[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

L.P.H. van Belle belle at bazuin.nl
Tue Apr 13 14:37:51 UTC 2021



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nicola Mingotti
> via samba
> Sent: Tuesday 13 April 2021 16:26
> To: Rowland penny; sambalist
> Subject: Re: [Samba] Trouble in ssh into Windows machines in the
> Windows/Samba Domain
> 
> 
> 
> They are both Linux Debian in the WINDOM Domain.
> 
> Output of the two programs.
> 
> A note: on one of the computers 'kinit' was not installed! This seems
> quite strange.
> 
> 
> 
> =================== LINTE
> Collected config  --- 2021-04-13-16:11 -----------
> 
> Hostname: linte
> DNS Domain: borghi.lan		<< that "might" give problems 
> FQDN: linte.borghi.lan
> ipaddress: 172.16.3.37

The "might" is: it might go to the wrong DNS server first.
Also, .lan is a reserved TLD for Apple's mDNS (Avahi).

> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.borghi.lan record verified ok, sample output:
> Server:         172.16.3.51
> Address:        172.16.3.51#53
> 
> Non-authoritative answer:
> *** Can't find _kerberos._tcp.borghi.lan: No answer
This looks like it "might" be right; it looks in the wrong DNS server.

> 
> Authoritative answers can be found from:
> borghi.lan
>          origin = borghi.lan.borghi.lan  << that looks wrong 
>          mail addr = root.borghi.lan.borghi.lan  << that looks wrong
>          serial = 2021022500
>          refresh = 3600
>          retry = 900
>          expire = 604800
>          minimum = 86400
> Samba is running as a Unix domain member
> 
> -----------
>         Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 10.7 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 52:54:00:da:ea:ce brd ff:ff:ff:ff:ff:ff
>      inet 172.16.3.37/24 brd 172.16.3.255 scope global enp1s0
> 
> -----------
>         Checking file: /etc/hosts
> 
> 127.0.0.1       localhost
> 127.0.1.1       linte.borghi.lan        linte
Why isn't the "real" IP here?

Run: hostname -I, take the real IP and replace 127.0.1.1 with it.


> 
> # The following lines are desirable for IPv6 capable hosts
> # ::1     localhost ip6-localhost ip6-loopback
> # ff02::1 ip6-allnodes
> # ff02::2 ip6-allrouters
> 
> -----------
> 
>         Checking file: /etc/resolv.conf
> 
> domain windom.borghi.lan
> search windom.borghi.lan
> nameserver 172.16.3.51
> # nameserver 172.16.3.49
> # nameserver 172.16.3.54

But above I see linte.borghi.lan and not
linte.windom.borghi.lan.

> 
> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
>    default_realm = WINDOM.BORGHI.LAN
>    dns_lookup_realm = false
>    dns_lookup_kdc = true
>    # for ssh with Kerberos
>    forwardable = true
>    proxiable = true
> 
> # [realm]
> #   WINDOM.BORGHI.LAN = {
> #     auth_to_local = RULE:[1:WINDOM\$1]
> #   }
> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind		< you can remove winbind here. 
> gshadow:        files
> 
> hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname
hosts:          files dns myhostname mdns4_minimal [NOTFOUND=return]
Change: dns first, then mdns.

> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> [global]
>     workgroup = WINDOM
>     security = ADS
>     realm = WINDOM.BORGHI.LAN
> 
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     # I have only one domain, so it suits me not to always have to type
>     # user instead of "WINDOM\user"
>     # winbind use default domain = yes
> 
>     # remove after testing
>     winbind enum users = yes
>     winbind enum groups = yes
> 
>     # disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
>     # logs
>     log file = /var/log/samba/%m.log
>     log level = 1
> 
>     # ---- ID mapping backend rid -------
>     # Default ID mapping configuration for local BUILTIN accounts
>     # and groups on a domain member. The default (*) domain:
>     # - must not overlap with any domain ID mapping configuration!
>     # - must use a read-write-enabled back end, such as tdb.
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     # - You must set a DOMAIN backend configuration
>     # idmap config for the SAMDOM domain
>     idmap config WINDOM : backend = rid
>     idmap config WINDOM : range = 10000-999999
> 
>     # Template settings for login shell and home directory
>     template shell = /bin/bash
>     template homedir = /home/WINDOM-%U
> 
>     # map "Administrator" to "root"
>     username map = /usr/local/samba/etc/user.map
> 
> # directory serving as a shared disk
> # ok- this is working !
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:snapdir = /home/WINDOM-nicola/snapshots
> #       shadow:basedir = /home/WINDOM-nicola/testSamba
> #       shadow:sort = desc
> 
> 
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:mountpoint = /home/WINDOM-nicola/testSamba
> #       # relative path required if 'snapdirseverywhere' is used
> #       shadow:snapdir = snapshots
> #       # shadow:snapdir = /home/WINDOM-nicola/testSamba/snapshots
> #       # shadow:basedir = toSnap
> #       shadow:sort = desc
> #       # shadow:localtime = yes
> #       # shadow:format = '%Y.%m.%d-%H.%M.%S'
> #       shadow:snapdirseverywhere = yes
> 
> 
> -----------
> 
> Running as Unix domain member and user.map detected.
> 
> Contents of /usr/local/samba/etc/user.map
> 
> !root = WINDOM\adam1
> 
> Server Role is set to :  auto
> 
> -----------
> 
> Installed packages:
> ii  acl 2.2.53-4                                     amd64        access
> control list - utilities
> ii  attr 1:2.4.48-4                                   amd64
> utilities for manipulating filesystem extended attributes
> ii  fonts-quicksand 0.2016-2
> all          sans-serif font with round attributes
> ii  krb5-config 2.6                                          all
> Configuration files for Kerberos Version 5
> ii  krb5-locales 1.17-3+deb10u1                               all
> internationalization support for MIT Kerberos
> ii  krb5-user 1.17-3+deb10u1                               amd64
> basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64 2.2.53-4
> amd64        access control list - shared library
> ii  libattr1:amd64 1:2.4.48-4
> amd64        extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64 1.17-3+deb10u1
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64
> 7.5.0+dfsg-3                                 amd64        Heimdal
> Kerberos - libraries
> ii  libkrb5-3:amd64 1.17-3+deb10u1
> amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64 1.17-3+deb10u1
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        Samba nameservice integration plugins
> ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        Samba winbind client library
> ii  python-samba 2:4.9.5+dfsg-5+deb10u1
> amd64        Python bindings for Samba
> ii  python3-xattr 0.9.6-1
> amd64        module for manipulating filesystem extended attributes -
> Python 3
> ii  samba 2:4.9.5+dfsg-5+deb10u1                       amd64
> SMB/CIFS file, print, and login server for Unix
> ii  samba-common 2:4.9.5+dfsg-5+deb10u1
> all          common files used by both the Samba server and client
> ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1
> amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64
> 2:4.9.5+dfsg-5+deb10u1                       amd64        Samba
> Directory Services Database
> ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        Samba core libraries
> ii  samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64        Samba Virtual FileSystem plugins
> ii  spice-client-glib-usb-acl-helper
> 0.35-2                                       amd64        Helper tool to
> validate usb ACLs
> ii  winbind 2:4.9.5+dfsg-5+deb10u1                       amd64
> service to resolve user and group information from Windows NT servers
> ii  xattr 0.9.6-1                                      amd64        tool
> for manipulating filesystem extended attributes
> 
> -----------
> =================================================
> 

Re-check the same things for the part below.
Diff the output; they "should be" almost the same.


> 
> =========== BETA
> Collected config  --- 2021-04-13-16:19 -----------
> 
> Hostname: beta
> DNS Domain: borghi.lan
> FQDN: beta.borghi.lan
> ipaddress: 172.16.3.44
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.borghi.lan record verified ok, sample output:
> Server:         172.16.3.51
> Address:        172.16.3.51#53
> 
> Non-authoritative answer:
> *** Can't find _kerberos._tcp.borghi.lan: No answer
> 
> Authoritative answers can be found from:
> borghi.lan
>          origin = borghi.lan.borghi.lan
>          mail addr = root.borghi.lan.borghi.lan
>          serial = 2021022500
>          refresh = 3600
>          retry = 900
>          expire = 604800
>          minimum = 86400
> Samba is running as a Unix domain member
> 
> -----------
>         Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 10.5 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
> 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>      link/ether 00:0c:29:de:b7:e7 brd ff:ff:ff:ff:ff:ff
>      inet 172.16.3.44/24 brd 172.16.3.255 scope global ens33
> 
> -----------
>         Checking file: /etc/hosts
> 
> 127.0.0.1       localhost
> # 127.0.1.1     beta.borghigroup.it     beta
> 172.16.3.44     beta.borghi.lan beta
> 
> #
> # -- copied on 21-oct-2020 from deb4 ---
> #
> 188.219.105.237         nat b.nat      # nat.borghigroup.com
> 188.219.105.235         wifi b.wifi
> 188.219.105.234         vpn b.vpn      # vpn.borghigroup.com
> 172.16.3.252            b.test1       # test openbsd
> 172.16.3.40             b.vser1       # virtual machine server no. 1
> 10.1.1.12     bap2
> 10.1.1.13     bap3
> 172.16.3.42   b.db1  db1
> 172.16.3.44   b.beta beta
> 
> 
> 
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> 
> -----------
> 
>         Checking file: /etc/resolv.conf
> 
> domain windom.borghi.lan
> search windom.borghi.lan
> nameserver 172.16.3.51
> 
> # domain borghi.lan
> # search borghi.lan
> # nameserver 172.16.3.49
> 
> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
>        default_realm = WINDOM.BORGHI.LAN
>        dns_lookup_realm = false
>        dns_lookup_kdc = true
>        # trying to enable login with kerberos
>        forwardable = true
>        proxiable = true
> 
> # [realm]
> #   WINDOM.BORGHI.LAN = {
> #     auth_to_local = RULE:[1:WINDOM\$1]
> #   }
> 
> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> 
> [global]
>     workgroup = WINDOM
>     security = ADS
>     realm = WINDOM.BORGHI.LAN
> 
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     # I have only one domain, so I could assume "WINDOM"
>     # but I prefer to display domain users as "WINDOM\userX"
>     # for clarity, so I keep this option commented out.
>     # winbind use default domain = yes
> 
>     # remove after testing
>     # -> without these, "getent passwd" and "getent group" only return
>     # local users
>     winbind enum users = yes
>     winbind enum groups = yes
> 
>     # disable printing
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
>     # logs
>     log file = /var/log/samba/%m.log
>     log level = 1
> 
>     # ---- ID mapping backend rid -------
>     # Default ID mapping configuration for local BUILTIN accounts
>     # and groups on a domain member. The default (*) domain:
>     # - must not overlap with any domain ID mapping configuration!
>     # - must use a read-write-enabled back end, such as tdb.
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     # - You must set a DOMAIN backend configuration
>     # idmap config for the SAMDOM domain
>     idmap config SAMDOM : backend = rid
>     idmap config SAMDOM : range = 10000-999999
> 
>     # Template settings for login shell and home directory
>     template shell = /bin/bash
>     template homedir = /home/WINDOM-%U
> 
>     # map "Administrator" to "root"
>     username map = /usr/local/samba/etc/user.map
> 
>    # directory serving as a shared disk
>    # I have no disk to share, so I keep this part commented out
>    # [sambaDisk]
>    #       path = /mnt/sambaShared
>    #       read only = no
> 
> -----------
> 
> Running as Unix domain member and user.map detected.
> 
> Contents of /usr/local/samba/etc/user.map
> 
> !root = WINDOM\adam1
> 
> Server Role is set to :  auto
> 
> -----------
> 
> Installed packages:
> ii  acl 2.2.53-4                     amd64        access control list -
> utilities
> ii  attr 1:2.4.48-4                   amd64        utilities for
> manipulating filesystem extended attributes
> ii  fonts-quicksand 0.2016-2                     all          sans-serif
> font with round attributes
> ii  krb5-config 2.6                          all          Configuration
> files for Kerberos Version 5
> ii  krb5-locales 1.17-3                       all
> internationalization support for MIT Kerberos
> ii  krb5-user 1.17-3+deb10u1               amd64        basic programs
> to authenticate using MIT Kerberos
> ii  libacl1:amd64 2.2.53-4                     amd64        access
> control list - shared library
> ii  libattr1:amd64 1:2.4.48-4                   amd64        extended
> attribute handling - shared library
> ii  libgssapi-krb5-2:amd64 1.17-3+deb10u1               amd64        MIT
> Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64 1.17-3+deb10u1               amd64        MIT
> Kerberos runtime libraries
> ii  libkrb5support0:amd64 1.17-3+deb10u1               amd64        MIT
> Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1       amd64        Samba
> nameservice integration plugins
> ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1       amd64
> Windows domain authentication integration plugin
> ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1       amd64        shared
> library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1       amd64        Samba
> winbind client library
> ii  python-samba 2:4.9.5+dfsg-5+deb10u1       amd64        Python
> bindings for Samba
> ii  samba 2:4.9.5+dfsg-5+deb10u1       amd64        SMB/CIFS file,
> print, and login server for Unix
> ii  samba-common 2:4.9.5+dfsg-5+deb10u1       all          common files
> used by both the Samba server and client
> ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1       amd64        Samba
> common files used by both the server and the client
> ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1       amd64
> Samba Directory Services Database
> ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1       amd64        Samba
> core libraries
> ii  samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1       amd64
> Samba Virtual FileSystem plugins
> ii  smbclient 2:4.9.5+dfsg-5+deb10u1       amd64        command-line
> SMB/CIFS clients for Unix
> ii  winbind 2:4.9.5+dfsg-5+deb10u1       amd64        service to resolve
> user and group information from Windows NT servers
> 
> -----------
> ==============================================================
> 
> 
> 
> 
> 
> 
> 
> On 4/13/21 12:52 PM, Rowland penny via samba wrote:
> > On 13/04/2021 11:26, Nicola Mingotti wrote:
> >>
> >> Hi Rowland,
> >>
> >> this is all I can get, I see some files that are not found with
> >> 'strace', nothing more.
> >>
> >> . the client does
> >> p at linte> ssh -p 2222 -vv -K 'WINDOM\nicola'@beta
> >
> >
> > Are you doing this from a Linux domain member to another Linux domain
> > member ?
> >
> > If so, can you please download this script:
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> >
> > Run it on both Linux domain members and post the outputs in a reply to
> > this, do not attach them, this list strips attachments.
> >
> > if you are not doing this between Linux domain members, please
> > describe your set up.
> >
> > Rowland
> >
> >
> >
> 
> 
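The points raised in the reply above (the FQDN mapped to 127.0.1.1 instead of the real address, mdns listed before dns on the nsswitch hosts: line, the resolv.conf domain not matching the host's FQDN, and the SRV lookup returning "Can't find") can each be turned into a mechanical check. The script below is an added example, not part of the thread or of the samba-collect-debug-info.sh script; it runs over constructed copies of the output quoted above, so it needs no domain member to execute. The successful SRV answer (dc1.windom.borghi.lan) is a made-up value used only to show what a passing lookup looks like.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the four points
# raised in the reply. Inputs are constructed copies of what the debug
# script printed for "linte" and "beta".

# Constructed /etc/hosts contents as printed for linte and beta.
HOSTS_LINTE='127.0.0.1       localhost
127.0.1.1       linte.borghi.lan        linte'
HOSTS_BETA='127.0.0.1       localhost
# 127.0.1.1     beta.borghigroup.it     beta
172.16.3.44     beta.borghi.lan beta'

# Constructed nsswitch.conf "hosts:" lines: the one found on linte and the
# reordered one suggested in the reply (dns before mdns).
NSS_LINTE='hosts:          files mdns4_minimal [NOTFOUND=return] dns myhostname'
NSS_FIXED='hosts:          files dns myhostname mdns4_minimal [NOTFOUND=return]'

# Constructed /etc/resolv.conf as printed for linte.
RESOLV_LINTE='domain windom.borghi.lan
search windom.borghi.lan
nameserver 172.16.3.51'

# Constructed nslookup output: the failure seen in the thread, and the shape
# of a successful SRV answer (dc1.windom.borghi.lan is a made-up host).
SRV_FAIL="*** Can't find _kerberos._tcp.borghi.lan: No answer"
SRV_OK='_kerberos._tcp.windom.borghi.lan        service = 0 100 88 dc1.windom.borghi.lan.'

# check_hosts_fqdn HOSTS_CONTENT FQDN REAL_IP
# Succeeds only when an uncommented line maps FQDN to REAL_IP, i.e. not to
# the Debian default 127.0.1.1 that the host name would otherwise resolve to.
check_hosts_fqdn() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v ip="$3" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == fqdn && $1 == ip) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# check_nsswitch_dns_first NSS_CONTENT
# Succeeds when "dns" is listed before any "mdns*" source on the hosts: line.
check_nsswitch_dns_first() {
    printf '%s\n' "$1" | awk '
        $1 == "hosts:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "dns" && !dns) dns = i
                if ($i ~ /^mdns/ && !mdns) mdns = i
            }
        }
        END { if (dns && (!mdns || dns < mdns)) exit 0; exit 1 }'
}

# check_resolv_domain RESOLV_CONTENT FQDN
# Succeeds when FQDN ends in the "domain" configured in resolv.conf; on
# linte the FQDN is linte.borghi.lan while resolv.conf says windom.borghi.lan.
check_resolv_domain() {
    printf '%s\n' "$1" | awk -v fqdn="$2" '
        $1 == "domain" { suffix = "." $2 }
        END {
            if (!suffix) exit 1
            n = length(fqdn) - length(suffix)
            if (n > 0 && substr(fqdn, n + 1) == suffix) exit 0
            exit 1
        }'
}

# check_srv_answer NSLOOKUP_OUTPUT
# Succeeds when the output contains an SRV "service =" record.
check_srv_answer() {
    printf '%s\n' "$1" | grep -q 'service = '
}

# report CHECK ARGS...: prints a PASS/FAIL line without affecting exit status.
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

report check_hosts_fqdn "$HOSTS_LINTE" linte.borghi.lan 172.16.3.37
report check_hosts_fqdn "$HOSTS_BETA"  beta.borghi.lan  172.16.3.44
report check_nsswitch_dns_first "$NSS_LINTE"
report check_nsswitch_dns_first "$NSS_FIXED"
report check_resolv_domain "$RESOLV_LINTE" linte.borghi.lan
report check_resolv_domain "$RESOLV_LINTE" linte.windom.borghi.lan
report check_srv_answer "$SRV_FAIL"
report check_srv_answer "$SRV_OK"
```

On a real member the same functions can be fed `cat /etc/hosts`, `grep ^hosts: /etc/nsswitch.conf`, `cat /etc/resolv.conf` and the output of `nslookup -type=SRV _kerberos._tcp.<realm>`; the linte inputs fail three of the four checks, which is the same diff the reply asks for between the two hosts.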