[Samba] Connection dropping every 24 hours from Windows Client.

Hans Rasmussen hans at sbsfor.com
Fri Jan 3 16:25:59 UTC 2020


I changed my smb.conf on the DCs and the member as per your instructions.  Now the connection dropped at 10 hours, which appears to be the default end time of the certificate.

klist on a Windows box returns:
Cached Tickets: (3)

#0>     Client: hans @ MYNET.MYNET.COM
        Server: krbtgt/ MYNET.MYNET.COM @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: bobafett.mynet.mynet.com

#1>     Client: hans @ MYNET.MYNET.COM
        Server: LDAP/bigbird.mynet.mynet.com / mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40ac0000 -> forwardable renewable pre_authent ok_as_delegate 0x80000
        Start Time: 1/3/2020 7:59:08 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: bobafett.mynet.mynet.com

#2>     Client: hans @ MYNET.MYNET.COM
        Server: host/han.mynet.mynet.com @ MYNET.MYNET.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a80000 -> forwardable renewable pre_authent 0x80000
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called: bobafett mynet.mynet.com

Where bigbird is my primary DC, bobafett and jabbathehut (not seen here) are my identical secondary DCs, and han is my Windows 10 workstation.


On 02/01/2020 17:45, hans via samba wrote:
> I posted the following a month ago but have only managed to get to fixing on this over the holidays.  Rowland mentions that I needed to add my domain info, it’s now included and I still have the same issue.
>
> Thanks and Happy New Year
>
> Old post begins below with edits
>
> Hello
>   
> I have a problem with my Windows 10 drive connections dropping every 
> 24 hours, very briefly.  It's enough to cause me to be unable to save 
> my file, or access a geodatabase.  I have followed much 
> troubleshooting and I believe that it's due to the KDC service ticket lifetime 
> expiring; I have it set for 24 hours in smb.conf.
>
> I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the 
> shares are running 4.7.6 and connected to the DC by winbindd.  I 
> notice that when my 24 hours is up, smbstatus will show that I have a 
> new PID.  The files are unfortunately still being held open by the old 
> PID and are no longer accessible (I think).
> 
> When I used to host the shares on the same DC, I never had this trouble.
> When I had kdc:service ticket lifetime = 10, then the connections 
> dropped every 10 hours.  Do I just keep upping that number to 
> something useful and hope I don't get hacked, or is there something 
> else I am missing?  To me, it sounds a lot like this problem: 
> https://lists.samba.org/archive/samba/2014-March/179555.html
>
> Thanks
>   

OK, you do not need these lines in your DC smb.conf:

         kdc:service ticket lifetime = 24
         kdc:user ticket lifetime = 360
         kdc:renewal lifetime = 1800
         dsdb:schema update allowed = true
         wins support = yes

Try this as the [global] part of your smb.conf on the Unix domain member:

[global]
workgroup = MYNET
security = ADS
realm = MYNET.MYNET.COM

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYNET : backend = rid
idmap config MYNET : range = 50000-1000000

# If your users log into the Unix domain member
# uncomment the following two lines and alter to your requirements
#template shell = /bin/bash
#template homedir = /home/%U

username map = /etc/samba/user.map

vfs object = acl_xattr
map acl inherit = yes
store dos attributes = yes

client signing = yes

Create '/etc/samba/user.map' containing this:

!root = MYNET\Administrator

Run (as root):
net ads keytab create

Restart Samba and see how you go.

Rowland
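The klist output earlier in this message is where the 10-hour end time is read off, and Rowland's `winbind refresh tickets = yes` only helps if the ticket can be renewed at all. As an added example (not code from this thread or from the Samba project), the Python below parses that klist layout, lists the tickets whose lifetime matches an observed drop interval, and checks the renewability condition; the sample ticket data is constructed, with the second ticket and its hostname invented.

```python
import re
from datetime import datetime
# Constructed sample in the klist layout quoted above (2nd ticket/hostname invented).
KLIST_OUTPUT = """\
#0>     Client: hans @ MYNET.MYNET.COM
        Server: krbtgt/ MYNET.MYNET.COM @ MYNET.MYNET.COM
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/3/2020 7:59:07 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/10/2020 7:59:07 (local)

#1>     Client: hans @ MYNET.MYNET.COM
        Server: cifs/files.example.com @ MYNET.MYNET.COM
        Ticket Flags 0x40a00000 -> forwardable pre_authent
        Start Time: 1/3/2020 7:59:08 (local)
        End Time:   1/3/2020 17:59:07 (local)
        Renew Time: 1/3/2020 17:59:07 (local)
"""

def _parse_time(value):
    # klist prints e.g. '1/3/2020 7:59:07 (local)'; month/day/hour are not zero-padded
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Return one dict per '#N>' ticket block: server, flag words, start/end/renew times."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(.+?)\s*$", block, flags=re.M))
        flags = re.search(r"Ticket Flags\s+0x[0-9a-fA-F]+\s*->\s*(.+)", block)
        tickets.append({
            "server": fields["Server"],
            "flags": set(flags.group(1).split()) if flags else set(),
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
            "renew": _parse_time(fields["Renew Time"]),
        })
    return tickets

def lifetime_hours(ticket):
    return (ticket["end"] - ticket["start"]).total_seconds() / 3600

def explains_drop(tickets, drop_interval_hours, tolerance_minutes=1):
    """Servers whose ticket lifetime matches the interval at which connections drop."""
    return [t["server"] for t in tickets
            if abs(lifetime_hours(t) - drop_interval_hours) * 60 <= tolerance_minutes]

def can_renew(ticket):
    """Renewal (what 'winbind refresh tickets = yes' relies on) needs the renewable flag and a renew-until time after the end time."""
    return "renewable" in ticket["flags"] and ticket["renew"] > ticket["end"]
```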


