[Samba] Multi-homed Samba 4 file server on Samba 4 AD domain - cross network authentication

David Lomax dave at davidlomax.co.uk
Thu May 14 17:58:21 UTC 2020


Hi Rowland,

Thank you very much, you were spot on.  I had changed the Windows 7 client's LM compatibility level, and now that I have reverted it back to 5 (use NTLMv2) it works.  It was this registry key that made it start working:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000005

I was ignoring the old LM options and the "NTLMv1" in the logs, until you pointed it out, so thanks.

Your questions are good points, and I'll answer them for the benefit of anyone else reading this thread.

* There are two networks, and both the server and the client are connected to both of them.  To override the default 1G network, I map the network drive by IP address.
* Good point about the reverse lookup zone.  I forgot about that, I will create it.
* I take your point about vfs objects and ZFS.  I've had a lot of problems;  it's working at the moment, but still trying to understand how permissions are stored...
* Sorry, I initially wrote Samba 3 but when I checked my versions Proxmox is Samba 4.9.5; just forgot to replace it in the email :-)
* I removed the lanman and client lanman options from the file server.  That was an earlier act of desperation!
* I removed the dns forwarder clause - wasn't sure if it gets used on a domain member
* I removed the unix password sync clause - I was never sure about that
* I removed the idmap_ldb:use rfc2307 clause - again, wasn't sure if the client uses it
* I changed the username map as you suggested:

>     #username map = /etc/samba/user.map
>     username map script = /bin/echo
you need the one you commented out and you don't need the one below it.

(Should it be "username map" or "username map script"?)

* I removed the [netlogon] share.  Should I also remove [profiles] from the client?  I have user directories on the file server, but not sure if it is the role of the DC or not to host that.
* I removed winbind from nsswitch.conf as you suggest, but isn't it needed to look up computer names from the DC?  Or does it use regular DNS nowadays?
* I removed the domain line from resolv.conf, although I'm still not sure what it does  :-)
* I removed the nameserver entry for the gateway, and added 2 nameserver entries with each of the DCs IPs.

Question ... I configured my gateway (pfsense) to delegate DNS lookups for nsa.int to the DCs.  Does that mean I can keep all machines pointing their DNS lookups to the gateway?
Or do domain members need to make the DCs their first port-of-call for DNS lookups?

I've always scratched my head trying to understand which Samba options apply to the latest version.  What resources can you recommend I look at?

Switching off LM & NTLM has really nailed it - thank you - I just hope my "trust relationship failed" issues don't come back!!!

Cheers Rowland.

Thanks,
Dave



-----Original Message-----
From: Rowland penny [mailto:rpenny at samba.org] 
Sent: 13 May 2020 21:13
To: samba at lists.samba.org
Subject: Re: [Samba] Multi-homed Samba 4 file server on Samba 4 AD domain - cross network authentication

On 13/05/2020 18:52, David Lomax via samba wrote:
> Hi all,
>
> I have a question about a multi-homed Samba file server and interoperability
> with AD.  It's a bit complicated, so please bear with me.

Your problem is probably because your DC knows your Samba ADS client by 
its 192.168.42.0/24 IP address.

Also, why only use 10G on part of your network, surely the network speed 
will be dictated by the slowest part of your network, if your clients 
only have 1G, then that is what the network speed will be, or have I got 
it wrong ?

> The problem is I cannot map a network drive using the 10G IP address,
> because it asks for a username/password and authentication fails.
Do the DCs know about the 192.168.84.0/24 network? Have you created a 
reverse zone?
> 	. 192.168.42.70   Proxmox, also used as my monster file server
> running the default version of Samba (3.x).  This machine also has a 10G
> card.
You do know that Samba 3.x.x is dead? This probably means that your 
Proxmox needs updating.
> In /var/log/samba/log.192.168.84.101:
>
> 	[2020/05/13 16:28:04.654299,  2]
> ../auth/auth_log.c:610(log_authentication_event_human_readable)
> 	  Auth: [SMB2,(null)] user [NSA]\[lomaxd] at [Wed, 13 May 2020
> 16:28:04.654290 BST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD]
'NTLMv1' ? You do know that this is insecure.
> My /etc/samba/smb.conf:
> (My file share is fs$)
>
> [global]
>
> ## Browsing/Identification ###
>
>     vfs objects = acl_xattr
'acl_xattr' doesn't work with ZFS
>
>
>
>     lanman auth = yes
>     client lanman auth = yes
Why lanman? Do you have any Win 95/98 clients?
>     dns forwarder = 192.168.42.253
'dns forwarder' is only used on a DC
>     unix password sync = yes
This isn't allowed on a domain member; you cannot have the same user in 
AD and /etc/passwd.
>     idmap_ldb:use rfc2307 = yes
That is only used on a DC
>     #username map = /etc/samba/user.map
>     username map script = /bin/echo
you need the one you commented out and you don't need the one below it.
> [netlogon]
>     comment = Network Logon Service
>     path = /home/samba/netlogon
>     #guest ok = yes
>     writeable = yes
>     #valid users = %S, NSA.INT\%S
>     write list = root, NSA.INT\Domain Users
'netlogon' on a domain member ?
> [fs$]
>     comment = ZPool FS
>     browseable = yes
>     path = /tank/fs
>     writeable = yes
>     #valid users = %S, NSA.INT\%S
>     write list = root, NSA.INT\Domain Users
>     create mask = 0700
>     directory mask = 0700
>
>
> My /etc/nsswitch.conf:
>
> hosts:          files dns winbind
Remove 'winbind' from the hosts line
> My /etc/resolv.conf:
>
> search nsa.int
> domain nsa.int
> nameserver 192.168.42.253
Remove the 'domain' line and point the nameserver to one of your DCs.

Rowland
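The "NTLMv1" Rowland spotted in the auth log is the kind of thing that is easier to find from the server than by toggling client registry keys. The script below is an added example, not code from this thread or from Samba: it parses the human-readable "Auth:" lines Samba 4 writes at log level 2 (the format quoted above) and lists every LM/NTLMv1 attempt by user, client address and status. The sample log lines are constructed to match that format (the first is Dave's failing attempt, the rest are invented, including the hostnames and the "scanner" account); the "LANMAN" label is an assumption, "NTLMv1" is the label seen in the thread.

```python
"""Flag LM/NTLMv1 logons in a Samba 4 auth log.

Added example, not code from the thread or from Samba. At log level 2
Samba writes one human-readable 'Auth:' line per attempt (auth/auth_log.c,
as quoted above). This parses those lines and reports every attempt that
negotiated an NTLMv1-era method, so a client with a low
LmCompatibilityLevel can be found from the server side.
"""
import re
from collections import Counter

# Constructed sample in the format quoted in the thread: the failing
# NTLMv1 attempt Dave saw, the same client after the fix, and an invented
# device still succeeding with NTLMv1, which is the case worth chasing.
SAMPLE_LOG = r"""
[2020/05/13 16:28:04.654299,  2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [NSA]\[lomaxd] at [Wed, 13 May 2020 16:28:04.654290 BST] with [NTLMv1] status [NT_STATUS_WRONG_PASSWORD] workstation [WIN7-PC] remote host [ipv4:192.168.84.101:49160] mapped to [NSA]\[lomaxd]. local host [ipv4:192.168.84.70:445]
[2020/05/14 09:02:11.100000,  2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [NSA]\[lomaxd] at [Thu, 14 May 2020 09:02:11.099990 BST] with [NTLMv2] status [NT_STATUS_OK] workstation [WIN7-PC] remote host [ipv4:192.168.84.101:49301] mapped to [NSA]\[lomaxd]. local host [ipv4:192.168.84.70:445]
[2020/05/14 09:05:42.300000,  2] ../auth/auth_log.c:610(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [NSA]\[scanner] at [Thu, 14 May 2020 09:05:42.299980 BST] with [NTLMv1] status [NT_STATUS_OK] workstation [MFP-01] remote host [ipv4:192.168.42.55:1027] mapped to [NSA]\[scanner]. local host [ipv4:192.168.42.70:445]
"""

# Field layout of the 'Auth:' line. The 'remote host' part is optional so
# that a line truncated after 'status [...]', as quoted in the thread,
# still parses (remote is then None).
AUTH_RE = re.compile(
    r"Auth: \[(?P<transport>[^,\]]*),(?P<layer>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\]"
    r"(?:.*?remote host \[(?P<remote>[^\]]*)\])?"
)

# 'NTLMv1' is the label seen in the thread; 'LANMAN' is assumed to be the
# label for LM-only responses. Extend if your build prints others.
WEAK_METHODS = {"NTLMv1", "LANMAN"}


def parse_auth_events(log_text):
    """One dict per 'Auth:' line; every other log line is ignored."""
    return [m.groupdict() for m in map(AUTH_RE.search, log_text.splitlines()) if m]


def weak_auth_events(log_text):
    """Attempts that used an LM/NTLMv1 method, successful or not."""
    return [e for e in parse_auth_events(log_text) if e["method"] in WEAK_METHODS]


def _host(remote):
    """'ipv4:192.168.84.101:49160' -> '192.168.84.101' (also for 'ipv6:')."""
    if not remote or ":" not in remote:
        return "?"
    return remote.split(":", 1)[1].rsplit(":", 1)[0]


def weak_auth_summary(log_text):
    """Count weak attempts per (DOMAIN\\user, client address, status)."""
    counts = Counter()
    for e in weak_auth_events(log_text):
        counts[(e["domain"] + "\\" + e["user"], _host(e["remote"]), e["status"])] += 1
    return counts


if __name__ == "__main__":
    for (who, host, status), n in sorted(weak_auth_summary(SAMPLE_LOG).items()):
        print(f"{n:3d}  {who:<16} {host:<16} {status}")
```

Run it against the member server's per-client log files (log.192.168.84.101 and friends, as in the thread): a successful NTLMv1 logon is the one to chase, because it means the DC is still accepting NTLMv1 for that account and host, whereas a failing one only tells you a client is misconfigured.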
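Rowland's review of the smb.conf, nsswitch.conf and resolv.conf above amounts to a checklist for a Samba domain member, and it is worth being able to re-run it after the next "act of desperation". The script below is an added example, not code from this thread or from Samba: it parses the three files and reports the DC-only options ('dns forwarder', 'idmap_ldb:use rfc2307'), the LM-era and password-sync options, a 'username map script' where 'username map' is meant, a [netlogon] share, 'winbind' on the nsswitch hosts line, a 'domain' line in resolv.conf, and a first nameserver that is not a DC. The BEFORE inputs are constructed to mirror the configuration quoted above; the AFTER inputs apply Rowland's advice; the DC addresses 192.168.42.10 and .11 are invented, since the thread does not give them.

```python
"""Lint a Samba domain-member configuration for the mistakes called out
in this thread. Added example, not code from the mail or from Samba."""
import re

# Options Rowland flagged: DC-only ones, and ones that must not be 'yes' on a member.
DC_ONLY = ("dns forwarder", "idmap_ldb:use rfc2307")
MEMBER_NO = ("lanman auth", "client lanman auth", "unix password sync")


def parse_smb_conf(text):
    """Return {section: {option: value}}; comments and blanks dropped, option
    names lower-cased with whitespace collapsed, as smbd treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_member(smb_conf, nsswitch, resolv, dc_addresses):
    """Return a list of findings; an empty list means nothing to fix."""
    found = []
    conf = parse_smb_conf(smb_conf)
    g = conf.get("global", {})
    for opt in DC_ONLY:
        if opt in g:
            found.append(f"smb.conf: '{opt}' is only used on a DC")
    for opt in MEMBER_NO:
        if g.get(opt, "").lower() in ("yes", "true", "1"):
            found.append(f"smb.conf: '{opt} = yes' does not belong on a domain member")
    if "username map script" in g and "username map" not in g:
        found.append("smb.conf: want 'username map = <file>', not 'username map script'")
    if "netlogon" in conf:
        found.append("smb.conf: [netlogon] is a DC share, not a member share")
    for line in nsswitch.splitlines():
        name, _, services = line.partition(":")
        if name.strip() == "hosts" and "winbind" in services.split():
            found.append("nsswitch.conf: remove 'winbind' from the hosts line")
    nameservers = []
    for line in resolv.splitlines():
        words = line.split()
        if words[:1] == ["domain"]:
            found.append("resolv.conf: drop the 'domain' line and keep 'search'")
        elif words[:1] == ["nameserver"] and len(words) > 1:
            nameservers.append(words[1])
    if not nameservers or nameservers[0] not in dc_addresses:
        found.append("resolv.conf: first nameserver must be a DC, not the gateway")
    return found


# Constructed inputs: BEFORE mirrors the configuration quoted in the thread,
# AFTER applies Rowland's advice. The DC addresses are invented.
DCS = ("192.168.42.10", "192.168.42.11")
SMB_BEFORE = """
[global]
    workgroup = NSA
    lanman auth = yes
    client lanman auth = yes
    dns forwarder = 192.168.42.253
    unix password sync = yes
    idmap_ldb:use rfc2307 = yes
    #username map = /etc/samba/user.map
    username map script = /bin/echo
[netlogon]
    path = /home/samba/netlogon
[fs$]
    path = /tank/fs
"""
NSS_BEFORE = "hosts:          files dns winbind\n"
RESOLV_BEFORE = "search nsa.int\ndomain nsa.int\nnameserver 192.168.42.253\n"
SMB_AFTER = """
[global]
    workgroup = NSA
    username map = /etc/samba/user.map
[fs$]
    path = /tank/fs
"""
NSS_AFTER = "hosts:          files dns\n"
RESOLV_AFTER = "search nsa.int\nnameserver 192.168.42.10\nnameserver 192.168.42.11\n"

if __name__ == "__main__":
    for finding in lint_member(SMB_BEFORE, NSS_BEFORE, RESOLV_BEFORE, DCS):
        print(finding)
```

On a real host, feed it the contents of /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/resolv.conf and the addresses of your DCs; the resolver check encodes Rowland's advice that a domain member's first nameserver is a DC, which also answers the pfSense question above in the conservative direction.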








