[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Tue Apr 13 14:25:54 UTC 2021



They are both Linux Debian in the WINDOM Domain.

Output of the two programs.

A note: on one of the computers 'kinit' was not installed! This seems 
quite strange.



=================== LINTE
Collected config  --- 2021-04-13-16:11 -----------

Hostname: linte
DNS Domain: borghi.lan
FQDN: linte.borghi.lan
ipaddress: 172.16.3.37

-----------

Kerberos SRV _kerberos._tcp.borghi.lan record verified ok, sample output:
Server:         172.16.3.51
Address:        172.16.3.51#53

Non-authoritative answer:
*** Can't find _kerberos._tcp.borghi.lan: No answer

Authoritative answers can be found from:
borghi.lan
         origin = borghi.lan.borghi.lan
         mail addr = root.borghi.lan.borghi.lan
         serial = 2021022500
         refresh = 3600
         retry = 900
         expire = 604800
         minimum = 86400
Samba is running as a Unix domain member

-----------
        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.7 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 52:54:00:da:ea:ce brd ff:ff:ff:ff:ff:ff
     inet 172.16.3.37/24 brd 172.16.3.255 scope global enp1s0

-----------
        Checking file: /etc/hosts

127.0.0.1       localhost
127.0.1.1       linte.borghi.lan        linte

# The following lines are desirable for IPv6 capable hosts
# ::1     localhost ip6-localhost ip6-loopback
# ff02::1 ip6-allnodes
# ff02::2 ip6-allrouters

-----------

        Checking file: /etc/resolv.conf

domain windom.borghi.lan
search windom.borghi.lan
nameserver 172.16.3.51
# nameserver 172.16.3.49
# nameserver 172.16.3.54

-----------

        Checking file: /etc/krb5.conf

[libdefaults]
   default_realm = WINDOM.BORGHI.LAN
   dns_lookup_realm = false
   dns_lookup_kdc = true
   # for ssh with Kerberos
   forwardable = true
   proxiable = true

# [realm]
#   WINDOM.BORGHI.LAN = {
#     auth_to_local = RULE:[1:WINDOM\$1]
#   }

-----------

        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

        Checking file: /etc/samba/smb.conf

[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # I have a single domain, so it is convenient not to always have to type
    # "WINDOM\user" instead of user
    # winbind use default domain = yes

    # remove after testing
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    log file = /var/log/samba/%m.log
    log level = 1

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config WINDOM : backend = rid
    idmap config WINDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map

# directory acting as a shared disk
# ok - this is working!
# [sambaDisk]
#       path = /home/WINDOM-nicola/testSamba
#       read only = no
#       vfs objects = shadow_copy2
#       shadow:snapdir = /home/WINDOM-nicola/snapshots
#       shadow:basedir = /home/WINDOM-nicola/testSamba
#       shadow:sort = desc


# [sambaDisk]
#       path = /home/WINDOM-nicola/testSamba
#       read only = no
#       vfs objects = shadow_copy2
#       shadow:mountpoint = /home/WINDOM-nicola/testSamba
#       # a relative path is required when using 'snapdirseverywhere'
#       shadow:snapdir = snapshots
#       # shadow:snapdir = /home/WINDOM-nicola/testSamba/snapshots
#       # shadow:basedir = toSnap
#       shadow:sort = desc
#       # shadow:localtime = yes
#       # shadow:format = '%Y.%m.%d-%H.%M.%S'
#       shadow:snapdirseverywhere = yes


-----------

Running as Unix domain member and user.map detected.

Contents of /usr/local/samba/etc/user.map

!root = WINDOM\adam1

Server Role is set to :  auto

-----------

Installed packages:
ii  acl 2.2.53-4  amd64  access control list - utilities
ii  attr 1:2.4.48-4  amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand 0.2016-2  all  sans-serif font with round attributes
ii  krb5-config 2.6  all  Configuration files for Kerberos Version 5
ii  krb5-locales 1.17-3+deb10u1  all  internationalization support for MIT Kerberos
ii  krb5-user 1.17-3+deb10u1  amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64 2.2.53-4  amd64  access control list - shared library
ii  libattr1:amd64 1:2.4.48-4  amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64 7.5.0+dfsg-3  amd64  Heimdal Kerberos - libraries
ii  libkrb5-3:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
ii  python-samba 2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
ii  python3-xattr 0.9.6-1  amd64  module for manipulating filesystem extended attributes - Python 3
ii  samba 2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common 2:4.9.5+dfsg-5+deb10u1  all  common files used by both the Samba server and client
ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
ii  samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba Virtual FileSystem plugins
ii  spice-client-glib-usb-acl-helper 0.35-2  amd64  Helper tool to validate usb ACLs
ii  winbind 2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
ii  xattr 0.9.6-1  amd64  tool for manipulating filesystem extended attributes

-----------
=================================================


=========== BETA
Collected config  --- 2021-04-13-16:19 -----------

Hostname: beta
DNS Domain: borghi.lan
FQDN: beta.borghi.lan
ipaddress: 172.16.3.44

-----------

Kerberos SRV _kerberos._tcp.borghi.lan record verified ok, sample output:
Server:         172.16.3.51
Address:        172.16.3.51#53

Non-authoritative answer:
*** Can't find _kerberos._tcp.borghi.lan: No answer

Authoritative answers can be found from:
borghi.lan
         origin = borghi.lan.borghi.lan
         mail addr = root.borghi.lan.borghi.lan
         serial = 2021022500
         refresh = 3600
         retry = 900
         expire = 604800
         minimum = 86400
Samba is running as a Unix domain member

-----------
        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

-----------


This computer is running Debian 10.5 x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
     link/ether 00:0c:29:de:b7:e7 brd ff:ff:ff:ff:ff:ff
     inet 172.16.3.44/24 brd 172.16.3.255 scope global ens33

-----------
        Checking file: /etc/hosts

127.0.0.1       localhost
# 127.0.1.1     beta.borghigroup.it     beta
172.16.3.44     beta.borghi.lan beta

#
# -- copied on 21-oct-2020 from deb4 ---
#
188.219.105.237         nat b.nat      # nat.borghigroup.com
188.219.105.235         wifi b.wifi
188.219.105.234         vpn b.vpn      # vpn.borghigroup.com
172.16.3.252            b.test1       # test openbsd
172.16.3.40             b.vser1       # virtual machine server no. 1
10.1.1.12     bap2
10.1.1.13     bap3
172.16.3.42   b.db1  db1
172.16.3.44   b.beta beta



# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

        Checking file: /etc/resolv.conf

domain windom.borghi.lan
search windom.borghi.lan
nameserver 172.16.3.51

# domain borghi.lan
# search borghi.lan
# nameserver 172.16.3.49

-----------

        Checking file: /etc/krb5.conf

[libdefaults]
       default_realm = WINDOM.BORGHI.LAN
       dns_lookup_realm = false
       dns_lookup_kdc = true
       # trying to enable login with Kerberos
       forwardable = true
       proxiable = true

# [realm]
#   WINDOM.BORGHI.LAN = {
#     auth_to_local = RULE:[1:WINDOM\$1]
#   }


-----------

        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

        Checking file: /etc/samba/smb.conf


[global]
    workgroup = WINDOM
    security = ADS
    realm = WINDOM.BORGHI.LAN

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # I have a single domain, so I could assume "WINDOM",
    # but I prefer to display domain users as "WINDOM\userX"
    # for clarity, so I keep this option commented out.
    # winbind use default domain = yes

    # remove after testing
    # -> without these, "getent passwd" and "getent group" return only local users
    winbind enum users = yes
    winbind enum groups = yes

    # disable printing
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logs
    log file = /var/log/samba/%m.log
    log level = 1

    # ---- ID mapping backend rid -------
    # Default ID mapping configuration for local BUILTIN accounts
    # and groups on a domain member. The default (*) domain:
    # - must not overlap with any domain ID mapping configuration!
    # - must use a read-write-enabled back end, such as tdb.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # - You must set a DOMAIN backend configuration
    # idmap config for the SAMDOM domain
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Template settings for login shell and home directory
    template shell = /bin/bash
    template homedir = /home/WINDOM-%U

    # map "Administrator" to "root"
    username map = /usr/local/samba/etc/user.map

   # directory acting as a shared disk
   # I have no disk to share, so I keep this part commented out
   # [sambaDisk]
   #       path = /mnt/sambaShared
   #       read only = no

-----------

Running as Unix domain member and user.map detected.

Contents of /usr/local/samba/etc/user.map

!root = WINDOM\adam1

Server Role is set to :  auto

-----------

Installed packages:
ii  acl 2.2.53-4  amd64  access control list - utilities
ii  attr 1:2.4.48-4  amd64  utilities for manipulating filesystem extended attributes
ii  fonts-quicksand 0.2016-2  all  sans-serif font with round attributes
ii  krb5-config 2.6  all  Configuration files for Kerberos Version 5
ii  krb5-locales 1.17-3  all  internationalization support for MIT Kerberos
ii  krb5-user 1.17-3+deb10u1  amd64  basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64 2.2.53-4  amd64  access control list - shared library
ii  libattr1:amd64 1:2.4.48-4  amd64  extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries
ii  libkrb5support0:amd64 1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Windows domain authentication integration plugin
ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
ii  python-samba 2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
ii  samba 2:4.9.5+dfsg-5+deb10u1  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common 2:4.9.5+dfsg-5+deb10u1  all  common files used by both the Samba server and client
ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
ii  samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1  amd64  Samba Virtual FileSystem plugins
ii  smbclient 2:4.9.5+dfsg-5+deb10u1  amd64  command-line SMB/CIFS clients for Unix
ii  winbind 2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers

-----------
==============================================================

On 4/13/21 12:52 PM, Rowland penny via samba wrote:
> On 13/04/2021 11:26, Nicola Mingotti wrote:
>>
>> Hi Rowland,
>>
>> this is all what I can get, I see some files that are not found with 
>> 'strace', nothing more.
>>
>> . the client does
>> p at linte> ssh -p 2222 -vv -K 'WINDOM\nicola'@beta
>
>
> Are you doing this from a Linux domain member to another Linux domain 
> member ?
>
> If so, can you please download this script: 
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>
> Run it on both Linux domain members and post the outputs in a reply to 
> this, do not attach them, this list strips attachments.
>
> if you are not doing this between Linux domain members, please 
> describe your set up.
>
> Rowland
>
>
>
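A consistency check over the kind of configuration collected above, as an added example that is not part of this thread nor of samba-collect-debug-info.sh: it reads smb.conf and krb5.conf, flags a member whose idmap stanza does not name its own workgroup (the Samba comment "You must set a DOMAIN backend configuration" is what it enforces), flags a realm mismatch between the two files, and derives the KDC SRV name from the realm rather than from the host's DNS domain (the lookup above queried _kerberos._tcp.borghi.lan while the realm is WINDOM.BORGHI.LAN). The embedded sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from samba-collect-debug-info.sh:
# cross-check a domain member's smb.conf and krb5.conf for mismatches that
# break Kerberos logins. The sample configs at the bottom are constructed.

# Print one [global] value from smb.conf. Keys compare case-insensitively with
# whitespace collapsed, so "idmap config WINDOM : backend" matches as written.
smb_global() {  # $1 = smb.conf path, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# Print default_realm from krb5.conf.
krb5_default_realm() {  # $1 = krb5.conf path
    awk '/^[ \t]*default_realm[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# The KDC SRV record is named after the realm (lowercased), not the host's DNS domain.
kerberos_srv_name() {  # $1 = realm
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Print findings and return their count (0 = consistent).
check_member() {  # $1 = smb.conf path, $2 = krb5.conf path
    findings=0
    wg=$(smb_global "$1" workgroup); realm=$(smb_global "$1" realm)
    if [ -z "$(smb_global "$1" "idmap config $wg : backend")" ]; then
        echo "FINDING: no 'idmap config $wg : backend'; domain users get IDs from the '*' tdb range"
        findings=$((findings + 1))
    fi
    if [ "$(krb5_default_realm "$2")" != "$realm" ]; then
        echo "FINDING: krb5.conf default_realm differs from smb.conf realm '$realm'"
        findings=$((findings + 1))
    fi
    echo "KDC SRV record to query: $(kerberos_srv_name "$realm")"
    return "$findings"
}

# Constructed sample: workgroup WINDOM, but the idmap stanza names SAMDOM.
SMB_SAMPLE=$(mktemp); KRB5_SAMPLE=$(mktemp)
trap 'rm -f "$SMB_SAMPLE" "$KRB5_SAMPLE"' EXIT
printf '%s\n' '[global]' '  workgroup = WINDOM' '  realm = WINDOM.BORGHI.LAN' \
    '  idmap config * : backend = tdb' '  idmap config SAMDOM : backend = rid' > "$SMB_SAMPLE"
printf '%s\n' '[libdefaults]' '  default_realm = WINDOM.BORGHI.LAN' > "$KRB5_SAMPLE"
if check_member "$SMB_SAMPLE" "$KRB5_SAMPLE"; then echo consistent; else echo "findings: $?"; fi
```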



