[Samba] samba fails to connect to windows file share joined to domain
Stefan Kania
stefan at kania-online.de
Tue Dec 12 18:32:10 UTC 2023
On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> I am using arch linux
> This is my fstab entry using cred for windows domain user
>
> //winnas/radio /radio cifs
> credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail
> 0 0
>
> I run hardening kitty scripts .
>
> Windows and osx clients can mount the shares but linux has an issue.
>
>
> [global]
>
> netbios name = radiorec
>
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
>
> winbind sealed pipes = false
>
> require strong key = false
>
> winbind sealed pipes:HEBE = true
>
> require strong key:HEBE = true
>
> lanman auth = no
>
> ntlm auth = yes
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> client signing = auto
>
> server signing = auto
>
> winbind enum users = yes
>
> winbind gid = 10000-20000
>
> workgroup = hebe
>
> os level = 20
>
> winbind enum groups = yes
>
> password server = den-dc01.hebe.us
>
> preferred master = no
>
> winbind separator = +
>
> max log size = 50
>
> log file = /var/log/samba/log.%m
>
> dns proxy = no
>
> realm = hebe.us
>
> security = ADS
>
> wins server = 192.168.1.8
>
> wins proxy = no
>
> client signing = auto
>
> server signing = auto
>
> domain master = auto
>
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>
> idmap_ldb:use rfc2307 = yes
>
> ldap server require strong auth = No
>
> idmap config * : backend = tdb
>
> idmap config * : range = 10000-20000
>
> winbind use default domain = Yes
>
> winbind enum users = Yes
>
> winbind enum groups = Yes
>
> winbind nested groups = Yes
>
> winbind separator = +
>
> winbind refresh tickets = yes
>
> winbind offline logon = yes
>
> winbind cache time = 300
>
> template shell = /bin/bash
>
> template homedir = /home/%D/%U
>
>
> inherit acls = Yes
>
> map acl inherit = Yes
>
> acl group control = yes
>
>
> load printers = no
>
> debug level = 3
>
> use sendfile = no
>
> vfs objects = acl_xattr shadow_copy2
>
> [sysvol]
>
> path = /usr/share/samba/sysvol
>
> read only = No
>
> [netlogon]
>
> On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Mon, 11 Dec 2023 19:07:47 -0700
>> jacek burghardt via samba <samba at lists.samba.org> wrote:
>>
>>> After running hardening scripts samba cant mount windows shares.
>>
>> What 'hardening scripts', what did they do ?
>> Samba doesn't mount anything, it provides the shares to mount.
>>
>>> I get error trying to mount share
>>>
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
>>> is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
>>> is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>
>>
>> That is actually coming from mount.cifs and '-126' is 'Required key not
>> available', so does the user that is doing the mount have a kerberos
>> ticket ?
>>
>>> I get following errors:
>>>
>>> [root at radiorec admin]# smbclient -k -L winnas
>>> WARNING: The option -k|--kerberos is deprecated!
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
>>> mechtype in NEG_TOKEN_INIT
>>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> [root at radiorec admin]# smbclient -L winnas
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> Password for [HEBE\root]:
>>>
>>> [root at radiorec admin]# smbclient -L winnas -U jacek
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> Password for [HEBE\jacek]:
>>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>>>
>>> Is there gpo I need to disable or I can change config in samba to get
>>> shares to mount?
>>>
>>> I see domain relationship failure but wbinfo works
>>
>> I think you need to give us more information:
>> What OS ?
>> What version of Samba ?
>> The contents of your smb.conf
>> The mount command you are using
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
You did not tell us if you could join the domain (I think with your
smb.conf "NO" "NEVER"). If your Linux client (I think that's what you are
talking about) is not a domain member, you can't use Kerberos. Your
smb.conf is (let's be kind) not working.
This could be a start for your smb.conf:
-----------------------
[global]
workgroup = hebe
realm = hebe.us
security = ADS
winbind refresh tickets = Yes
winbind use default domain = yes
idmap config * : range = 10000 - 19999
idmap config hebe : backend = rid
idmap config hebe : range = 100000 - 199999
-----------------------
Then join the domain with "net ads join -U administrator" (or any other
user who is a member of the "domain admins" group).
Then to mount the share you can try it via fstab and a credential file, but
every time you change your password the mount will fail. Better use
libpam-mount. (You will find a lot of info about configuring
libpam-mount with Google.)
With libpam-mount AND as a domain member your Linux client can mount
shares using Kerberos for authentication.
Stefan
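Added example, not from the thread or from Samba itself: a small Python checker for the points the reply makes about a domain member's smb.conf (security = ADS with realm and workgroup set, a dedicated idmap backend for the domain, and idmap ranges that do not overlap). The two sample configs are constructed from the lines posted in the thread and the reply's suggested [global] section.

```python
def parse_smbconf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys lowercased, last duplicate wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def idmap_ranges(global_section):
    """{domain: (lo, hi)} from 'idmap config DOM : range = lo - hi' entries."""
    ranges = {}
    for key, value in global_section.items():
        if key.startswith("idmap config ") and key.endswith(" : range"):
            lo, hi = (int(x) for x in value.replace(" ", "").split("-", 1))
            ranges[key[len("idmap config "):-len(" : range")]] = (lo, hi)
    return ranges

def check_member_config(text):
    """Findings for a domain-member smb.conf's [global]; an empty list passes these checks."""
    g = parse_smbconf(text).get("global", {})
    findings = [f"missing '{k}'" for k in ("workgroup", "realm", "security") if k not in g]
    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for a domain member")
    ranges = idmap_ranges(g)
    dom = g.get("workgroup", "").lower()
    if dom and f"idmap config {dom} : backend" not in g:
        findings.append(f"no 'idmap config {dom} : backend'; domain users fall back to the '*' backend")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (lo1, hi1), (lo2, hi2) = ranges[a], ranges[b]
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings

# Constructed samples: POSTED mirrors the idmap lines of the config in the thread,
# SUGGESTED the minimal [global] from the reply (winbind lines omitted for brevity).
POSTED = "[global]\nworkgroup = hebe\nrealm = hebe.us\nsecurity = ADS\n" \
         "idmap config * : backend = tdb\nidmap config * : range = 10000-20000\n"
SUGGESTED = "[global]\nworkgroup = hebe\nrealm = hebe.us\nsecurity = ADS\n" \
            "idmap config * : range = 10000 - 19999\nidmap config hebe : backend = rid\n" \
            "idmap config hebe : range = 100000 - 199999\n"
```

Run `check_member_config` on a real smb.conf's text before `net ads join`; the posted config yields the missing-domain-backend finding, the suggested one passes.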