is run with 'samba' or 'samba -i' only.
>To run the 'samba' daemon, you need to provision as an AD DC, as far as
>I am aware, you shouldn't create your own smb.conf to use with the
>> Would you mind clarifying the following please:
>> Is it not possible to act as a cifs proxy (using source4/ntvfs/cifs/vfs_cifs.c) as a domain member?
>I do not think so, vfs_cifs.c is part of ntvfs and you cannot run ntvfs
>on a domain member
>> If not, is it possible in another configuration (AD DC or standalone etc) to use vfs_cifs?
>It looks like you would have to provision Samba as an AD DC using the
>ntvfs backend and as I said, the ntvfs backend is depreciated.
>> Can you only access vfs_cifs without +smb -s3fs and ‘samba’
>I think you meant, run 'samba' with '+smb -s3fs', if so then yes, I
>think this is the only way to use vfs_cifs
>> The functionality in the ntvfs module cifs to proxy is the main driver and I don’t think it’s currently possible elsewhere...
>> Many Thanks
>It was written as part of 'ntvfs' and this hasn't received any updates
>for quite some time and to be honest, I wouldn't use any of its code.