[Samba] cannot access to linux share from windows
Fujisan
fujisan43 at gmail.com
Fri Dec 2 09:41:35 UTC 2016
Some more info:
I ran the following command from client B (10.0.21.200); server A is
10.0.21.18:
# smbclient -d3 -L \\10.0.21.18 -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp0s25 ip=10.0.21.200 bcast=10.0.21.255 netmask=255.255.255.128
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.18 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.1]
Sharename Type Comment
--------- ---- -------
IPC$ IPC IPC Service (Samba 4.5.1)
homes Disk Home Directories
smith Disk Home Directories
Connecting to 10.0.21.18 at port 139
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.1]
Server Comment
--------- -------
F25SERVER Samba 4.5.1
Workgroup Master
--------- -------
MYDOMAIN F25SERVER
But the following command run from client B (10.0.21.200) does not work:
# smbclient -d3 -L \\10.0.21.200 -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp0s25 ip=10.0.21.200 bcast=10.0.21.255 netmask=255.255.255.128
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.200 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
It seems that it cannot log in to the LDAP FreeIPA server A (10.0.21.18).
On Thu, Dec 1, 2016 at 2:57 PM, Fujisan <fujisan43 at gmail.com> wrote:
> OK I will contact freeipa mailing list as well.
>
> Anyway, on server A, conf is the following:
>
> [global]
> workgroup = MYDOMAIN
> netbios name = F25SERVER
> realm = MYDOMAIN
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> create krb5 conf = no
> domain master = yes
> domain logons = yes
> max log size = 10000
> log file = /var/log/samba/log.%m
> passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN.socket
> disable spoolss = yes
> ldapsam:trusted = yes
> ldap ssl = off
> ldap suffix = dc=mydomain
> ldap user suffix = cn=users,cn=accounts
> ldap group suffix = cn=groups,cn=accounts
> ldap machine suffix = cn=computers,cn=accounts
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> security = user
> enable core files = no
> log level = 2
>
> [homes]
> comment = Home Directories
> read only = no
> browseable = yes
> create mask = 0664
> directory mask = 0775
>
> and on client B:
>
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN
> netbios name = F25SERVER
> server string = Samba Server Version %v
> kerberos method = dedicated keytab
> dedicated keytab file = FILE:/etc/samba/samba.keytab
> log file = /var/log/samba/log.%m
> rpc_server:epmapper = external
> rpc_server:lsarpc = external
> rpc_server:lsass = external
> rpc_server:lsasd = external
> rpc_server:samr = external
> rpc_server:netlogon = external
> rpc_server:tcpip = yes
> rpc_daemon:epmd = fork
> rpc_daemon:lsasd = fork
> security = user
> map untrusted to domain = Yes
> smb ports = 139 445
> log level = 2
>
> [data]
> comment = /data/beauduin on f25desktop
> path = /data/smith
> create mask = 0644
> read only = no
>
> [data2]
> comment = /data2/beauduin on f25desktop
> path = /data2/smith
> create mask = 0644
> read only = no
>
> [data3]
> comment = /data3 on f25desktop
> path = /data3/smith
> create mask = 0644
> read only = no
>
> [backup]
> comment = /backup on f25desktop
> path = /backup
> read only = no
>
> On Thu, Dec 1, 2016 at 2:37 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Thu, 1 Dec 2016 14:08:55 +0100
>> Fujisan via samba <samba at lists.samba.org> wrote:
>>
>> > I have:
>> > A/ 1 F25 freeipa server
>> > B/ 1 F25 freeipa client
>> > C/ 1 F24 freeipa client
>> > D/ 1 windows desktop
>> >
>> > I can access linux shares of A from D.
>> > I can access linux shares of C from D.
>> > I *cannot* access linux shares of B from D.
>> >
>>
>> So, ignoring 'C', Windows can access shares on a 'F25' computer (A),
>> but cannot access shares on a 'F25' computer (B).
>>
>> Can I suggest you compare the various conf files on 'A' & 'B'.
>> Can I also point out that 'freeipa' & 'sssd' (which is also probably
>> involved here) have nothing to do with Samba. You may get better help
>> from their respective mailing lists.
>>
>> Rowland
>>
>>
>
>
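The two `smbclient -d3` runs in this message log different NTLMSSP challenge flags (0x62898215 from 10.0.21.18, 0x628a8215 from 10.0.21.200). The following is an added example, not part of the original post: it decodes those values with the flag names from [MS-NLMP] section 2.2.2.5 and reports which bits differ. The function names and the `LOG_A`/`LOG_B` variables are assumptions made for the example; the log lines are copied from the message.

```python
import re

# NTLMSSP negotiate flag bits, named as in [MS-NLMP] section 2.2.2.5.
NTLMSSP_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000080: "NEGOTIATE_LM_KEY",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# Excerpts of the -d3 output above: A = 10.0.21.18, B = 10.0.21.200.
LOG_A = ("Got challenge flags:\nGot NTLMSSP neg_flags=0x62898215\n"
         "NTLMSSP: Set final flags:\nGot NTLMSSP neg_flags=0x62088215\n")
LOG_B = ("Got challenge flags:\nGot NTLMSSP neg_flags=0x628a8215\n"
         "NTLMSSP: Set final flags:\nGot NTLMSSP neg_flags=0x62088215\n")

def decode(value):
    """Names of the flags set in value; bits not in the table appear as hex."""
    names = {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names | {hex(1 << i) for i in range(32) if unknown >> i & 1}

def flags_after(marker, log):
    """Value of the neg_flags line that directly follows the marker line."""
    m = re.search(re.escape(marker) + r"\s*\n\s*Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)", log)
    if m is None:
        raise ValueError("marker %r not found in log" % marker)
    return int(m.group(1), 16)

def compare_challenges(log_a, log_b):
    """Flags present only in A's challenge and only in B's challenge."""
    a = decode(flags_after("Got challenge flags:", log_a))
    b = decode(flags_after("Got challenge flags:", log_b))
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_a, only_b = compare_challenges(LOG_A, LOG_B)
    print("only in A's challenge:", only_a)
    print("only in B's challenge:", only_b)
    print("final flags (both):", sorted(decode(flags_after("NTLMSSP: Set final flags:", LOG_A))))
```

The two challenges differ only in the target-type bits: A's sets TARGET_TYPE_DOMAIN and B's sets TARGET_TYPE_SERVER, while the final flags the client settles on are the same in both runs.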