[Samba] Domain admin can't access share on samba dm-server

L.P.H. van Belle belle at bazuin.nl
Thu Dec 30 10:15:27 UTC 2021


That's a good point, yes (the "min domain uid = 0" option in smb.conf).
Thanks Christian for pointing it out.

Stefan, I commented a bit below also.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> cn--- via samba
> Sent: Wednesday, 29 December 2021 19:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain admin can't access share on 
> samba dm-server
> 
> Maybe it is the recent security updates? Have you tried 
> setting min domain uid=0?
> 
> Regards
> 
> 
> On 29 December 2021 17:49:31 CET, "Stefan G. 
> Weichinger via samba" <samba at lists.samba.org> wrote:
> >On 29.12.21 at 15:07, L.P.H. van Belle via samba wrote:
> >> First..
> >> 
> >> Use FQDNs in your shares.
> >
> >But ... it worked like this for years ;-)

And.. after some big security updates it stopped working. 
It happens ;-) 

> >
> >> Server 2019, (Guest access in SMB2 and SMB3 disabled by default in Windows)
> >> 
> >> https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/guest-access-in-smb2-is-disabled-by-default
> >
> >I am not guest, I am the domain admin in this context.
> >
> >> klist -ke shows? Can you show the full output.
> >
> >here you are:
> >
> >Keytab name: FILE:/etc/krb5.keytab
> >KVNO Principal
> >---- --------------------------------------------------------------------------
> >   5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   5 host/pre01svdeb01.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   5 host/pre01svdeb01.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   5 host/pre01svdeb01.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   5 host/pre01svdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   5 host/pre01svdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   5 host/pre01svdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   2 PRE01SVDEB01$@MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 PRE01SVDEB01$@MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 PRE01SVDEB01$@MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 host/server.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   2 host/server.mydom.at at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   2 host/server.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 host/server.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 host/server.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 host/server at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   2 host/server at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   2 host/server at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 host/server at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 host/server at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   2 SERVER$@MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   2 SERVER$@MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 SERVER$@MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 SERVER$@MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 host/SERVER at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   3 host/server at MYDOM.AT (DEPRECATED:des-cbc-crc)
> >   2 host/SERVER at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   3 host/server at MYDOM.AT (DEPRECATED:des-cbc-md5)
> >   2 host/SERVER at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   3 host/server at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 host/SERVER at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   3 host/server at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 host/SERVER at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   3 host/server at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 cifs/SERVER at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 cifs/SERVER at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 cifs/SERVER at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 cifs/server.mydom.at at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 cifs/server.mydom.at at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 cifs/server.mydom.at at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 cifs/PRE01SVdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 cifs/PRE01SVdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 cifs/PRE01SVdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >   2 cifs/pre01svdeb01 at MYDOM.AT (aes256-cts-hmac-sha1-96)
> >   2 cifs/pre01svdeb01 at MYDOM.AT (aes128-cts-hmac-sha1-96)
> >   2 cifs/pre01svdeb01 at MYDOM.AT (DEPRECATED:arcfour-hmac)
> >

All the entries look fine, I only don't get why I see KVNO 2 and 3.
But that's me, I just don't know that.. 

> >
> >> For cifs (and nfs) you need the SPN format like this:
> >> cifs/hostname.internal.domain.tld at REALM.TLD
> >> (net ads adds the REALM part automatically)
> >> 
> >> If your host is using a CNAME for cifs then you need to add
> >> cifs/cname.internal.domain.tld at REALM.TLD also.
> >
> >
> >And WHY do I have to set that up again? I understand that 
> kerberos has to work behind the curtains, but it doesn't 
> sound efficient to me that this isn't negotiated by the 
> machines themselves.

Did I say set up again? I'll rephrase it next time. 
I only showed the options and what to set. 
For example, none of my servers have cifs/hostname; 
all use the FQDN (for cifs and nfs, at least). 


> >
> >I mean, in the start I didn't do that either, correct?
> >
> >> And it's really advised to give these servers a PTR record.
> >
> >There is a PTR

Great, that always helps. 

> >
> >> How I do it.
> >> And ALWAYS back up your krb5.keytab file first.
> >> Don't know why sometimes (in my case) the KVNO is off.
> >> When that happens I restore the original keytab file.
> >> 
> >> cp /etc/krb5.keytab{,.backup}
> >> kinit Administrator
> >> net ads keytab add_update_ads cifs/$(hostname -f)
> >> 
> >> Removing wrong entries I do like this, and maybe
> >> someone has better ideas on this, please add it..
> >> 
> >> !! MAKE THAT BACKUP FIRST !!
> >> ktutil
> >> rkt /etc/krb5.keytab
> >> ? For help.
> >> wkt /etc/krb5.keytab.new
> >> 
> >> cp /etc/krb5.keytab.new  /etc/krb5.keytab
> >> 
> >> !! If you write the keytab as shown above directly into /etc/krb5.keytab
> >> you get everything double.
> >> 
> >> When you use delent nr and you have 1-40 entries. Let's say 
> >> entries 21 to 40 are wrong.
> >> delent 21  << only one you need.. Just repeat it until 
> >> it's all gone.
> >> 
> >> Hope this helped a bit.
> >
> >Sure, thanks.
> >
> >I see the path but have to think twice before I touch this 
> production file server. Users use it 24/7 ... my access from 
> that windows server isn't that important right now 
> (transferred my ISO via another server ...).

Hahah, you know, I had this problem also, 2 weeks ago.. 
I suggest, first try that min domain uid=0 option. 


> >
> >> Ps. I'm picky but..
> >>> 	idmap config buero:range = 10000-99999
> >>> 	idmap config buero:backend = rid
> >> 
> >> buero should be BUERO
> >
> >sigh
> >
> >I showed the smb.conf-files of that site maybe 10 times here 
> and every time I get another parameter pointed out as wrong. 
> I wonder if it ever gets finished ;-)

Hihi.. Yeah, or you missed a comment ;-) 
At least it wasn't wrong, it was good and now it's perfect. :-)) 


> >
> >Thanks anyway, I appreciate it!

You're welcome. 
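An added example, not part of the thread, for the keytab check van Belle does by eye above: it parses `klist -ke` output and reports principals that carry more than one KVNO (the "2 and 3" he wonders about), which deprecated enctypes are still in the keytab, and whether an FQDN-based cifs/ SPN exists. The sample is constructed to mirror the quoted output; it uses "@" where the list archive rewrote it as " at ".

```python
import re
from collections import defaultdict

# Constructed sample modelled on the klist -ke output quoted in the thread,
# trimmed to a few representative lines (hostnames and realm as in the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (DEPRECATED:des-cbc-crc)
   5 host/pre01svdeb01.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   3 host/server@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (aes256-cts-hmac-sha1-96)
   2 cifs/server.mydom.at@MYDOM.AT (DEPRECATED:arcfour-hmac)
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)"; MIT klist
# prefixes weak enctypes with "DEPRECATED:".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal, enctype, deprecated) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
        entries.append((kvno, principal, enctype, "DEPRECATED:" in line))
    return entries


def audit_keytab(text, fqdn_suffix):
    """Flag mixed KVNOs per principal, deprecated enctypes and a missing FQDN cifs SPN."""
    entries = parse_klist(text)
    kvnos = defaultdict(set)
    for kvno, principal, _, _ in entries:
        kvnos[principal].add(kvno)
    # A principal with two KVNOs usually means a stale key survived a rejoin/update.
    mixed_kvno = sorted(p for p, k in kvnos.items() if len(k) > 1)
    deprecated = sorted({e for _, _, e, dep in entries if dep})
    # The thread's advice: the cifs/ SPN should use the host's FQDN.
    has_fqdn_cifs = any(p.startswith("cifs/") and p.split("@")[0].endswith(fqdn_suffix)
                        for p in kvnos)
    return {"mixed_kvno": mixed_kvno, "deprecated_enctypes": deprecated,
            "fqdn_cifs_spn": has_fqdn_cifs}


if __name__ == "__main__":
    print(audit_keytab(SAMPLE_KLIST, ".mydom.at"))
```

On a real host, feed it the output of `klist -ke` instead of the sample; it only reads, so it is safe to run before touching the keytab with ktutil.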
