[Samba] Domain admin can't access share on samba dm-server
Stefan G. Weichinger
lists at xunil.at
Wed Dec 29 16:49:31 UTC 2021
On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
> First..
>
> Use FQDNs in your shares.
But ... it worked like this for years ;-)
> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
I am not guest, I am the domain admin in this context.
> klist -ke shows? Can you show the full output.
here you are:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-md5)
   5 host/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-crc)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-md5)
   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
   2 host/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   3 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/PRE01SVdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
> For cifs (and nfs) you need the SPN format like this.
> cifs/hostname.internal.domain.tld@REALM.TLD
> (net ads adds the REALM part automatically)
>
> If your host is using a CNAME for cifs then you need to add
> cifs/cname.internal.domain.tld@REALM.TLD also
And WHY do I have to set that up again? I understand that kerberos has
to work behind the curtains, but it doesn't sound efficient to me that
this isn't negotiated by the machines themselves.
I mean, in the start I didn't do that either, correct?
> And it's really advised to give these servers a PTR record.
There is a PTR
> How i do it.
> And ALWAYS back up your krb5.keytab file first.
> Don't know why sometimes (in my case) the KVNO is off.
> When that happens I restore the original keytab file.
>
> cp /etc/krb5.keytab{,.backup}
> kinit Administrator
> net ads keytab add_update_ads cifs/$(hostname -f)
>
> Removing wrong entries I do like this, and maybe
> someone has better ideas on this, please add it..
>
> !! MAKE THAT BACKUP FIRST !!
> ktutil
> rkt /etc/krb5.keytab
> ? For help.
> wkt /etc/krb5.keytab.new
>
> cp /etc/krb5.keytab.new /etc/krb5.keytab
>
> !! If you write the keytab as shown above directly into /etc/krb5.keytab
> you get everything double.
>
> When you use delent nr and you have 1-40 entries. Let's say entries 21 to 40 are wrong.
> delent 21 << the only one you need.. Just repeat it until it's all gone.
>
> Hope this helped a bit.
Sure, thanks.
I see the path but have to think twice before I touch this production
file server. Users use it 24/7 ... my access from that Windows server
isn't that important right now (transferred my ISO via another server ...).
> Ps. I'm picky but..
>> idmap config buero:range = 10000-99999
>> idmap config buero:backend = rid
>
> buero should be BUERO
sigh
I showed the smb.conf-files of that site maybe 10 times here and every
time I get another parameter pointed out as wrong. I wonder if it ever
gets finished ;-)
Thanks anyway, I appreciate it!
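As an added example (not code from this thread or from the Samba project): a small audit script that reads `klist -ke` output like the listing above and flags the three things van Belle's advice targets, namely principals carrying more than one KVNO (the stale, lower-numbered copies), DEPRECATED enctypes, and a `cifs/<fqdn>@REALM` SPN that is missing or has no AES key. It then emits the ktutil commands to drop the offending slots, deleting from the highest slot down so the renumbering after each `delent` does not shift the targets, and writing to a new file as the quoted procedure recommends. The embedded sample is a trimmed copy of the listing posted above with `@` restored. The keytab path, the FQDN/realm arguments and the assumption that klist's entry order equals ktutil's slot numbering after `rkt` are mine, not the thread's.

```python
"""keytab_audit.py: audit `klist -ke` output for stale and missing SMB SPNs.

Added example for the samba-list thread; not Samba's own tooling.
"""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `klist -ke` listing in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
"""

# One klist line: KVNO, principal, enctype (optionally prefixed "DEPRECATED:").
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([\w-]+)\)\s*$")
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}
STRONG = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}


def parse_klist(text):
    """Return [(slot, kvno, principal, enctype)] in file order.

    Slot numbers are 1-based. Assumption: this is the same order (and numbering)
    ktutil shows with `list` after `rkt`, since both read the keytab sequentially.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((len(entries) + 1, int(m.group(1)), m.group(2), m.group(3)))
    return entries


def stale_slots(entries):
    """Slots whose KVNO is lower than the highest KVNO for the same principal,
    i.e. leftovers from an earlier key rotation or rejoin."""
    newest = defaultdict(int)
    for _, kvno, princ, _ in entries:
        newest[princ] = max(newest[princ], kvno)
    return [slot for slot, kvno, princ, _ in entries if kvno < newest[princ]]


def weak_slots(entries):
    """Slots holding DES or RC4 keys, which klist already marks DEPRECATED."""
    return [slot for slot, _, _, enc in entries if enc in WEAK]


def missing_cifs_spns(entries, fqdn, realm, cnames=()):
    """Required cifs/ SPNs (the FQDN plus any CNAMEs clients use) that are
    absent from the keytab or present without an AES key."""
    have = defaultdict(set)
    for _, _, princ, enc in entries:
        have[princ].add(enc)
    wanted = [f"cifs/{name}@{realm}" for name in (fqdn, *cnames)]
    return [p for p in wanted if not (have[p] & STRONG)]


def ktutil_script(slots, path="/etc/krb5.keytab"):
    """ktutil commands removing the given slots. ktutil renumbers after every
    delent, so delete from the highest slot down; write to a new file, since
    writing back onto the same keytab appends and duplicates every entry."""
    lines = [f"rkt {path}"]
    lines += [f"delent {s}" for s in sorted(set(slots), reverse=True)]
    lines.append(f"wkt {path}.new")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage against a live box: klist -ke | python3 keytab_audit.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KLIST
    ents = parse_klist(text)
    print("stale slots:", stale_slots(ents))
    print("weak slots:", weak_slots(ents))
    print("missing:", missing_cifs_spns(ents, "pre01svdeb01.mydom.at", "MYDOM.AT"))
    print(ktutil_script(stale_slots(ents) + weak_slots(ents)))
```

Back up the keytab before feeding the generated commands to `ktutil`, and re-run `klist -ke` on the new file before copying it over the original; missing SPNs are then added with `net ads keytab add_update_ads cifs/$(hostname -f)` as in the quoted procedure.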