[Samba] ntvfs handler = cifs, CIFS-Proxy

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 7 03:40:13 MDT 2014


On 07/10/14 10:25, Meike Stone wrote:
> Hello,
>
> thanks all for helping!
>
> I got the CIFS-Proxy running and I had to learn a lot of new things. My last
> knowledge of Samba was all about 3.x, not 4.x,
> so I was a little confused at first, sorry Rowland!
> But back to the Proxy.
>
> Network layout:
> ---------------
> [Client01]----[smbproxy01]--┬--[filer01.mydom01.net]
>                              └--[dc01.mydom01.net]
>
> (if not displayed correctly, [dc01.mydom01.net] is connected in the
> same LAN as [filer01.mydom01.net])
>
> Setup system:
> --------------
> * installed samba4 from sernet
> * /etc/nsswitch.conf => added winbind in section passwd and group
> * DNS
> * ntp
> * configured Kerberos client (/etc/krb5.conf) to work with dc01.mydom.net
>
>
> my smb.conf on smbprox01.mydom.net:
> ==========================================================
> [global]
>      workgroup = MYDOM
>      realm = MYDOM.NET
>      netbios name = SMBPROX01
>      server role = member server
>      security = ads
>
>      bind interfaces only = yes
>      interfaces = lo eth1
>
>      server services = +smb -s3fs +winbind
>      dcerpc endpoint servers = +winreg +srvsvc
>
>      encrypt passwords = yes
>      password server = dc01.mydom.net
>      allow trusted domains = no
>      kerberos method = system keytab
>
>
>      load printers = no
>      printcap name = /dev/null
>      disable spoolss = yes
>
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>      idmap config MYDOM:backend = ads
>      idmap config MYDOM:range = 2500-40000
>
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
>      winbind refresh tickets = Yes
>      winbind separator = +
>
>
> [test]
>          ntvfs handler = cifs
>          cifs:server = filer01.mydom.net
>          cifs:share = projects$
> ==========================================================
>
>
> Setup:
> --------
> /etc/default/sernet-samba => SAMBA_START_MODE="ad"
> kinit domadmin
> samba-tool domain provision --server-role=member --domain=mydom.net
> --realm=MYDOM.NET
> samba-tool domain join mydom.net MEMBER --kerberos=yes --use-ntvfs
> samba -i -M single -d3
>
> Problem here:
>    STATUS=daemon 'samba' finished starting up and ready to serve connections
>    samba_terminate: Failed to startup smb server task
>    task_server_terminate: [Cannot start Winbind (domain member): Failed
> to find record for MYDOM.NET in /var/lib/samba/private/secrets.ldb: No
> such object: (null): Have you joined the MYDOM.NET domain?]
>
> checking secrets.ldb:
> ==========================================================
> smbprox01:/etc/samba # ldbsearch -H /var/lib/samba/private/secrets.ldb
> # record 1
> dn: CN=LSA Secrets
> cn: LSA Secrets
> objectClass: top
> objectClass: container
> objectGUID: a0ca8cf6-c72b-45d0-ace4-f9f07af1f461
> whenCreated: 20141006185638.0Z
> whenChanged: 20141006185638.0Z
> uSNCreated: 5
> uSNChanged: 5
> name: LSA Secrets
> distinguishedName: CN=LSA Secrets
>
> # record 2
> dn: CN=Primary Domains
> cn: Primary Domains
> objectClass: top
> objectClass: container
> objectGUID: 0d75dd3b-0d0e-410f-bd28-d08ed58da1fc
> whenCreated: 20141006185638.0Z
> whenChanged: 20141006185638.0Z
> uSNCreated: 6
> uSNChanged: 6
> name: Primary Domains
> distinguishedName: CN=Primary Domains
>
> # record 3
> dn: flatname=MYDOM,cn=Primary Domains
> msDS-KeyVersionNumber: 3
> objectClass: top
> objectClass: primaryDomain
> objectClass: kerberosSecret
> objectSid: S-1-5-21-2106688235-2558952384-3954008982
> privateKeytab: secrets.keytab
> realm: mydom.net
> saltPrincipal: host/smbprox01.mydom.net@MYDOM.NET
> samAccountName: SMBPROX01$
> secret: ....
> secureChannelType: 2
> servicePrincipalName: HOST/smbprox01
> objectGUID: 0036303c-e714-44e8-880b-1ad6dbae0d5c
> whenCreated: 20141006185655.0Z
> whenChanged: 20141006185655.0Z
> uSNCreated: 7
> uSNChanged: 7
> name: MYDOM
> flatname: MYDOM
> distinguishedName: flatname=MYDOM,cn=Primary Domains
> ==========================================================
>
>
> Record for MYDOM.NET is missing! For testing reason, I added one
> (copied and modified MYDOM) via
>
> ldbadd -H /var/lib/samba/private/secrets.ldb secrets.ldif
>
> with:
> ==========================================================
> dn: flatname=MYDOM.NET,cn=Primary Domains
> msDS-KeyVersionNumber: 3
> objectClass: top
> objectClass: primaryDomain
> objectClass: kerberosSecret
> objectSid: S-1-5-21-2106688235-2558952384-3954008982
> privateKeytab: secrets.keytab
> realm: mydom.net
> saltPrincipal: host/smbprox01.mydom.net@MYDOM.NET
> samAccountName: SMBPROX01$
> secret: ....
> secureChannelType: 2
> servicePrincipalName: HOST/smbprox01
> whenCreated: 20141006170153.0Z
> whenChanged: 20141006170153.0Z
> uSNCreated: 7
> uSNChanged: 7
> name: MYDOM.NET
> flatname: MYDOM.NET
> distinguishedName: flatname=MYDOM.NET,cn=Primary Domains
> ==========================================================
>
> !!! After This, samba4 was working as CIFS-proxy!!!
> samba -i -M single -d3
> check:
> wbinfo -u
> wbinfo -g
> getent passwd
> getent group
>
> But unfortunately, the Windows client is not a member of any domain, and
> has to speak NTLMSSP.
> So the CIFS-Proxy is working, but not for me ...
>
> ==========================================================
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[] domain=[] workstation=[Client01] len1=1 len2=0
> auth_check_password_send: Checking password for unmapped user []\[]@[Client01]
> auth_check_password_send: mapped user is: [MYDOM]\[]@[Client01]
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xa2088205
> using SPNEGO
> Selected protocol [5][NT LM 0.12]
> Got NTLMSSP neg_flags=0xa2088207
> Got user=[user1] domain=[mydom] workstation=[Client01] len1=24 len2=24
> auth_check_password_send: Checking password for unmapped user
> [mydom]\[user1]@[Client01]
> auth_check_password_send: mapped user is: [MYDOM]\[user1]@[Client01]
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0xa2088205
> CIFS backend: NO delegated credentials found: You must supply server,
> user and password or the client must supply delegated credentials
> Terminating connection deferred - 'NT_STATUS_END_OF_FILE'
> Terminating connection - 'NT_STATUS_END_OF_FILE'
> single_terminate: reason[NT_STATUS_END_OF_FILE]
> ipv4:192.233.1.10:1625 closed connection to service test
> ==========================================================
>
>
> Thanks for helping @all
>
>
> Meike
Hi, thanks for reporting back. As I said, this is the first time I have
heard of provisioning a domain and then joining it to the same domain.
I wonder if this would work for getting a proper 'member server'
working, I feel a test coming on ;-)

Rowland
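A small checker for the secrets.ldb symptom Meike describes, written as an added example (it is not code from the thread or from the Samba project). It assumes the ldbsearch dump has been saved as text and that the names winbind looks up are the workgroup and the upper-cased realm, which is what the "Failed to find record for MYDOM.NET" error suggests; the sample LDIF is constructed to mirror the posted output.

```python
"""Report which primary-domain records a Samba member server's
secrets.ldb is missing.  Added example, not Samba code."""

# Constructed sample of `ldbsearch -H /var/lib/samba/private/secrets.ldb`
# output, trimmed to the attributes the check uses (values are made up).
SAMPLE_LDIF = """\
# record 1
dn: CN=Primary Domains
cn: Primary Domains
objectClass: top
objectClass: container

# record 2
dn: flatname=MYDOM,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
realm: mydom.net
samAccountName: SMBPROX01$
secret: ....
flatname: MYDOM
"""

def parse_ldif(text):
    """Split an LDIF dump into one {attr: [values]} dict per record.
    '#' comment lines are skipped; blank lines separate records; a
    '::' (base64) value is kept verbatim after stripping the marker."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    if current:
        records.append(current)
    return records

def primary_domain_names(records):
    """flatname values of every record carrying objectClass primaryDomain."""
    return {r["flatname"][0] for r in records
            if "primaryDomain" in r.get("objectClass", []) and "flatname" in r}

def missing_lookups(records, workgroup, realm):
    """Names winbind would fail to find: the short workgroup name and the
    upper-cased realm (assumption drawn from the posted error message)."""
    present = primary_domain_names(records)
    return [name for name in (workgroup, realm.upper()) if name not in present]
```

Run against the real dump, an empty list means both lookups resolve; the thread's failing state reports ['MYDOM.NET'].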

