[Samba] Connection dropping every 24 hours from Windows Client.
Hans Rasmussen
hans at sbsfor.com
Fri Jan 3 16:25:59 UTC 2020
I changed my smb.conf on the DCs and the member as per your instructions. Now the connection dropped at 10 hours, which appears to be the default end time of the certificate.
KLIST on a Windows box returns:
Cached Tickets: (3)
#0> Client: hans @ MYNET.MYNET.COM
Server: krbtgt/ MYNET.MYNET.COM @ MYNET.MYNET.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 1/3/2020 7:59:07 (local)
End Time: 1/3/2020 17:59:07 (local)
Renew Time: 1/10/2020 7:59:07 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called: bobafett.mynet.mynet.com
#1> Client: hans @ MYNET.MYNET.COM
Server: LDAP/bigbird.mynet.mynet.com / mynet.mynet.com @ MYNET.MYNET.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
Start Time: 1/3/2020 7:59:08 (local)
End Time: 1/3/2020 17:59:07 (local)
Renew Time: 1/10/2020 7:59:07 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: bobafett.mynet.mynet.com
#2> Client: hans @ MYNET.MYNET.COM
Server: host/han.mynet.mynet.com @ MYNET.MYNET.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
Start Time: 1/3/2020 7:59:07 (local)
End Time: 1/3/2020 17:59:07 (local)
Renew Time: 1/10/2020 7:59:07 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: bobafett mynet.mynet.com
Where bigbird is my primary DC, bobafett and jabbathehut (not seen here) are my identical secondary DCs, and han is my Windows 10 workstation.
On 02/01/2020 17:45, hans via samba wrote:
> I posted the following a month ago but have only managed to get to fixing on this over the holidays. Rowland mentions that I needed to add my domain info, it’s now included and I still have the same issue.
>
> Thanks and Happy New Year
>
> Old post begins below with edits
>
> Hello
>
> I have a problem with my Windows 10 drive connections dropping every
> 24 hours, very briefly. It's enough to cause me to be unable to save
> my file, or access a geodatabase. I have followed much
> troubleshooting and I believe that it's due to the KDC Service ticket lifetime
> expiring, I have it set for 24 hours in smb.conf.
>
> I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the
> shares are running 4.7.6 and connected to the DC by Winbindd. I
> notice that when my 24 hours is up, smbstatus will show that I have a
> new PID. The files are unfortunately still being held open by the old
> PID and are no longer accessible (I think.).
>
> When I used to host the shares on the same DC, I never had this trouble.
> When I had kdc:service ticket lifetime = 10, then the connections
> dropped every 10 hours. Do I just keep upping that number to
> something useful and hope I don't get hacked, or is there something
> else I am missing. To me, it sounds a lot like this problem,
> https://lists.samba.org/archive/samba/2014-March/179555.html
>
> Thanks
>
OK, you do not need these lines in your DC smb.conf:
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 360
kdc:renewal lifetime = 1800
dsdb:schema update allowed = true
wins support = yes
Try this as the [global] part of your smb.conf on the Unix domain member:
[global]
workgroup = MYNET
security = ADS
realm = MYNET.MYNET.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYNET : backend = rid
idmap config MYNET : range = 50000-1000000
# If your users log into the Unix domain member
# uncomment the following two lines and alter to your requirements
#template shell = /bin/bash
#template homedir = /home/%U
username map = /etc/samba/user.map
vfs object = acl_xattr
map acl inherit = yes
store dos attributes = yes
client signing = yes
Create '/etc/samba/user.map' containing this:
!root = MYNET\Administrator
Run (as root):
net ads keytab create
Restart Samba and see how you go.
Rowland
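
Added example (not part of the original thread, and not code from either poster): a small parser for Windows klist output that computes each cached ticket's lifetime and renewal window, so the 10-hour expiry and 7-day renew limit reported above can be checked without doing the date arithmetic by hand. The sample text is constructed from the times in the post; the function names and the US-style date format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout of Windows `klist` output, using the
# times and names shown in the post above (two of the three tickets).
SAMPLE = """\
#0> Client: hans @ MYNET.MYNET.COM
    Server: krbtgt/MYNET.MYNET.COM @ MYNET.MYNET.COM
    Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
    Start Time: 1/3/2020 7:59:07 (local)
    End Time:   1/3/2020 17:59:07 (local)
    Renew Time: 1/10/2020 7:59:07 (local)
#1> Client: hans @ MYNET.MYNET.COM
    Server: host/han.mynet.mynet.com @ MYNET.MYNET.COM
    Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
    Start Time: 1/3/2020 7:59:07 (local)
    End Time:   1/3/2020 17:59:07 (local)
    Renew Time: 1/10/2020 7:59:07 (local)
"""

FIELD = re.compile(r"^\s*(Server|Start Time|End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-style dates, 24-hour clock

def parse_klist(text):
    """Return one dict per cached ticket with its lifetime and renewal window in hours."""
    tickets, cur = [], None
    for line in text.splitlines():
        if re.match(r"^\s*#\d+>", line):      # "#N>" starts a new ticket entry
            cur = {}
            tickets.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = val if key == "Server" else datetime.strptime(val, TIME_FMT)
    for t in tickets:
        t["lifetime_h"] = (t["End Time"] - t["Start Time"]).total_seconds() / 3600
        t["renewable_h"] = (t["Renew Time"] - t["Start Time"]).total_seconds() / 3600
    return tickets

def expiring_together(tickets):
    """True when every ticket shares one End Time, i.e. all expire at the same instant."""
    return len({t["End Time"] for t in tickets}) == 1

if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        print(f'{t["Server"]}: lifetime {t["lifetime_h"]:g} h, renewable for {t["renewable_h"]:g} h')
    print("all tickets expire together:", expiring_together(parse_klist(SAMPLE)))
```

On the sample, both tickets show a 10-hour lifetime, a 168-hour renewal window, and the same End Time as the krbtgt ticket.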