SMB proxy server using ntvfs cifs

Chris Miller chris at cmiller.co.uk
Wed Jan 27 22:16:44 UTC 2016


Hi,

I now have the server configured as an AD DC (with another Windows AD server that was set up first and handles DNS and Kerberos). I followed: https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory

This is working to serve local files and shares but it doesn’t serve the vfs_cifs remote content as yet (I’ve tried several different configs for the sys parameters). There are no obvious errors in the logs (at least to me, conf below). The NTVFS binding lines do show up and so do the debug lines from the code in the vfs_cifs.c module itself within the connect function.


Could someone let me know/point me in the right direction: does the vfs_cifs module work with incoming SMB2 traffic or only SMB1 incoming traffic? Also, on the outgoing side (it doesn’t fully connect for me yet), in Wireshark I only see SMB1 traffic as output.

Do both the input and output to and from this module have to be in SMB1 or is it possible to mix and match with SMB2 in some way?

Many Thanks



Config for reference; note that there are no changes with +smb -s3fs from the samba-tool output apart from logging and shares. The samba process is also run. This machine does show up as a domain controller on the Windows AD DC, and Windows user accounts act as you would expect looking at the local shares.

# Global parameters
[global]
	workgroup = SMBDOMAIN
	realm = smbdomain.net
	netbios name = SAMBADC
	interfaces = lo enp0s8
	bind interfaces only = Yes
	server role = active directory domain controller
	server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
	dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
	log file = /usr/local/samba/samba.log
	log level = 5
	
[netlogon]
	path = /usr/local/samba/var/locks/sysvol/smbdomain.net/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[basic]
	path = /usr/share/someshare/test	
	read only = No

[test03]
	ntvfs handler = cifs
	cifs:server = 192.168.0.22
	cifs:domain = SMBDOMAIN.NET
	cifs:user = testuser
	cifs:password = terstpass
	cifs:share = Share2		
	path = /usr/share/someshare/noop
	writable = yes





On 27/01/2016, 16:06, "samba-technical on behalf of Rowland Penny" <samba-technical-bounces at lists.samba.org on behalf of repenny241155 at gmail.com> wrote:

>On 27/01/16 15:11, Chris Miller wrote:
>> Thanks Rowland,
>>
>> Sorry, the smbd, nmbd etc. starts were just to demonstrate that the server worked in the non-ntvfs mode and served content. After that step, and changing the smb.conf to include the 'server services = +smb -s3fs' lines, it is run with 'samba' or 'samba -i' only.
>
>To run the 'samba' daemon, you need to provision as an AD DC. As far as 
>I am aware, you shouldn't create your own smb.conf to use with the 
>'samba' daemon.
>
>
>>
>> Would you mind clarifying the following please:
>>
>> Is it not possible to act as a cifs proxy (using source4/ntvfs/cifs/vfs_cifs.c) as a domain member?
>
>I do not think so, vfs_cifs.c is part of ntvfs and you cannot run ntvfs 
>on a domain member
>
>>
>> If not, is it possible in another configuration (AD DC or standalone etc.) to use vfs_cifs?
>
>It looks like you would have to provision Samba as an AD DC using the 
>ntvfs backend and, as I said, the ntvfs backend is deprecated.
>
>>
>> Can you only access vfs_cifs without +smb -s3fs and 'samba'?
>
>I think you meant, run 'samba' with '+smb -s3fs'; if so, then yes, I 
>think this is the only way to use vfs_cifs.
>
>>
>> The functionality in the ntvfs module cifs to proxy is the main driver and I don’t think it's currently possible elsewhere...
>>
>> Many Thanks
>>
>>
>>
>
>It was written as part of 'ntvfs' and this hasn't received any updates 
>for quite some time and to be honest, I wouldn't use any of its code.
>
>Rowland
>
>
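
A check an administrator could run over a configuration like the one posted above, added here as an example and not part of the original thread or of Samba: it lists shares that use `ntvfs handler = cifs`, confirms the ntvfs `smb` service is enabled in `server services`, and flags a `cifs:password` kept in cleartext. The sample configuration, its address and credentials are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit smb.conf text for ntvfs cifs proxy shares.
# SAMPLE_CONF is constructed for this example; all values are placeholders.
SAMPLE_CONF = """\
[global]
    server services = rpc, nbt, ldap, kdc, smb
[basic]
    path = /srv/basic
[proxy1]
    ntvfs handler = cifs
    cifs:server = 192.0.2.10
    cifs:user = EXAMPLEUSER
    cifs:password = EXAMPLE-PLACEHOLDER
    cifs:share = Share2
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; split on the first '=' only so
    parametric keys such as 'cifs:server' stay intact."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_cifs_proxy(text):
    """List (share, issue) findings for shares using 'ntvfs handler = cifs'."""
    conf = parse_smb_conf(text)
    services = [s.lstrip("+") for s in conf.get("global", {})
                .get("server services", "").replace(",", " ").split()]
    findings = []
    for name, params in conf.items():
        if params.get("ntvfs handler", "").lower() != "cifs":
            continue
        if "smb" not in services:  # handler is only used by the ntvfs file server
            findings.append((name, "ntvfs 'smb' service not in 'server services'"))
        if "cifs:password" in params:
            findings.append((name, "backend password stored in cleartext"))
    return findings

if __name__ == "__main__":
    for share, issue in audit_cifs_proxy(SAMPLE_CONF):
        print(f"[{share}] {issue}")
```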




More information about the samba-technical mailing list