[Samba] Multi-homed Samba 4 file server on Samba 4 AD domain - cross network authentication

Rowland penny rpenny at samba.org
Wed May 13 20:13:12 UTC 2020


On 13/05/2020 18:52, David Lomax via samba wrote:
> Hi all,
>
> I have a question about a multi-homed Samba file server and interoperability
> with AD.  It's a bit complicated, so please bear with me.

Your problem is probably because your DC knows your Samba ADS client by 
its 192.168.42.0/24 IP address.

Also, why only use 10G on part of your network? Surely the network speed 
will be dictated by the slowest part of your network; if your clients 
only have 1G, then that is what the network speed will be, or have I got 
it wrong?

> The problem is I cannot map a network drive using the 10G IP address,
> because it asks for a username/password and authentication fails.
Do the DCs know about the 192.168.84.0/24 network? Have you created a 
reverse zone?
> 	. 192.168.42.70   Proxmox, also used as my monster file server
> running the default version of Samba (3.x).  This machine also has a 10G
> card.
You do know that Samba 3.x.x is dead; this probably means that your 
Proxmox needs updating.
> In /var/log/samba/log.192.168.84.101:
>
> 	[2020/05/13 16:28:04.654299,  2]
> ../auth/auth_log.c:610(log_authentication_event_human_readable)
> 	  Auth: [SMB2,(null)] user [NSA]\[lomaxd] at [Wed, 13 May 2020
> 16:28:04.654290 BST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD]
'NTLMv1'? You do know that this is insecure.
> My /etc/samba/smb.conf:
> (My file share is fs$)
>
> [global]
>
> ## Browsing/Identification ###
>
>     vfs objects = acl_xattr
'acl_xattr' doesn't work with ZFS
>
>
>
>     lanman auth = yes
>     client lanman auth = yes
Why lanman? Do you have any Win 95/98 clients?
>     dns forwarder = 192.168.42.253
'dns forwarder' is only used on a DC
>     unix password sync = yes
This isn't allowed on a domain member, you cannot have the same user in 
AD and /etc/passwd
>     idmap_ldb:use rfc2307 = yes
That is only used on a DC
>     #username map = /etc/samba/user.map
>     username map script = /bin/echo
You need the one you commented out, and you don't need the one below it.
> [netlogon]
>     comment = Network Logon Service
>     path = /home/samba/netlogon
>     #guest ok = yes
>     writeable = yes
>     #valid users = %S, NSA.INT\%S
>     write list = root, NSA.INT\Domain Users
'netlogon' on a domain member?
> [fs$]
>     comment = ZPool FS
>     browseable = yes
>     path = /tank/fs
>     writeable = yes
>     #valid users = %S, NSA.INT\%S
>     write list = root, NSA.INT\Domain Users
>     create mask = 0700
>     directory mask = 0700
>
>
> My /etc/nsswitch.conf:
>
> hosts:          files dns winbind
Remove 'winbind' from the hosts line
> My /etc/resolv.conf:
>
> search nsa.int
> domain nsa.int
> nameserver 192.168.42.253
Remove the 'domain' line and point the nameserver to one of your DCs.

Rowland
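To make the smb.conf problems called out in this reply checkable, here is an added lint script (example code written for this page, not from the thread or the Samba project). The sample smb.conf is constructed from the fragments quoted above, and the rules encode only the points raised in the reply: DC-only options, LANMAN and unix password sync on a member, the commented-out username map, and a netlogon share on a member.

```python
# Constructed sample, assembled from the smb.conf fragments quoted above.
SAMPLE_SMB_CONF = """
[global]
    lanman auth = yes
    client lanman auth = yes
    dns forwarder = 192.168.42.253
    unix password sync = yes
    idmap_ldb:use rfc2307 = yes
    #username map = /etc/samba/user.map
    username map script = /bin/echo
[netlogon]
    path = /home/samba/netlogon
[fs$]
    path = /tank/fs
"""

DC_ONLY = ("dns forwarder", "idmap_ldb:use rfc2307")   # only meaningful on an AD DC
MEMBER_NO = ("lanman auth", "client lanman auth", "unix password sync")  # must stay 'no'

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {option: value}}; keys are lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # comment line, e.g. the '#username map' entry
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)   # first '=' only; keeps 'idmap_ldb:use rfc2307'
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint_member_config(conf):
    """Return the list of settings a domain member should not carry."""
    g, findings = conf.get("global", {}), []
    for opt in DC_ONLY:
        if opt in g:
            findings.append(f"'{opt}' is a DC-only option; remove it on a domain member")
    for opt in MEMBER_NO:
        if g.get(opt, "no").lower() == "yes":   # Samba's default for all three is 'no'
            findings.append(f"'{opt} = yes' must not be set on a domain member")
    if "username map script" in g and "username map" not in g:
        findings.append("use 'username map = <file>' instead of 'username map script'")
    if "netlogon" in conf:
        findings.append("[netlogon] share belongs on a DC, not on a domain member")
    return findings
```

Run `lint_member_config(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a member and every returned line is one of the corrections given in the reply.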