[Samba] samba fails to connect to windows file share joined to domain

jacek burghardt jaceksburghardt at gmail.com
Tue Dec 12 16:46:51 UTC 2023


I am using Arch Linux.
This is my fstab entry, using credentials for a Windows domain user:

//winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0

I run hardening kitty scripts.

Windows and OS X clients can mount the shares, but Linux has an issue.


[global]
        netbios name = radiorec
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        winbind sealed pipes = false
        require strong key = false
        winbind sealed pipes:HEBE = true
        require strong key:HEBE = true
        lanman auth = no
        ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        client signing = auto
        server signing = auto
        winbind enum users = yes
        winbind gid = 10000-20000
        workgroup = hebe
        os level = 20
        winbind enum groups = yes
        password server = den-dc01.hebe.us
        preferred master = no
        winbind separator = +
        max log size = 50
        log file = /var/log/samba/log.%m
        dns proxy = no
        realm = hebe.us
        security = ADS
        wins server = 192.168.1.8
        wins proxy = no
        client signing = auto
        server signing = auto
        domain master = auto
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        winbind use default domain = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        winbind separator = +
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind cache time = 300
        template shell = /bin/bash
        template homedir = /home/%D/%U

        inherit acls = Yes
        map acl inherit = Yes
        acl group control = yes

        load printers = no
        debug level = 3
        use sendfile = no
        vfs objects = acl_xattr shadow_copy2

[sysvol]
        path = /usr/share/samba/sysvol
        read only = No

[netlogon]

On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 11 Dec 2023 19:07:47 -0700
> jacek burghardt via samba <samba at lists.samba.org> wrote:
>
> > After running hardening scripts Samba can't mount Windows shares.
>
> What 'hardening scripts', what did they do?
> Samba doesn't mount anything, it provides the shares to mount.
>
> > I get an error trying to mount the share:
> >
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
> > is installed
> > [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >
>
> That is actually coming from mount.cifs and '-126' is 'Required key not
> available', so does the user that is doing the mount have a Kerberos
> ticket?
>
> > I get following errors:
> >
> > [root at radiorec admin]# smbclient -k -L winnas
> > WARNING: The option -k|--kerberos is deprecated!
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > mechtype in NEG_TOKEN_INIT
> > session setup failed: NT_STATUS_INVALID_PARAMETER
> >
> > [root at radiorec admin]# smbclient  -L winnas
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > Password for [HEBE\root]:
> >
> > [root at radiorec admin]# smbclient  -L winnas -U jacek
> > lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > deprecated
> > Password for [HEBE\jacek]:
> > session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >
> > Is there a GPO I need to disable, or can I change the config in Samba to get
> > shares to mount?
> >
> > I see a domain relationship failure, but wbinfo works.
>
> I think you need to give us more information:
> What OS ?
> What version of Samba ?
> The contents of your smb.conf
> The mount command you are using
>
> Rowland
>
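
A preflight for the two conditions named in the kernel message quoted above (a krb5 ticket and a working keyutils upcall), as an added example that is not part of the original thread. It assumes MIT Kerberos klist and the usual keyutils/cifs-utils layout (request-key, cifs.upcall, rules in /etc/request-key.conf or /etc/request-key.d/); KLIST and REQKEY_FILES are override variables introduced here.

```sh
#!/bin/sh
# Added example: preflight for a CIFS mount that uses sec=krb5 or sec=krb5i.
# Assumptions: MIT Kerberos klist; request-key (keyutils) and cifs.upcall
# (cifs-utils) installed in their usual places. KLIST and REQKEY_FILES are
# override variables introduced for this example.
KLIST=${KLIST:-klist}
REQKEY_FILES=${REQKEY_FILES:-"/etc/request-key.conf /etc/request-key.d/*.conf"}

# 0 if the calling user has a readable, unexpired credential cache.
has_ticket() {
    "$KLIST" -s 2>/dev/null
}

# 0 if both upcall helpers can be found (sbin added for non-root PATHs).
has_helpers() {
    ( PATH="$PATH:/usr/sbin:/sbin"
      command -v request-key && command -v cifs.upcall ) >/dev/null 2>&1
}

# 0 if a request-key rule passes cifs.spnego key requests to cifs.upcall.
has_spnego_rule() {
    for f in $REQKEY_FILES; do          # unquoted on purpose: expand the glob
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*create[[:space:]]+cifs\.spnego[[:space:]].*cifs\.upcall' "$f" && return 0
    done
    return 1
}

# Print one line per failed prerequisite; return the number of failures.
preflight() {
    fail=0
    has_ticket || { echo "FAIL: no valid Kerberos ticket for uid $(id -u)"; fail=$((fail + 1)); }
    has_helpers || { echo "FAIL: request-key or cifs.upcall not found"; fail=$((fail + 1)); }
    has_spnego_rule || { echo "FAIL: no request-key rule for cifs.spnego"; fail=$((fail + 1)); }
    [ "$fail" -eq 0 ] && echo "OK: krb5 ticket and keyutils upcall are in place"
    return "$fail"
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with --run as the account that performs the mount, because the ticket check applies to the calling user's credential cache.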

