[Samba] ntvfs handler = cifs, CIFS-Proxy

Rowland Penny rowlandpenny at googlemail.com
Tue Oct 7 08:01:57 MDT 2014


On 07/10/14 10:40, Rowland Penny wrote:
> On 07/10/14 10:25, Meike Stone wrote:
>> Hello,
>>
>> thanks all for helping!
>>
>> I got the cifs-Proxy running and I had to learn a lot of new things. My last
>> knowledge of samba was all about 3.x, not 4.x.
>> So I was a little confused at first, sorry Rowland!
>> But back to the Proxy.
>>
>> Network layout:
>> ---------------
>> [Client01]----[smbproxy01]--┬--[filer01.mydom01.net]
>>                              └--[dc01.mydom01.net]
>>
>> (if not displayed correctly, [dc01.mydom01.net] is connected in the
>> same LAN as [filer01.mydom01.net]
>>
>> Setup system:
>> --------------
>> * installed samba4 from sernet
>> * /etc/nsswitch.conf => added winbind in section passwd and group
>> * DNS
>> * ntp
>> * configured Kerberos client (/etc/krb5.conf) to work with
>> dc01.mydom.net
>>
>>
>> my smb.conf on smbprox01.mydom.net:
>> ==========================================================
>> [global]
>>      workgroup = MYDOM
>>      realm = MYDOM.NET
>>      netbios name = SMBPROX01
>>      server role = member server
>>      security = ads
>>
>>      bind interfaces only = yes
>>      interfaces = lo eth1
>>
>>      server services = +smb -s3fs +winbind
>>      dcerpc endpoint servers = +winreg +srvsvc
>>
>>      encrypt passwords = yes
>>      password server = dc01.mydom.net
>>      allow trusted domains = no
>>      kerberos method = system keytab
>>
>>
>>      load printers = no
>>      printcap name = /dev/null
>>      disable spoolss = yes
>>
>>      idmap config *:backend = tdb
>>      idmap config *:range = 70001-80000
>>      idmap config MYDOM:backend = ads
>>      idmap config MYDOM:range = 2500-40000
>>
>>
>>      winbind trusted domains only = no
>>      winbind use default domain = yes
>>      winbind enum users  = yes
>>      winbind enum groups = yes
>>      winbind refresh tickets = Yes
>>      winbind separator = +
>>
>>
>> [test]
>>          ntvfs handler = cifs
>>          cifs:server = filer01.mydom.net
>>          cifs:share = projects$
>> ==========================================================
>>
>>
>> Setup:
>> --------
>> /etc/default/sernet-samba => SAMBA_START_MODE="ad"
>> kinit domadmin
>> samba-tool domain provision --server-role=member --domain=mydom.net
>> --realm=MYDOM.NET
>> samba-tool domain join mydom.net MEMBER --kerberos=yes --use-ntvfs
>> samba -i -M single -d3
>>
>> Problem here:
>>    STATUS=daemon 'samba' finished starting up and ready to serve
>> connectionssamba_terminate: Failed to startup smb server task
>>    task_server_terminate: [Cannot start Winbind (domain member): Failed
>> to find record for MYDOM.NET in /var/lib/samba/private/secrets.ldb: No
>> such object: (null): Have you joined the MYDOM.NET domain?]
>>
>> checking secrets.ldb:
>> ==========================================================
>> smbprox01:/etc/samba # ldbsearch -H /var/lib/samba/private/secrets.ldb
>> # record 1
>> dn: CN=LSA Secrets
>> cn: LSA Secrets
>> objectClass: top
>> objectClass: container
>> objectGUID: a0ca8cf6-c72b-45d0-ace4-f9f07af1f461
>> whenCreated: 20141006185638.0Z
>> whenChanged: 20141006185638.0Z
>> uSNCreated: 5
>> uSNChanged: 5
>> name: LSA Secrets
>> distinguishedName: CN=LSA Secrets
>>
>> # record 2
>> dn: CN=Primary Domains
>> cn: Primary Domains
>> objectClass: top
>> objectClass: container
>> objectGUID: 0d75dd3b-0d0e-410f-bd28-d08ed58da1fc
>> whenCreated: 20141006185638.0Z
>> whenChanged: 20141006185638.0Z
>> uSNCreated: 6
>> uSNChanged: 6
>> name: Primary Domains
>> distinguishedName: CN=Primary Domains
>>
>> # record 3
>> dn: flatname=MYDOM,cn=Primary Domains
>> msDS-KeyVersionNumber: 3
>> objectClass: top
>> objectClass: primaryDomain
>> objectClass: kerberosSecret
>> objectSid: S-1-5-21-2106688235-2558952384-3954008982
>> privateKeytab: secrets.keytab
>> realm: mydom.net
>> saltPrincipal: host/smbprox01.mydom.net at MYDOM.NET
>> samAccountName: SMBPROX01$
>> secret: ....
>> secureChannelType: 2
>> servicePrincipalName: HOST/smbprox01
>> objectGUID: 0036303c-e714-44e8-880b-1ad6dbae0d5c
>> whenCreated: 20141006185655.0Z
>> whenChanged: 20141006185655.0Z
>> uSNCreated: 7
>> uSNChanged: 7
>> name: MYDOM
>> flatname: MYDOM
>> distinguishedName: flatname=MYDOM,cn=Primary Domains
>> ==========================================================
>>
>>
>> Record for MYDOM.NET is missing! For testing reasons, I added one
>> (copied and modified MYDOM) via
>>
>> ldbadd -H /var/lib/samba/private/secrets.ldb secrets.ldif
>>
>> with:
>> ==========================================================
>> dn: flatname=MYDOM.NET,cn=Primary Domains
>> msDS-KeyVersionNumber: 3
>> objectClass: top
>> objectClass: primaryDomain
>> objectClass: kerberosSecret
>> objectSid: S-1-5-21-2106688235-2558952384-3954008982
>> privateKeytab: secrets.keytab
>> realm: mydom.net
>> saltPrincipal: host/smbprox01.mydom.net at MYDOM.NET
>> samAccountName: SMBPROX01$
>> secret: ....
>> secureChannelType: 2
>> servicePrincipalName: HOST/smbprox01
>> whenCreated: 20141006170153.0Z
>> whenChanged: 20141006170153.0Z
>> uSNCreated: 7
>> uSNChanged: 7
>> name: MYDOM.NET
>> flatname: MYDOM.NET
>> distinguishedName: flatname=MYDOM.NET,cn=Primary Domains
>> ==========================================================
>>
>> !!! After This, samba4 was working as CIFS-proxy!!!
>> samba -i -M single -d3
>> check:
>> wbinfo -u
>> wbinfo -g
>> getent passwd
>> getent group
>>
>> But unfortunately, the WINDOWS-Client is not a member of any domain, and
>> has to speak NTLMSSP.
>> So the CIFS-Proxy is working, but not for me ...
>>
>> ==========================================================
>> Got NTLMSSP neg_flags=0xa2088207
>> Got user=[] domain=[] workstation=[Client01] len1=1 len2=0
>> auth_check_password_send: Checking password for unmapped user 
>> []\[]@[Client01]
>> auth_check_password_send: mapped user is: [MYDOM]\[]@[Client01]
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xa2088205
>> using SPNEGO
>> Selected protocol [5][NT LM 0.12]
>> Got NTLMSSP neg_flags=0xa2088207
>> Got user=[user1] domain=[mydom] workstation=[Client01] len1=24 len2=24
>> auth_check_password_send: Checking password for unmapped user
>> [mydom]\[user1]@[Client01]
>> auth_check_password_send: mapped user is: [MYDOM]\[user1]@[Client01]
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0xa2088205
>> CIFS backend: NO delegated credentials found: You must supply server,
>> user and password or the client must supply delegated credentials
>> Terminating connection deferred - 'NT_STATUS_END_OF_FILE'
>> Terminating connection - 'NT_STATUS_END_OF_FILE'
>> single_terminate: reason[NT_STATUS_END_OF_FILE]
>> ipv4:192.233.1.10:1625 closed connection to service test
>> ==========================================================
>>
>>
>> Thanks for helping @all
>>
>>
>> Meike
> Hi, thanks for reporting back. As I said, this is the first time I
> have heard of provisioning a domain and then joining it to the same
> domain. I wonder if this would work for getting a proper 'member
> server' working, I feel a test coming on ;-)
>
> Rowland

OK, after following the idea of provisioning a member server and then 
joining it to the domain, I now seem to have a member server!!
Well I have what could be a member server, but having never seen a 
proper member server, I am not sure. What I do have is a sam.ldb that 
seems to have a lot of what is in the sam.ldb on a DC, but the rootdse 
is the hostname (in uppercase) of the machine the member server is 
running on.

The machine is running the samba, smbd & winbind daemons; I had to turn 
off the winbind built into the samba daemon to get rfc2307 to work.

Anybody got any ideas how to test if it works like a windows member 
server ????

Rowland
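As an added example (not code from this thread or from Samba), the script below automates the two checks Meike did by hand: it parses an ldbsearch dump of secrets.ldb and reports whether a primaryDomain record exists under each name winbind may ask for (the workgroup and the realm), and it scans samba debug-log lines to pair every "NO delegated credentials" error with the NTLMSSP user and workstation that triggered it. The parser, the function names and the sample data are assumptions, constructed from the records and log excerpt quoted above.

```python
"""Offline consistency checks for the two failure points discussed above.

Added example: this is not code from the thread or from Samba. It assumes
ldbsearch-style LDIF text and samba debug-log lines as input; the sample
data below is constructed from the records and log excerpt in the thread.
"""
import base64
import re

# Constructed from the secrets.ldb dump in the thread: only the 'MYDOM'
# primaryDomain record is present, exactly the state that broke winbind.
SAMPLE_LDIF = """\
# record 1
dn: CN=Primary Domains
cn: Primary Domains
objectClass: top
objectClass: container

# record 2
dn: flatname=MYDOM,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-2106688235-2558952384-3954008982
realm: mydom.net
saltPrincipal: host/smbprox01.mydom.net@MYDOM.NET
samAccountName: SMBPROX01$
secret: ....
flatname: MYDOM
"""

# Constructed from the NTLMSSP log excerpt in the thread.
SAMPLE_LOG = [
    "Got NTLMSSP neg_flags=0xa2088207",
    "Got user=[] domain=[] workstation=[Client01] len1=1 len2=0",
    "auth_check_password_send: mapped user is: [MYDOM]\\[]@[Client01]",
    "Got NTLMSSP neg_flags=0xa2088207",
    "Got user=[user1] domain=[mydom] workstation=[Client01] len1=24 len2=24",
    "auth_check_password_send: mapped user is: [MYDOM]\\[user1]@[Client01]",
    "CIFS backend: NO delegated credentials found: You must supply server,",
    "user and password or the client must supply delegated credentials",
    "Terminating connection - 'NT_STATUS_END_OF_FILE'",
]


def parse_ldif(text):
    """Parse ldbsearch/LDIF output into a list of {attr: [values]} dicts.

    Handles '#' comment lines, blank-line record separators, 'attr:: base64'
    values and continuation lines (a leading space joins the previous value).
    """
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                records.append(cur)
            cur, last = {}, None
            continue
        if line.startswith(" ") and last is not None:
            cur[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value)
        last = attr
    if cur:
        records.append(cur)
    return records


def primary_domains(records):
    """Return {flatname: realm} for every primaryDomain record."""
    out = {}
    for r in records:
        if "primaryDomain" in r.get("objectClass", []):
            out[r["flatname"][0]] = r.get("realm", [""])[0]
    return out


def check_secrets(ldif_text, workgroup, realm):
    """Report which of the names winbind may look up exist in secrets.ldb.

    In the thread the join wrote a record named after the workgroup ('MYDOM')
    while winbind searched for the realm ('MYDOM.NET'), so both are checked.
    """
    doms = primary_domains(parse_ldif(ldif_text))
    return {
        "has_workgroup": workgroup in doms,
        "has_realm": realm in doms,
        "realm_matches": doms.get(workgroup, "").lower() == realm.lower(),
        "records": sorted(doms),
    }


USER_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<dom>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)
DELEGATION_FAIL = "CIFS backend: NO delegated credentials found"


def delegation_failures(log_lines):
    """Pair each delegation error with the most recent NTLMSSP authenticate.

    The CIFS backend needs a forwardable Kerberos ticket to act on the user's
    behalf; an NTLMSSP logon cannot supply one, so the failure is attributed
    to the user/workstation seen in the last 'Got user=[...]' line.
    """
    last, hits = None, []
    for line in log_lines:
        m = USER_RE.search(line)
        if m:
            last = m.groupdict()
        elif DELEGATION_FAIL in line and last is not None:
            hits.append(dict(last))
    return hits


if __name__ == "__main__":
    print(check_secrets(SAMPLE_LDIF, "MYDOM", "MYDOM.NET"))
    print(delegation_failures(SAMPLE_LOG))
```

To run it against a live proxy, feed `check_secrets` the text of `ldbsearch -H /var/lib/samba/private/secrets.ldb` (the command used in the thread) together with the `workgroup` and `realm` values from smb.conf, and feed `delegation_failures` the lines of the samba debug log; a failure list that names only NTLMSSP users points at clients without a forwardable ticket rather than at a broken backend.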