[Samba] ntvfs handler = cifs, CIFS-Proxy

Meike Stone meike.stone at googlemail.com
Tue Oct 7 03:25:07 MDT 2014


Hello,

thanks all for helping!

I got the CIFS proxy running and I had to learn a lot of new things. My last
knowledge of Samba was all about 3.x, not 4.x, so I was a little confused
at first, sorry Rowland!
But back to the proxy.

Network layout:
---------------
[Client01]----[smbproxy01]--┬--[filer01.mydom01.net]
                            └--[dc01.mydom01.net]

(if not displayed correctly: [dc01.mydom01.net] is connected to the
same LAN as [filer01.mydom01.net])

Setup system:
--------------
* installed samba4 from sernet
* /etc/nsswitch.conf => added winbind in section passwd and group
* DNS
* ntp
* configured Kerberos client (/etc/krb5.conf) to work with dc01.mydom.net


my smb.conf on smbprox01.mydom.net:
==========================================================
[global]
    workgroup = MYDOM
    realm = MYDOM.NET
    netbios name = SMBPROX01
    server role = member server
    security = ads

    bind interfaces only = yes
    interfaces = lo eth1

    server services = +smb -s3fs +winbind
    dcerpc endpoint servers = +winreg +srvsvc

    encrypt passwords = yes
    password server = dc01.mydom.net
    allow trusted domains = no
    kerberos method = system keytab


    load printers = no
    printcap name = /dev/null
    disable spoolss = yes

    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config MYDOM:backend = ads
    idmap config MYDOM:range = 2500-40000


    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind separator = +


[test]
        ntvfs handler = cifs
        cifs:server = filer01.mydom.net
        cifs:share = projects$
==========================================================


Setup:
--------
/etc/default/sernet-samba => SAMBA_START_MODE="ad"
kinit domadmin
samba-tool domain provision --server-role=member --domain=mydom.net --realm=MYDOM.NET
samba-tool domain join mydom.net MEMBER --kerberos=yes --use-ntvfs
samba -i -M single -d3

Problem here:
  STATUS=daemon 'samba' finished starting up and ready to serve connections
  samba_terminate: Failed to startup smb server task
  task_server_terminate: [Cannot start Winbind (domain member): Failed to find record for MYDOM.NET in /var/lib/samba/private/secrets.ldb: No such object: (null): Have you joined the MYDOM.NET domain?]

checking secrets.ldb:
==========================================================
smbprox01:/etc/samba # ldbsearch -H /var/lib/samba/private/secrets.ldb
# record 1
dn: CN=LSA Secrets
cn: LSA Secrets
objectClass: top
objectClass: container
objectGUID: a0ca8cf6-c72b-45d0-ace4-f9f07af1f461
whenCreated: 20141006185638.0Z
whenChanged: 20141006185638.0Z
uSNCreated: 5
uSNChanged: 5
name: LSA Secrets
distinguishedName: CN=LSA Secrets

# record 2
dn: CN=Primary Domains
cn: Primary Domains
objectClass: top
objectClass: container
objectGUID: 0d75dd3b-0d0e-410f-bd28-d08ed58da1fc
whenCreated: 20141006185638.0Z
whenChanged: 20141006185638.0Z
uSNCreated: 6
uSNChanged: 6
name: Primary Domains
distinguishedName: CN=Primary Domains

# record 3
dn: flatname=MYDOM,cn=Primary Domains
msDS-KeyVersionNumber: 3
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-2106688235-2558952384-3954008982
privateKeytab: secrets.keytab
realm: mydom.net
saltPrincipal: host/smbprox01.mydom.net at MYDOM.NET
samAccountName: SMBPROX01$
secret: ....
secureChannelType: 2
servicePrincipalName: HOST/smbprox01
objectGUID: 0036303c-e714-44e8-880b-1ad6dbae0d5c
whenCreated: 20141006185655.0Z
whenChanged: 20141006185655.0Z
uSNCreated: 7
uSNChanged: 7
name: MYDOM
flatname: MYDOM
distinguishedName: flatname=MYDOM,cn=Primary Domains
==========================================================


Record for MYDOM.NET is missing! For testing reasons, I added one
(copied and modified MYDOM) via

ldbadd -H /var/lib/samba/private/secrets.ldb secrets.ldif

with:
==========================================================
dn: flatname=MYDOM.NET,cn=Primary Domains
msDS-KeyVersionNumber: 3
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-2106688235-2558952384-3954008982
privateKeytab: secrets.keytab
realm: mydom.net
saltPrincipal: host/smbprox01.mydom.net at MYDOM.NET
samAccountName: SMBPROX01$
secret: ....
secureChannelType: 2
servicePrincipalName: HOST/smbprox01
whenCreated: 20141006170153.0Z
whenChanged: 20141006170153.0Z
uSNCreated: 7
uSNChanged: 7
name: MYDOM.NET
flatname: MYDOM.NET
distinguishedName: flatname=MYDOM.NET,cn=Primary Domains
==========================================================

!!! After this, samba4 was working as a CIFS proxy!!!
samba -i -M single -d3
check:
wbinfo -u
wbinfo -g
getent passwd
getent group

But unfortunately, the Windows client is not a member of any domain, and
has to speak NTLMSSP.
So the CIFS proxy is working, but not for me ...

==========================================================
Got NTLMSSP neg_flags=0xa2088207
Got user=[] domain=[] workstation=[Client01] len1=1 len2=0
auth_check_password_send: Checking password for unmapped user []\[]@[Client01]
auth_check_password_send: mapped user is: [MYDOM]\[]@[Client01]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xa2088205
using SPNEGO
Selected protocol [5][NT LM 0.12]
Got NTLMSSP neg_flags=0xa2088207
Got user=[user1] domain=[mydom] workstation=[Client01] len1=24 len2=24
auth_check_password_send: Checking password for unmapped user [mydom]\[user1]@[Client01]
auth_check_password_send: mapped user is: [MYDOM]\[user1]@[Client01]
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0xa2088205
CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
Terminating connection deferred - 'NT_STATUS_END_OF_FILE'
Terminating connection - 'NT_STATUS_END_OF_FILE'
single_terminate: reason[NT_STATUS_END_OF_FILE]
ipv4:192.233.1.10:1625 closed connection to service test
==========================================================


Thanks for helping @all


Meike
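A small script to reproduce the secrets.ldb check from the post programmatically. This is an added example, not code from the post or from Samba: it parses an ldbsearch dump (a constructed sample mirroring the records shown, with the secret and GUIDs left out) and reports whether a primaryDomain record matches a given name by flatname or by realm, which is the distinction the "Failed to find record for MYDOM.NET" error turns on.

```python
"""Inspect a secrets.ldb LDIF dump for primaryDomain records.

Added example, not part of the mailing-list post or of Samba itself.
"""
from typing import Dict, List

# Constructed sample modelled on the ldbsearch output in the post;
# objectGUID/objectSid/secret values are omitted or placeholders.
SAMPLE_LDIF = """\
# record 1
dn: CN=Primary Domains
cn: Primary Domains
objectClass: top
objectClass: container

# record 2
dn: flatname=MYDOM,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
realm: mydom.net
samAccountName: SMBPROX01$
secret: PLACEHOLDER
flatname: MYDOM
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split an ldbsearch dump into records; every attribute is multi-valued.
    Base64 ('::') values are kept verbatim, not decoded."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("#"):          # '# record N' separator comments
            continue
        if not line.strip():              # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def find_domain(records: List[Dict[str, List[str]]], name: str) -> Dict[str, str]:
    """Return the primaryDomain record matching `name` by flatname or realm
    (case-insensitive), tagged with how it matched; {} if none matches."""
    want = name.lower()
    for r in records:
        if "primaryDomain" not in r.get("objectClass", []):
            continue
        flat, realm = r.get("flatname", [""])[0], r.get("realm", [""])[0]
        if want == flat.lower():
            return {"flatname": flat, "realm": realm, "matched_by": "flatname"}
        if want == realm.lower():
            return {"flatname": flat, "realm": realm, "matched_by": "realm"}
    return {}
```

Run it against a real dump with `parse_ldif(open("dump.ldif").read())` after `ldbsearch -H /var/lib/samba/private/secrets.ldb > dump.ldif`; a result with `matched_by == "realm"` but no flatname hit shows the situation from the post.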

