[Samba] cannot access to linux share from windows

Fujisan fujisan43 at gmail.com
Fri Dec 2 09:41:35 UTC 2016


Some more info:

I ran the following command from client B (10.0.21.200); server A is
10.0.21.18:

# smbclient -d3 -L \\10.0.21.18  -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp0s25 ip=10.0.21.200 bcast=10.0.21.255 netmask=255.255.255.128
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.18 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.1]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba 4.5.1)
    homes           Disk      Home Directories
    smith        Disk      Home Directories
Connecting to 10.0.21.18 at port 139
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Domain=[MYDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.1]

    Server               Comment
    ---------            -------
    F25SERVER               Samba 4.5.1

    Workgroup            Master
    ---------            -------
    MYDOMAIN                F25SERVER


But the following command run from client B (10.0.21.200) does not work:

# smbclient -d3 -L \\10.0.21.200  -U smith
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
lp_load_ex: changing to config backend registry
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface enp0s25 ip=10.0.21.200 bcast=10.0.21.255 netmask=255.255.255.128
Client started (version 4.5.1).
Enter smith's password:
Connecting to 10.0.21.200 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

It seems that it cannot log in to the LDAP FreeIPA server A (10.0.21.18).



On Thu, Dec 1, 2016 at 2:57 PM, Fujisan <fujisan43 at gmail.com> wrote:

> OK I will contact freeipa mailing list as well.
>
> Anyway, on server A, conf is the following:
>
> [global]
>     workgroup = MYDOMAIN
>     netbios name = F25SERVER
>     realm = MYDOMAIN
>     kerberos method = dedicated keytab
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     create krb5 conf = no
>     domain master = yes
>     domain logons = yes
>     max log size = 10000
>     log file = /var/log/samba/log.%m
>     passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN.socket
>     disable spoolss = yes
>     ldapsam:trusted = yes
>     ldap ssl = off
>     ldap suffix = dc=mydomain
>     ldap user suffix = cn=users,cn=accounts
>     ldap group suffix = cn=groups,cn=accounts
>     ldap machine suffix = cn=computers,cn=accounts
>     rpc_server:epmapper = external
>     rpc_server:lsarpc = external
>     rpc_server:lsass = external
>     rpc_server:lsasd = external
>     rpc_server:samr = external
>     rpc_server:netlogon = external
>     rpc_server:tcpip = yes
>     rpc_daemon:epmd = fork
>     rpc_daemon:lsasd = fork
>     security = user
>     enable core files = no
>     log level = 2
>
> [homes]
>     comment = Home Directories
>     read only = no
>     browseable = yes
>     create mask = 0664
>     directory mask = 0775
>
> and on client B:
>
>
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN
>     netbios name = F25SERVER
>     server string = Samba Server Version %v
>     kerberos method = dedicated keytab
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     log file = /var/log/samba/log.%m
>     rpc_server:epmapper = external
>     rpc_server:lsarpc = external
>     rpc_server:lsass = external
>     rpc_server:lsasd = external
>     rpc_server:samr = external
>     rpc_server:netlogon = external
>     rpc_server:tcpip = yes
>     rpc_daemon:epmd = fork
>     rpc_daemon:lsasd = fork
>     security = user
>     map untrusted to domain = Yes
>     smb ports = 139 445
>     log level = 2
>
> [data]
>     comment = /data/beauduin on f25desktop
>     path = /data/smith
>     create mask = 0644
>     read only = no
>
> [data2]
>     comment = /data2/beauduin on f25desktop
>     path = /data2/smith
>     create mask = 0644
>     read only = no
>
> [data3]
>     comment = /data3 on f25desktop
>     path = /data3/smith
>     create mask = 0644
>     read only = no
>
> [backup]
>     comment = /backup on f25desktop
>     path = /backup
>     read only = no
>
> On Thu, Dec 1, 2016 at 2:37 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Thu, 1 Dec 2016 14:08:55 +0100
>> Fujisan via samba <samba at lists.samba.org> wrote:
>>
>> > I have:
>> >   A/ 1 F25 freeipa server
>> >   B/ 1 F25 freeipa client
>> >   C/ 1 F24 freeipa client
>> >   D/ 1 windows desktop
>> >
>> > I can access linux shares of A from D.
>> > I can access linux shares of C from D.
>> > I *cannot* access linux shares of B from D.
>> >
>>
>> So, ignoring 'C', windows can access shares on a 'F25' computer (A),
>> but cannot access shares on a 'F25' computer (B)
>>
>> Can I suggest you compare the various conf files on 'A' & 'B'
>> Can I also point out the 'freeipa' & 'sssd' (which is also probably
>> involved here) have nothing to do with Samba. You may get better help
>> from their respective mailing lists.
>>
>> Rowland
>>
>>
>>
>
>
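The comparison of the configuration on A and B suggested in the quoted reply, as an added example (not code from the thread): it parses the two [global] sections and lists parameters set on only one host, plus per-host parameters that are identical on both. The two strings are excerpts of the configs posted above; `PER_HOST` and the function names are assumptions of this example.

```python
# Excerpts of the two [global] sections posted in this thread.
CONF_A = """\
[global]
    workgroup = MYDOMAIN
    netbios name = F25SERVER
    domain master = yes
    domain logons = yes
    passdb backend = ipasam:ldapi://%2fvar%2frun%2fslapd-MYDOMAIN.socket
    security = user
"""
CONF_B = """\
[global]
    workgroup = MYDOMAIN
    netbios name = F25SERVER
    security = user
    map untrusted to domain = Yes
    smb ports = 139 445
"""
# Assumption of this example: parameters that identify one host and
# should therefore not be identical on two machines.
PER_HOST = {"netbios name"}

def parse_global(text):
    """Return the [global] parameters as {name: value}, names lower-cased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def compare(conf_a, conf_b):
    """Summarise how two smb.conf [global] sections differ."""
    a, b = parse_global(conf_a), parse_global(conf_b)
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "differ": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "shared_per_host": sorted(k for k in PER_HOST if k in a and a.get(k) == b.get(k)),
    }

if __name__ == "__main__":
    for kind, names in compare(CONF_A, CONF_B).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```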

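In the two smbclient traces above, the server's challenge flags differ (0x62898215 from A, 0x628a8215 from B). As an added example, not part of the original message, this decodes both values with abbreviated MS-NLMP bit names and reports the flags that differ; the flag table is a subset and the function names are assumptions of this example.

```python
import re

# NTLMSSP negotiate flag bits, abbreviated from the MS-NLMP names (subset).
FLAGS = {
    0x00000001: "UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO",
    0x02000000: "VERSION",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}

# Lines copied from the two smbclient -d3 runs in the message.
LOG_A = "Got challenge flags:\nGot NTLMSSP neg_flags=0x62898215\n"
LOG_B = "Got challenge flags:\nGot NTLMSSP neg_flags=0x628a8215\n"

def challenge_flags(log):
    """Return the neg_flags value that follows 'Got challenge flags:'."""
    m = re.search(r"Got challenge flags:\s*Got NTLMSSP neg_flags=0x([0-9a-fA-F]+)", log)
    if m is None:
        raise ValueError("no challenge flags in log")
    return int(m.group(1), 16)

def decode(value):
    """Return the set of flag names set in value; unknown bits are reported."""
    names = {name for bit, name in FLAGS.items() if value & bit}
    unknown = value & ~sum(FLAGS)  # keys are distinct bits, so sum == OR
    if unknown:
        names.add(f"UNKNOWN_0x{unknown:08x}")
    return names

def flag_diff(log_a, log_b):
    """Flags present only in the first and only in the second challenge."""
    a, b = decode(challenge_flags(log_a)), decode(challenge_flags(log_b))
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    only_a, only_b = flag_diff(LOG_A, LOG_B)
    print("only in A's challenge:", only_a)
    print("only in B's challenge:", only_b)
```

Server A's challenge marks the authentication target as a domain, while B's marks it as a server.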
