[Samba] Using GPO to mount shares on Linux
L.P.H. van Belle
belle at bazuin.nl
Fri Oct 20 14:03:30 UTC 2017
Hai,
Now realmd, sssd and autofs are all not my cookies.. but..
I see 2 things.
1) You are missing the CIFS SPN.
Here it shows how to make them and extract them.
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction
2) For the smbclient try:
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3 -m SMB2
...added -m SMB2 at the end.
Last, I see: /var/run/samba/gencache_notrans.tdb
Can you also post the output of samba -b?
That path is normally /var/cache/samba/; not that it's wrong, but it may help to see how Samba was built.
Greetz,
Louis
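The smbclient -d 3 trace quoted below carries the evidence Louis is reading off: the principal the client guessed, the principal the KDC says it does not know, the unreadable smb.conf and the gencache tdb path. The following Python is an added example, not code from the thread or from Samba, that pulls those facts out of such a trace and turns them into findings. The log text is a constructed sample modelled on Daniel's output (with the archive's "user at REALM" spelling written back as "@" and a documentation IP address); the interpretation of the short-name vs FQDN difference as a canonicalisation issue is an assumption of the example.

```python
import re

# Constructed sample, modelled on the smbclient -d 3 output quoted in the
# thread; the archive's "user at REALM" obfuscation is written back as "@".
SAMPLE_LOG = """\
lp_load_ex: refreshing parameters
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
resolve_hosts: Attempting host lookup for name server.domain.dom<0x20>
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
Connecting to 192.0.2.10 at port 445
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom@DOMAIN.DOM
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server@DOMAIN.DOM) unknown]
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
"""

GUESSED_RE = re.compile(r"guessed server principal=(\S+)")
UNKNOWN_RE = re.compile(r"Server \(([^)]+)\) unknown")
TDB_RE = re.compile(r"tdb\(([^)]+)\): tdb_open_ex: could not open file")
SMBCONF_RE = re.compile(r"Can't load (\S+) - run testparm")


def split_principal(principal):
    """'cifs/host@REALM' -> ('cifs', 'host', 'REALM'); None if not service/host@REALM."""
    m = re.fullmatch(r"([^/@]+)/([^@]+)@(.+)", principal)
    return m.groups() if m else None


def diagnose(log_text):
    """Scan a smbclient -d 3 trace and return the facts plus human-readable findings."""
    result = {
        "smbconf_unreadable": None,   # path of the smb.conf the client could not load
        "tdb_unwritable": [],         # cache tdb paths the invoking user could not open
        "guessed_principal": None,    # service principal the client asked a ticket for
        "unknown_principal": None,    # principal the KDC reported as unknown
        "missing_spn": False,
        "name_mismatch": False,
        "findings": [],
    }
    for line in log_text.splitlines():
        m = SMBCONF_RE.search(line)
        if m:
            result["smbconf_unreadable"] = m.group(1)
        m = TDB_RE.search(line)
        if m and m.group(1) not in result["tdb_unwritable"]:
            result["tdb_unwritable"].append(m.group(1))
        m = GUESSED_RE.search(line)
        if m:
            result["guessed_principal"] = m.group(1)
        m = UNKNOWN_RE.search(line)
        if m:
            result["unknown_principal"] = m.group(1)

    if result["smbconf_unreadable"]:
        result["findings"].append(
            f"{result['smbconf_unreadable']} could not be read, so smbclient ran with "
            "built-in defaults; check the file's permissions for the invoking user")
    for path in result["tdb_unwritable"]:
        result["findings"].append(
            f"{path} is not accessible to the invoking user; the /var/run vs /var/cache "
            "location also tells you how this Samba build was configured")
    unknown = result["unknown_principal"]
    if unknown:
        result["missing_spn"] = True
        result["findings"].append(
            f"the KDC has no principal {unknown}: the cifs/ SPN is not registered for the "
            "member server; create it and extract a keytab (see the Samba wiki pages above)")
        guessed = result["guessed_principal"]
        g, u = (split_principal(guessed) if guessed else None), split_principal(unknown)
        if g and u and g[1].lower() != u[1].lower():
            # Assumption of this example: the host part changed between the client's guess
            # and the KDC's answer, so the name was canonicalised on the way (DNS/rdns).
            result["name_mismatch"] = True
            result["findings"].append(
                f"client asked for host {g[1]} but the KDC rejected {u[1]}: check forward and "
                "reverse DNS for the member server and register the SPN for both name forms")
    return result


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Run it against the pasted trace (or pipe a fresh `smbclient ... -k -d 3` run into it) and the findings come out in the order Louis lists them: missing cifs/ SPN first, then the smb.conf and tdb permission noise, which matters only because it shows the client is running as an unprivileged user with defaults.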
From: Daniel Carrasco [mailto:d.carrasco at i2tic.com]
Sent: Friday 20 October 2017 14:58
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Using GPO to mount shares on Linux
Hello,
Sorry for taking so long to answer, but I was not able to do the tests because the computer is in use and out of my office.
Finally I've progressed in this topic with realmd, sssd and autofs, but now I'm stuck on mounting shares from my member server.
I'm able to use autofs and smbclient to mount and connect to the sysvol share on my DC server, but when I try to connect to my member server I get this error:
----------------
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
added interface enp1s0 ip=192.168.0.xx bcast=192.168.0.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
resolve_hosts: Attempting host lookup for name server.domain.dom<0x20>
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file /var/run/samba/gencache_notrans.tdb: Permiso denegado
Connecting to 192.168.0.xxx at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.dom at DOMAIN.DOM
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server (cifs/server at DOMAIN.DOM) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR
----------
Have I missed something?
My member server has joined Samba DC and is able to authenticate the Windows clients.
Thanks!!
2017-10-11 16:52 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
Wohoo, finally I could help Rowland :-p ;-)
I follow this as guidance:
1 server (all in one): use RID, easy to set up etc, but.. if you go to... or have plans to..
2 servers (DC + a member):
use backend RID if you don't need access with a Windows account to a shared home folder (cifs or nfs).
You use a dedicated local "linuxAdmin" for maintenance (often the first created user in Linux).
Use backend AD if you do need access with ssh for example, or shared home folders.
3 servers or more: all servers where ssh or access to a server with a shared folder is needed, use backend AD.
Advised is: all servers with file shares.
Optional, mix this with RID, for example for a dedicated print server, or proxy server (auth).
I use setup 3.
Multiple servers with AD and RID mixed on the members, based on function.
An NFS pointer is:
Make sure you set your home folder 755; Kerberos (MIT) looks for .klogin in the home dir.
If the setup is too tight this fails (workaround: disable .klogin checking in krb5.conf).
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where it's needed.
For CIFS: you may need to add these lines in krb5.conf; CIFS uses them, NFS does not.
; for Windows 2008 with AES
default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
Now here, if you see "Required keys not available", no matter what you do,
then you probably are missing these lines in krb5.conf.
The sources I use for the above info:
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_cifs_using_ad_krb.html
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html
It's a .nl domain but it's in English ;-) and still contains good info.
Just beware it's based on Debian Squeeze.
And handy to know:
https://support.microsoft.com/en-us/help/977321/kdc-event-id-16-or-27-is-logged-if-des-for-kerberos-is-disabled
Greetz,
Louis
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
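The krb5.conf enctype lines Louis quotes above list AES next to rc4-hmac and two single-DES types. MIT Kerberos has refused single-DES by default for years unless allow_weak_crypto is set, and treats RC4 and DES3 as deprecated, so a client that copies that list verbatim carries dead weight and, on an older realm, can end up negotiating a weak key. The following Python is an added example, not code from the thread or from MIT Kerberos or Samba: it parses the [libdefaults] section of a krb5.conf, classifies each enctype, and emits the three lines with the weak types removed. The krb5.conf text is a constructed sample modelled on Louis's lines (DOMAIN.DOM and dc.domain.dom are the thread's placeholders); the strong/legacy/weak classification is this example's own and the recognised enctype names are the usual MIT spellings.

```python
import re

# Constructed krb5.conf excerpt modelled on the [libdefaults] lines posted in
# the thread; DOMAIN.DOM / dc.domain.dom are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.DOM
    dns_lookup_kdc = true
    ; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
    DOMAIN.DOM = {
        kdc = dc.domain.dom
    }
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def classify(enctype):
    """This example's own buckets: AES is strong, RC4/DES3 legacy, single DES weak."""
    e = enctype.lower()
    if e.startswith("aes"):
        return "strong"
    if e in ("rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5") or e.startswith("des3"):
        return "legacy"
    if e.startswith("des-"):
        return "weak"
    return "unknown"


def parse_libdefaults(text):
    """Return key -> value for the [libdefaults] section; other sections are skipped."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # krb5.conf accepts both comment styles
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit_enctypes(libdefaults):
    """Bucket every listed enctype and note whether weak crypto is explicitly allowed."""
    report = {}
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            types = libdefaults[key].split()
            report[key] = {bucket: [t for t in types if classify(t) == bucket]
                           for bucket in ("strong", "legacy", "weak", "unknown")}
    report["allow_weak_crypto"] = libdefaults.get("allow_weak_crypto", "false").lower() == "true"
    return report


def hardened_lines(libdefaults, keep_legacy=False):
    """Rewrite the three enctype keys without weak types (and without legacy ones by default)."""
    lines = []
    for key in ENCTYPE_KEYS:
        if key not in libdefaults:
            continue
        kept = [t for t in libdefaults[key].split()
                if classify(t) == "strong" or (keep_legacy and classify(t) == "legacy")]
        lines.append(f"{key} = {' '.join(kept)}")
    return lines


if __name__ == "__main__":
    ld = parse_libdefaults(SAMPLE_KRB5_CONF)
    for key, buckets in audit_enctypes(ld).items():
        print(key, buckets)
    print("\n".join(hardened_lines(ld)))
```

With the sample above the audit flags des-cbc-crc and des-cbc-md5 as weak and rc4-hmac as legacy on all three keys, and the hardened lines keep only the two AES types. Keeping rc4-hmac (keep_legacy=True) is the middle ground for a realm that still has accounts without AES keys; once every account has been re-keyed it can go too.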