[Samba] Openvpn and samba: play nice together?

Karel Lang AFD lang at afd.cz
Mon Nov 2 09:20:38 UTC 2015


Hi,
this reminds me of my troubles setting up a Samba BDC at a remote company 
branch.
The connection was done by an IPsec tunnel between 2 MikroTik routers.
The thing was, IPsec supports only unicast, not multicast or broadcast.

Solved it by adding an L2TP tunnel that supports the above-mentioned 
mechanisms. So I ended up with L2TP (which has very weak encryption 
and is very old and vulnerable) encapsulated by the modern IPsec, so a 
tunnel inside a tunnel to get it working.

I don't know about OpenVPN (never used it), but I suspect it is going to be 
a similar problem.

cheers,


-- 
*Karel Lang*
*Unix/Linux Administration*
lang at afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz


On 10/31/2015 09:45 PM, Douglas D Germann Sr wrote:
> Friends--
>
> I'm stumped! Cannot get mount.cifs to work over a tun connection. How
> would you trouble-shoot this?
>
> 1. It cannot be openvpn causing the problem: I can ping across the
> connection both directions on all machines.
>
> 2. It cannot be samba causing the problem: I can mount.cifs the smb
> shares on the lan (using the identical credentials file) without any issue.
>
> 3. Have iptables firewall on server, but have the same problem whether
> it is active or not.
>
> Specific error messages when trying to mount.cifs: "Credential
> formatted incorrectly: (null)" and "Unable to find suitable address."
> The second message is more common than the first.
>
> The details:
> Production environment, trying to install a new server, named torus.
>
> Server: torus locally is 192.168.0.203; its tun is 10.8.20.1. Runs
> Ubuntu 14.04 lts.
>
> Clients:
> fire is local client at 192.168.0.6; its tun on torus is 10.8.20.5.
>
> wind is remote client with tun on torus at 10.8.20.13.
>
> air locally is 192.168.0.212, and its tun address for torus is
> 10.8.20.21. It will eventually go out to live remotely and connect only
> through the cloud and a dynamic dns. (For sake of this thread, I will
> say that the .conf files on air are the same as wind, and it is having
> the same error messages; with it I can test mounting over the lan
> (192.168.0.x) and find that it connects; wind is 20 miles away and not
> on the 192 lan.)
>
> All these clients run Ubuntu 12.04 lts.
>
> There is another client, svs2, which runs winxp, and it has no problems
> connecting nor mounting the shares.
>
> The torus server .conf is:
> =====
> push "route 10.8.20.0 255.255.255.0"
>
> dev tun
>
> management 127.0.0.1 1195
>
> server 10.8.20.0 255.255.255.0
>
> dh /etc/openvpn/dh4096torus.pem
> ca /etc/openvpn/ca.crt
> cert /etc/openvpn/torus.crt
> key /etc/openvpn/torus.key
>
> client-config-dir /etc/openvpn/ccd
> ifconfig-pool-persist /etc/openvpn/ipp.txt 0
>
> max-clients 6
>
> comp-lzo
>
> persist-tun
> persist-key
>
> verb 3
>
> log-append /var/log/openvpn.log
>
> keepalive 10 60
> reneg-sec 0
>
> status-version 2
> proto udp6
> port 1***
>
> user nobody
> group nobody
> #group nogroup
>
> client-to-client
> tls-auth ta.key 0
> =====
>
> On torus:
> =====
> doug at torus:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         router          0.0.0.0         UG    0 0        0 eth1
> 10.8.20.0       10.8.20.2       255.255.255.0   UG    0 0        0 tun0
> 10.8.20.2       *               255.255.255.255 UH    0 0        0 tun0
> 192.168.0.0     *               255.255.255.0   U     0 0        0 eth1
> doug at torus:~$
> =====
>
> On wind:
> =====
> doug at wind:~$ cat /etc/openvpn/torus.conf
> client
> dev tun2
> proto udp
> remote *****.org 1***
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> dh dh4096torus.pem
> ca /etc/openvpn/caontorus.crt
> cert /etc/openvpn/windontorus.crt
> key /etc/openvpn/windontorus.key
> remote-cert-tls server
> comp-lzo
> verb 3
> tls-auth /etc/openvpn/taontorus.key 1
>
>
> doug at wind:~$ route
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> default         192.168.1.1     0.0.0.0         UG    0 0        0 eth0
> 10.8.1.0        10.8.1.14       255.255.255.0   UG    0 0        0 tun1
> 10.8.1.14       *               255.255.255.255 UH    0 0        0 tun1
> 10.8.20.0       10.8.20.14      255.255.255.0   UG    0 0        0 tun2
> 10.8.20.14      *               255.255.255.255 UH    0 0        0 tun2
> link-local      *               255.255.0.0     U     1000 0        0 eth0
> 192.168.1.0     *               255.255.255.0   U     1 0        0 eth0
> doug at wind:~$
> =====
>   (Wind's connection to another server on its tun1 is able to mount.cifs
> its shares. Far as I can tell the server.conf and client.conf files are
> the same as this set up.)
>
> The smb.conf file on torus is:
> =====
>
> [global]
>          workgroup = EVERYONE
>          server string = h server (Samba, Ubuntu)
>          map to guest = Bad User
>          obey pam restrictions = Yes
>          pam password change = Yes
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          unix password sync = Yes
>          lanman auth = Yes
>          client lanman auth = Yes
>          client plaintext auth = Yes
>          syslog = 0
>          log file = /var/log/samba/log.%m
>          max log size = 1000
>          printcap name = cups
>          disable spoolss = Yes
>          show add printer wizard = No
>          hosts allow = 192.168.0.0/24 10.8.0.0/24 127.0.0.1
>          #interfaces = 192.168.0.0/24 10.8.0.0/24 10.8.20.0/24 10.8.1.0/24
> ########ddg20151026
>          interfaces = eth* tun* lo
>          bind interfaces only = yes
> #######
>          dns proxy = No
>          usershare allow guests = Yes
>          panic action = /usr/share/samba/panic-action %d
>          create mask = 0775
>
> [printers]
>          comment =All Printers
>          path = /var/spool/samba
>          create mask = 0700
>          printable  = Yes
>          browseable = No
>          browsable  = No
>
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/printers
> [homes]
>          comment = Home Directories
>          valid users = %S
>          read only = No
>          browseable = No
>          browsable = No
>
> [vol1]
>          path = /vol1
>          valid users = doug, [blanked]
>          force user = doug
>          force group = apps
>          read only = No
>
> [vol2]
>          path = /vol2
>          valid users = doug, [blanked]
>          force user = doug
>          force group = data
>          read only = No
> [label]
>          path = /vol1/apps/label
>          valid users = doug, [blanked]
>          force user = doug
>          force group = data
>          read only = No
>
> [doug2]
>          path = /doug2
>          valid users = doug
>          force user = doug
>          force group = doug
>          read only = No
>          browseable = No
>          browsable = No
>
> [etc]
>          path = /etc
>          valid users = doug
>          force user = doug
>          force group = doug
>          read only = No
>          browseable = No
>          browsable = No
> [home]
>          path = /home
>          valid users = doug
>          force user = doug
>          force group = doug
>          read only = No
>          browseable = No
>          browsable = No
> =====
>
>
>
> Here is the error message on wind, with the iptables on torus flushed:
> =====
> [sudo] password for doug:
> mount: proc already mounted on /proc
> mount: //mariah/vol1 already mounted on /sam/vol1
> mount: //mariah/vol2 already mounted on /sam/vol2
> Credential formatted incorrectly: (null)
> Credential formatted incorrectly: (null)
> Credential formatted incorrectly: (null)
> mount.cifs kernel mount options:
> ip=10.8.20.1,unc=\\torus\vol2,nobrl,credentials=/root/.toruscredentials,uid=1000,gid=1003,ver=1,user=doug,pass=********
>
> Unable to find suitable address.
> doug at wind:~$
> =====
>
> The specific line in wind's /etc/fstab involved is:
> =====
> //torus/vol2   /sam/torus2       cifs   rw,nobrl,mand.user,credentials=/root/.toruscredentials,uid=doug,gid=data   0       0
> =====
>
> So how do I get these talking to each other in such a way that I can
> mount these samba shares?
>
> Thanks!
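Two things in the post above can be checked offline before touching the tunnel: the format of the credentials= file that "Credential formatted incorrectly: (null)" complains about, and the arithmetic of the posted hosts allow line against the tun addresses (the kernel mount options line shows ip=10.8.20.1, so the name torus did resolve, and the connection is being attempted over the tunnel). The script below is an editor's added example, not code from either poster, from Samba or from cifs-utils. The credentials lint follows the three keys documented in mount.cifs(8) and is an approximation of that parser; the hosts allow matcher implements only the address, CIDR, dotted-mask and trailing-dot prefix forms from smb.conf(5), not hostnames, netgroups, ALL or EXCEPT. The sample credentials file is constructed, with a blank line and a CRLF line deliberately included. Run against the posted value, none of the 10.8.20.x tunnel addresses falls inside 192.168.0.0/24, 10.8.0.0/24 or 127.0.0.1; whether that is what smbd is actually rejecting is visible in its log for that client, the script only makes the arithmetic explicit.

```python
"""Offline checks for the mount.cifs-over-OpenVPN problem in the thread.

Editor's added example; not code from the thread, from Samba or from cifs-utils.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# ---- 1. credentials= file lint -------------------------------------------
# mount.cifs(8) documents three keys for the credentials file, one per line.
# Any other line is reported as "Credential formatted incorrectly"; a blank
# line counts. The matching below approximates the mount.cifs parser; it is
# not its source.
CRED_KEYS = ("username", "password", "domain")


def lint_credentials(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Return (parsed key/values, [(line number, problem), ...])."""
    parsed: Dict[str, str] = {}
    problems: List[Tuple[int, str]] = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # final newline, not an empty line
    for lineno, raw in enumerate(lines, start=1):
        if raw.endswith("\r"):
            # CRLF file: only '\n' is stripped at mount time, so the value
            # would carry a stray '\r' (a wrong password that looks right).
            problems.append((lineno, "CRLF line ending"))
            raw = raw[:-1]
        key, sep, value = raw.lstrip(" \t").partition("=")
        key = key.strip().lower()
        if sep and key in CRED_KEYS:
            parsed[key] = value
        elif raw.strip() == "":
            problems.append((lineno, "blank line"))
        else:
            problems.append((lineno, "not username=/password=/domain="))
    return parsed, problems


# ---- 2. Samba "hosts allow" arithmetic -----------------------------------
# Subset of the smb.conf(5) hosts allow grammar: bare address, a.b.c.d/nn,
# a.b.c.d/dotted-mask and the trailing-dot prefix form ("192.168.0.").
# Hostnames, netgroups, ALL and EXCEPT are not implemented here.
def _entry_matches(entry: str, addr) -> bool:
    if entry.endswith("."):                       # prefix form, e.g. "10.8.20."
        return str(addr).startswith(entry)
    if "/" in entry:                              # CIDR or dotted mask
        return addr in ipaddress.ip_network(entry, strict=False)
    return addr == ipaddress.ip_address(entry)    # single address


def hosts_allow_permits(hosts_allow: str, client: str) -> bool:
    """True when the client address falls inside some hosts allow entry."""
    addr = ipaddress.ip_address(client)
    entries = [e for e in re.split(r"[\s,]+", hosts_allow.strip()) if e]
    return any(_entry_matches(e, addr) for e in entries)


# ---- inputs taken from the thread, plus one constructed file -------------
POSTED_HOSTS_ALLOW = "192.168.0.0/24 10.8.0.0/24 127.0.0.1"   # smb.conf above
TUNNEL_CLIENTS = ("10.8.20.5", "10.8.20.13", "10.8.20.21")   # fire, wind, air on tun
LAN_CLIENT = "192.168.0.6"                                    # fire on the LAN

# Constructed sample (not the poster's file): blank line 3, CRLF on line 4.
SAMPLE_CREDS = "username=doug\npassword=example-only\n\ndomain=EVERYONE\r\n"


def summarize() -> Dict[str, object]:
    """Run both checks on the inputs above and return the findings."""
    parsed, problems = lint_credentials(SAMPLE_CREDS)
    return {
        "cred_keys": sorted(parsed),
        "cred_problems": problems,
        "lan_allowed": hosts_allow_permits(POSTED_HOSTS_ALLOW, LAN_CLIENT),
        "tunnel_allowed": {c: hosts_allow_permits(POSTED_HOSTS_ALLOW, c)
                           for c in TUNNEL_CLIENTS},
    }


if __name__ == "__main__":
    for name, finding in summarize().items():
        print(f"{name}: {finding}")
```

To check a real file, read it with `open(path).read()` and pass it to `lint_credentials`; the problems list gives the line numbers mount.cifs would have warned about. For the hosts allow check, paste the value straight from `testparm -s` output so the running configuration, not the file on disk, is what gets tested.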
