[Samba] Domain admin can't access share on samba dm-server

cn at brain-biotech.de cn at brain-biotech.de
Wed Dec 29 18:37:01 UTC 2021


Maybe it is the recent security updates? Have you tried setting min domain uid=0?

Regards


On 29 December 2021 17:49:31 CET, "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
>> First..
>> 
>> Use FQDN's in you shares.
>
>But ... it worked like this for years ;-)
>
>> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
>> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
>
>I am not guest, I am the domain admin in this context.
>
>> klist -ke shows? Can you show the full output.
>
>here you are:
>
>Keytab name: FILE:/etc/krb5.keytab
>KVNO Principal
>---- --------------------------------------------------------------------------
>   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   5 host/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   5 host/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   5 host/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   2 host/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 host/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 host/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   2 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   2 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-crc)
>   2 host/SERVER@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   3 host/server@MYDOM.AT (DEPRECATED:des-cbc-md5)
>   2 host/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   3 host/server@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 host/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 host/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   3 host/server@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 cifs/SERVER@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 cifs/SERVER@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 cifs/SERVER@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 cifs/server.mydom.at@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 cifs/PRE01SVdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 cifs/PRE01SVdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 cifs/PRE01SVdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
>   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
>   2 cifs/pre01svdeb01@MYDOM.AT (aes128-cts-hmac-sha1-96)
>   2 cifs/pre01svdeb01@MYDOM.AT (DEPRECATED:arcfour-hmac)
>
>> For cifs (and nfs) you need the SPN format like this:
>> cifs/hostname.internal.domain.tld@REALM.TLD
>> (net ads adds the REALM part automatically)
>> 
>> If your host is using a CNAME for cifs then you need to add
>> cifs/cname.internal.domain.tld@REALM.TLD as well.
>
>
>And WHY do I have to set that up again? I understand that Kerberos has to work behind the curtains, but it doesn't sound efficient to me that this isn't negotiated by the machines themselves.
>
>I mean, in the start I didn't do that either, correct?
>
>> And it's really advised to give these servers a PTR record.
>
>There is a PTR
>
>> How I do it.
>> And ALWAYS back up your krb5.keytab file first.
>> Don't know why sometimes (in my case) the KVNO is off.
>> When that happens I restore the original keytab file.
>> 
>> cp /etc/krb5.keytab{,.backup}
>> kinit Administrator
>> net ads keytab add_update_ads cifs/$(hostname -f)
>> 
>> Removing wrong entries I do like this, and maybe
>> someone has better ideas on this, please add it..
>> 
>> !! MAKE THAT BACKUP FIRST !!
>> ktutil
>> rkt /etc/krb5.keytab
>> ? For help.
>> wkt /etc/krb5.keytab.new
>> 
>> cp /etc/krb5.keytab.new  /etc/krb5.keytab
>> 
>> !! If you write the keytab as shown above directly into /etc/krb5.keytab
>> you get everything double.
>> 
>> When you use delent nr and you have 1-40 entries, let's say entries 21 to 40 are wrong:
>> delent 21  << the only one you need.. Just repeat it until it's all gone.
>> 
>> Hope this helped a bit.
>
>Sure, thanks.
>
>I see the path but have to think twice before I touch this production file server. Users use it 24/7 ... my access from that Windows server isn't that important right now (transferred my ISO via another server ...).
>
>> PS. I'm picky but..
>>> 	idmap config buero:range = 10000-99999
>>> 	idmap config buero:backend = rid
>> 
>> buero should be BUERO
>
>sigh
>
>I showed the smb.conf-files of that site maybe 10 times here and every time I get another parameter pointed out as wrong. I wonder if it ever gets finished ;-)
>
>Thanks anyway, I appreciate it!
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Court of registration: Darmstadt Local Court (AG Darmstadt), HRB 24758
Management Board: Adriaan Moelker (Chairman of the Management Board),
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
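As an added example (not code from anyone in this thread), a small Python check that reads `klist -ke` output and reports the three points raised above: a missing `cifs/<fqdn>@REALM` SPN, entries using deprecated encryption types, and principals carrying more than one KVNO. The sample listing is constructed from the principals quoted in the thread; the host names and realm are the placeholders from that output.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `klist -ke`, using the principals quoted
# in the thread (host names and realm taken from the posted output).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/pre01svdeb01@MYDOM.AT (aes256-cts-hmac-sha1-96)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def audit_keytab(text, fqdn, realm):
    """Check the keytab listing for the three problems raised in the thread."""
    entries = parse_klist(text)
    principals = {p for _, p, _ in entries}
    # SPN a Windows client requests for \\fqdn\share; its key must be in the keytab
    wanted = f"cifs/{fqdn}@{realm}"
    missing = [] if wanted in principals else [wanted]
    kvnos = defaultdict(set)
    deprecated = set()
    for kvno, principal, enctype in entries:
        kvnos[principal].add(kvno)
        if enctype.startswith("DEPRECATED:"):
            deprecated.add(principal)
    # A principal listed under several KVNOs means stale keys were left behind
    # (the "KVNO is off" situation described in the thread).
    mismatch = sorted(p for p, ks in kvnos.items() if len(ks) > 1)
    return {"missing_spns": missing, "deprecated": sorted(deprecated),
            "kvno_mismatch": mismatch}


if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KLIST, "pre01svdeb01.mydom.at", "MYDOM.AT"))
```

Run it against `klist -ke` output piped into a file (or read from stdin) with the file server's FQDN and realm; an empty report for all three keys is what you want before testing the share from a Windows client.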

