[Samba] Trouble in ssh into Windows machines in the Windows/Samba Domain

Nicola Mingotti nmingotti at gmail.com
Tue Apr 13 17:20:51 UTC 2021


I attach the output log from sshd, which has a new face.

bye

===========================
debug1: sshd version OpenSSH_7.9, OpenSSL 1.1.1d  10 Sep 2019
debug1: private host key #0: ssh-rsa SHA256:Ws/O2gohhnPF1XhTIW/RQzYoLZrQuteJw764ROC32T4
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:owNw4nDXOUN+FG+U/33lHhyTy6/bJW/vgIiSY0Jjw4E
debug1: private host key #2: ssh-ed25519 SHA256:/3UiTiW57CUmBunhe7sQSEZZZXi/c5P/iPVTAWmfsVo
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2222'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 172.16.3.37 port 51078 on 172.16.3.44 port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
debug1: permanently_set_uid: 105/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: Unspecified GSS failure.  Minor code may provide more information
No key table entry found matching host/beta.windom.borghi.lan@
===========================


On 4/13/21 6:34 PM, Nicola Mingotti wrote:
>
> Ok, I corrected everything you found, except for the name ".lan", which
> I can't change in a short time.
>
> Still, ssh -K is not working unfortunately.
>
> These are the new outputs:
>
>
> ====== LINTE============================
> Collected config  --- 2021-04-13-18:28 -----------
>
> Hostname: linte
> DNS Domain: windom.borghi.lan
> FQDN: linte.windom.borghi.lan
> ipaddress: 172.16.3.37
>
> -----------
>
> Kerberos SRV _kerberos._tcp.windom.borghi.lan record verified ok, 
> sample output:
> Server:         172.16.3.51
> Address:        172.16.3.51#53
>
> _kerberos._tcp.windom.borghi.lan        service = 0 100 88 
> dc1.windom.borghi.lan.
> Samba is running as a Unix domain member
>
> -----------
>        Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.7 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
> state UP group default qlen 1000
>     link/ether 52:54:00:da:ea:ce brd ff:ff:ff:ff:ff:ff
>     inet 172.16.3.37/24 brd 172.16.3.255 scope global enp1s0
>
> -----------
>        Checking file: /etc/hosts
>
> 127.0.0.1       localhost
> 172.16.3.37     linte.windom.borghi.lan linte
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> domain windom.borghi.lan
> search windom.borghi.lan
> nameserver 172.16.3.51
>
> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>   default_realm = WINDOM.BORGHI.LAN
>   dns_lookup_realm = false
>   dns_lookup_kdc = true
>   # for ssh with Kerberos
>   forwardable = true
>   proxiable = true
>
> [realm]
>   WINDOM.BORGHI.LAN = {
>     auth_to_local = RULE:[1:WINDOM\$1]
>   }
>
> -----------
>
>        Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, 
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns myhostname mdns4_minimal [NOTFOUND=return]
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>        Checking file: /etc/samba/smb.conf
>
> [global]
>    workgroup = WINDOM
>    security = ADS
>    realm = WINDOM.BORGHI.LAN
>
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    # I have only one domain, so it is convenient not to always have to type
>    # user instead of "WINDOM\user"
>    # winbind use default domain = yes
>
>    # remove after testing
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    # disable printing
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    # logs
>    log file = /var/log/samba/%m.log
>    log level = 1
>
>    # ---- ID mapping backend rid -------
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use a read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    # - You must set a DOMAIN backend configuration
>    # idmap config for the SAMDOM domain
>    idmap config WINDOM : backend = rid
>    idmap config WINDOM : range = 10000-999999
>
>    # Template settings for login shell and home directory
>    template shell = /bin/bash
>    template homedir = /home/WINDOM-%U
>
>    # map "Administrator" to "root"
>    username map = /usr/local/samba/etc/user.map
>
> # directory that serves as a shared disk
> # ok - this is working!
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:snapdir = /home/WINDOM-nicola/snapshots
> #       shadow:basedir = /home/WINDOM-nicola/testSamba
> #       shadow:sort = desc
>
>
> # [sambaDisk]
> #       path = /home/WINDOM-nicola/testSamba
> #       read only = no
> #       vfs objects = shadow_copy2
> #       shadow:mountpoint = /home/WINDOM-nicola/testSamba
> #       # must be relative if 'snapdirseverywhere' is used
> #       shadow:snapdir = snapshots
> #       # shadow:snapdir = /home/WINDOM-nicola/testSamba/snapshots
> #       # shadow:basedir = toSnap
> #       shadow:sort = desc
> #       # shadow:localtime = yes
> #       # shadow:format = '%Y.%m.%d-%H.%M.%S'
> #       shadow:snapdirseverywhere = yes
>
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /usr/local/samba/etc/user.map
>
> !root = WINDOM\adam1
>
> Server Role is set to :  auto
>
> -----------
>
> Installed packages:
> ii  acl 2.2.53-4                                     amd64 access 
> control list - utilities
> ii  attr 1:2.4.48-4                                   amd64 utilities 
> for manipulating filesystem extended attributes
> ii  fonts-quicksand 0.2016-2 all          sans-serif font with round 
> attributes
> ii  krb5-config 2.6                                          all 
> Configuration files for Kerberos Version 5
> ii  krb5-locales 1.17-3+deb10u1                               all 
> internationalization support for MIT Kerberos
> ii  krb5-user 1.17-3+deb10u1 amd64        basic programs to 
> authenticate using MIT Kerberos
> ii  libacl1:amd64 2.2.53-4 amd64        access control list - shared 
> library
> ii  libattr1:amd64 1:2.4.48-4 amd64        extended attribute handling 
> - shared library
> ii  libgssapi-krb5-2:amd64 
> 1.17-3+deb10u1                               amd64        MIT Kerberos 
> runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal:amd64 
> 7.5.0+dfsg-3                                 amd64        Heimdal 
> Kerberos - libraries
> ii  libkrb5-3:amd64 1.17-3+deb10u1 amd64        MIT Kerberos runtime 
> libraries
> ii  libkrb5support0:amd64 1.17-3+deb10u1                               
> amd64        MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1                       
> amd64        Samba nameservice integration plugins
> ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1                       
> amd64        Windows domain authentication integration plugin
> ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1                       
> amd64        shared library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1                       
> amd64        Samba winbind client library
> ii  python-samba 2:4.9.5+dfsg-5+deb10u1 amd64        Python bindings 
> for Samba
> ii  python3-xattr 0.9.6-1 amd64        module for manipulating 
> filesystem extended attributes - Python 3
> ii  samba 2:4.9.5+dfsg-5+deb10u1 amd64        SMB/CIFS file, print, 
> and login server for Unix
> ii  samba-common 2:4.9.5+dfsg-5+deb10u1 all          common files used 
> by both the Samba server and client
> ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1 amd64        Samba common 
> files used by both the server and the client
> ii  samba-dsdb-modules:amd64 
> 2:4.9.5+dfsg-5+deb10u1                       amd64        Samba 
> Directory Services Database
> ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1 amd64        Samba core 
> libraries
> ii  samba-vfs-modules:amd64 
> 2:4.9.5+dfsg-5+deb10u1                       amd64        Samba 
> Virtual FileSystem plugins
> ii  spice-client-glib-usb-acl-helper 
> 0.35-2                                       amd64        Helper tool 
> to validate usb ACLs
> ii  winbind 2:4.9.5+dfsg-5+deb10u1 amd64        service to resolve 
> user and group information from Windows NT servers
> ii  xattr 0.9.6-1 amd64        tool for manipulating filesystem 
> extended attributes
>
> -----------
> ====================================================
>
>
> ===== BETA
> Collected config  --- 2021-04-13-18:30 -----------
>
> Hostname: beta
> DNS Domain: windom.borghi.lan
> FQDN: beta.windom.borghi.lan
> ipaddress: 172.16.3.44
>
> -----------
>
> Kerberos SRV _kerberos._tcp.windom.borghi.lan record verified ok, 
> sample output:
> Server:         172.16.3.51
> Address:        172.16.3.51#53
>
> _kerberos._tcp.windom.borghi.lan        service = 0 100 88 
> dc1.windom.borghi.lan.
> Samba is running as a Unix domain member
>
> -----------
>        Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.5 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
> state UP group default qlen 1000
>     link/ether 00:0c:29:de:b7:e7 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.3.44/24 brd 172.16.3.255 scope global ens33
>
> -----------
>        Checking file: /etc/hosts
>
> 127.0.0.1       localhost
> 172.16.3.44     beta.windom.borghi.lan beta
>
> #
> # -- copied on 21-oct-2020 from deb4 ---
> #
> # ... some of my stuff, irrelevant.
>
>
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
>        Checking file: /etc/resolv.conf
>
> domain windom.borghi.lan
> search windom.borghi.lan
> nameserver 172.16.3.51
>
> -----------
>
>        Checking file: /etc/krb5.conf
>
> [libdefaults]
>       default_realm = WINDOM.BORGHI.LAN
>       dns_lookup_realm = false
>       dns_lookup_kdc = true
>       # trying to enable login with kerberos
>       forwardable = true
>       proxiable = true
>
> [realm]
>   WINDOM.BORGHI.LAN = {
>     auth_to_local = RULE:[1:WINDOM\$1]
>   }
>
>
> -----------
>
>        Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, 
> try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns myhostname mdns4_minimal [NOTFOUND=return]
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
>        Checking file: /etc/samba/smb.conf
>
>
> [global]
>    workgroup = WINDOM
>    security = ADS
>    realm = WINDOM.BORGHI.LAN
>
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    # I have only one domain, so I could assume "WINDOM",
>    # but I prefer to display domain users as "WINDOM\userX"
>    # for clarity, so I keep this option commented out.
>    # winbind use default domain = yes
>
>    # remove after testing
>    # -> without these, "getent passwd" and "getent group" only return local users
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    # disable printing
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
>
>    # logs
>    log file = /var/log/samba/%m.log
>    log level = 1
>
>    # ---- ID mapping backend rid -------
>    # Default ID mapping configuration for local BUILTIN accounts
>    # and groups on a domain member. The default (*) domain:
>    # - must not overlap with any domain ID mapping configuration!
>    # - must use a read-write-enabled back end, such as tdb.
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>    # - You must set a DOMAIN backend configuration
>    # idmap config for the SAMDOM domain
>    idmap config WINDOM : backend = rid
>    idmap config WINDOM : range = 10000-999999
>
>    # Template settings for login shell and home directory
>    template shell = /bin/bash
>    template homedir = /home/WINDOM-%U
>
>    # map "Administrator" to "root"
>    username map = /usr/local/samba/etc/user.map
>
>   # directory that serves as a shared disk
>   # I have no disk to share, so I keep this part commented out
>   # [sambaDisk]
>   #       path = /mnt/sambaShared
>   #       read only = no
>
> -----------
>
> Running as Unix domain member and user.map detected.
>
> Contents of /usr/local/samba/etc/user.map
>
> !root = WINDOM\adam1
>
> Server Role is set to :  auto
>
> -----------
>
> Installed packages:
> ii  acl 2.2.53-4                     amd64        access control list 
> - utilities
> ii  attr 1:2.4.48-4                   amd64        utilities for 
> manipulating filesystem extended attributes
> ii  fonts-quicksand 0.2016-2                     all sans-serif font 
> with round attributes
> ii  krb5-config 2.6                          all Configuration files 
> for Kerberos Version 5
> ii  krb5-locales 1.17-3                       all internationalization 
> support for MIT Kerberos
> ii  krb5-user 1.17-3+deb10u1               amd64        basic programs 
> to authenticate using MIT Kerberos
> ii  libacl1:amd64 2.2.53-4                     amd64        access 
> control list - shared library
> ii  libattr1:amd64 1:2.4.48-4                   amd64 extended 
> attribute handling - shared library
> ii  libgssapi-krb5-2:amd64 1.17-3+deb10u1 amd64        MIT Kerberos 
> runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64 1.17-3+deb10u1               amd64        MIT 
> Kerberos runtime libraries
> ii  libkrb5support0:amd64 1.17-3+deb10u1 amd64        MIT Kerberos 
> runtime libraries - Support library
> ii  libnss-winbind:amd64 2:4.9.5+dfsg-5+deb10u1       amd64 Samba 
> nameservice integration plugins
> ii  libpam-winbind:amd64 2:4.9.5+dfsg-5+deb10u1       amd64 Windows 
> domain authentication integration plugin
> ii  libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1       amd64 shared 
> library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1       amd64 Samba 
> winbind client library
> ii  python-samba 2:4.9.5+dfsg-5+deb10u1       amd64        Python 
> bindings for Samba
> ii  samba 2:4.9.5+dfsg-5+deb10u1       amd64        SMB/CIFS file, 
> print, and login server for Unix
> ii  samba-common 2:4.9.5+dfsg-5+deb10u1       all          common 
> files used by both the Samba server and client
> ii  samba-common-bin 2:4.9.5+dfsg-5+deb10u1       amd64 Samba common 
> files used by both the server and the client
> ii  samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64        Samba 
> Directory Services Database
> ii  samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1       amd64 Samba core 
> libraries
> ii  samba-vfs-modules:amd64 2:4.9.5+dfsg-5+deb10u1 amd64        Samba 
> Virtual FileSystem plugins
> ii  smbclient 2:4.9.5+dfsg-5+deb10u1       amd64 command-line SMB/CIFS 
> clients for Unix
> ii  winbind 2:4.9.5+dfsg-5+deb10u1       amd64        service to 
> resolve user and group information from Windows NT servers
>
> -----------
> ===============================================
>
>
>
>
>
>
>
> On 4/13/21 5:21 PM, Rowland penny via samba wrote:
>> On 13/04/2021 16:03, Nicola Mingotti wrote:
>>>
>>> Ohh,
>>>
>>> the DNS, yes, that is a kind of cyborg config in my network.
>>>
>>> There are 2 DNS servers on 172.16.3.0/24 because most of the computers existed
>>> before the domain, and some of them will probably never enter it.
>>> (there are PCs to control manufacturing processes which should not be
>>> touched)
>>>
>>> So, the story is, Bind gives names like: foo.borghi.lan
>>> whereas Samba DNS gives names like: foo.windom.borghi.lan
>>> Samba DNS rolls back to Bind when it is not able to resolve something.
>>>
>>> beta was not in the domain a few days ago so it could contain more 
>>> mistakes.
>>>
>>> linte was born as a linux domain experiment so it should be more or 
>>> less ok.
>>>
>>> If you think the problem is the DNS I can try to clean up a bit.
>>
>>
>> It's the DNS!
>>
>> I have an AD domain where machines come and go, but all the domain
>> machines are in the same dns domain. I also have printers,
>> standalone servers etc in the dns domain. You appear to be using
>> 'windom.borghi.lan' as your AD dns domain, yet 'linte' is in the
>> 'borghi.lan' dns domain. How did you get it to join the
>> 'WINDOM.BORGHI.LAN' realm?
>>
>> I would leave the domain, fix your dns and then rejoin the domain.
>>
>> If you do not want to use the DC directly as a dns server, you can 
>> use another dns server, but it must forward everything to the 
>> 'windom.borghi.lan' dns domain to the DC. This means that the other
>> dns server cannot be authoritative for the 'windom.borghi.lan' dns 
>> domain or hold any of its records, though it could be authoritative 
>> for the 'borghi.lan' dns domain.
>>
>> Rowland
>>
>>
>>
>
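As an added example that is not part of the thread: a small Python checker that reads the sshd message quoted above together with a constructed `klist -k` style keytab listing, and reports whether the host principal sshd needs lies outside the AD DNS domain or is simply absent from the keytab. The realm and DNS domain are the ones the collected configs show; the keytab contents are constructed, not taken from either machine.

```python
import re

# Constructed sample inputs modelled on the thread (not the poster's files).
# The sshd lines are the ones quoted in the mail; the realm and DNS domain
# are the ones the collected configs show.
SSHD_LOG = """\
debug1: Unspecified GSS failure.  Minor code may provide more information
No key table entry found matching host/beta.windom.borghi.lan@
"""
REALM = "WINDOM.BORGHI.LAN"
AD_DNS_DOMAIN = "windom.borghi.lan"

# Constructed 'klist -k /etc/krb5.keytab' style listing in which only the
# short-name host principal exists, so the FQDN lookup cannot be satisfied.
KEYTAB_LISTING = """\
KVNO Principal
---- --------------------------------------------------------------------------
   2 BETA$@WINDOM.BORGHI.LAN
   2 host/beta@WINDOM.BORGHI.LAN
"""


def wanted_principal(sshd_log):
    """Service principal sshd tried to find in its keytab (realm stripped)."""
    m = re.search(r"No key table entry found matching ([^@\s]+)@", sshd_log)
    return m.group(1) if m else None


def keytab_principals(listing):
    """Principal names from a 'klist -k' listing, ignoring the KVNO column."""
    principals = set()
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def diagnose(sshd_log, listing, dns_domain=AD_DNS_DOMAIN, realm=REALM):
    """Return the consistency checks that fail for GSSAPI host authentication.

    The client asks the KDC for host/<fqdn as it resolved it>@REALM, so that
    name must sit inside the AD DNS domain and the keytab must hold exactly
    that principal; anything else ends in the 'No key table entry' error.
    """
    problems = []
    svc = wanted_principal(sshd_log)
    if svc is None:
        return ["sshd log carries no missing-keytab-entry message"]
    fqdn = svc.split("/", 1)[1]
    if not fqdn.endswith("." + dns_domain):
        problems.append(f"{fqdn} is not inside the AD DNS domain {dns_domain}")
    full = f"{svc}@{realm}"
    if full not in keytab_principals(listing):
        problems.append(f"keytab has no entry for {full}")
    return problems


if __name__ == "__main__":
    for p in diagnose(SSHD_LOG, KEYTAB_LISTING) or ["no problem found"]:
        print(p)
```

On a real domain member the listing would come from `klist -k /etc/krb5.keytab` and the log from `sshd -d`, as in the session above.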



