[Samba] samba fails to connect to windows file share joined to domain

Stefan Kania stefan at kania-online.de
Tue Dec 12 18:32:10 UTC 2023



On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> I am using arch linux
> This is my fstab entry using cred for windows domain user
> 
> //winnas/radio /radio cifs
> credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail
> 0 0
> 
> I run hardening kitty scripts .
> 
> Windows and osx clients can mount the shares but linux has an issue.
> 
> 
> [global]
> 
>          netbios name = radiorec
> 
>          socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> 
>          winbind sealed pipes = false
> 
>          require strong key = false
> 
>          winbind sealed pipes:HEBE = true
> 
>          require strong key:HEBE = true
> 
>          lanman auth = no
> 
>          ntlm auth = yes
> 
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
>          client signing = auto
> 
>          server signing = auto
> 
>          winbind enum users = yes
> 
>          winbind gid = 10000-20000
> 
>          workgroup = hebe
> 
>          os level = 20
> 
>          winbind enum groups = yes
> 
>          password server = den-dc01.hebe.us
> 
>          preferred master = no
> 
>          winbind separator = +
> 
>          max log size = 50
> 
>          log file = /var/log/samba/log.%m
> 
>          dns proxy = no
> 
>          realm = hebe.us
> 
>          security = ADS
> 
>          wins server = 192.168.1.8
> 
>          wins proxy = no
> 
>          client signing = auto
> 
>          server signing = auto
> 
>          domain master = auto
> 
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
> 
>          idmap_ldb:use rfc2307 = yes
> 
>          ldap server require strong auth = No
> 
>          idmap config * : backend = tdb
> 
>          idmap config * : range = 10000-20000
> 
>          winbind use default domain = Yes
> 
>          winbind enum users = Yes
> 
>          winbind enum groups = Yes
> 
>          winbind nested groups = Yes
> 
>          winbind separator = +
> 
>          winbind refresh tickets = yes
> 
>          winbind offline logon = yes
> 
>          winbind cache time = 300
> 
>          template shell = /bin/bash
> 
>          template homedir = /home/%D/%U
> 
> 
>          inherit acls = Yes
> 
>          map acl inherit = Yes
> 
>          acl group control = yes
> 
> 
>          load printers = no
> 
>          debug level = 3
> 
>          use sendfile = no
> 
>          vfs objects = acl_xattr shadow_copy2
> 
> [sysvol]
> 
>           path = /usr/share/samba/sysvol
> 
>           read only = No
> 
> [netlogon]
> 
> On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On Mon, 11 Dec 2023 19:07:47 -0700
>> jacek burghardt via samba <samba at lists.samba.org> wrote:
>>
>>> After running hardening scripts samba cant mount windows shares.
>>
>> What 'hardening scripts', what did they do ?
>> Samba doesn't mount anything, it provides the shares to mount.
>>
>>> I get error trying to mount share
>>>
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
>>> is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
>>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils
>>> is installed
>>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
>>>
>>
>> That is actually coming from mount.cifs and '-126' is 'Required key not
>> available', so does the user that is doing the mount have a kerberos
>> ticket ?
>>
>>> I get following errors:
>>>
>>> [root at radiorec admin]# smbclient -k -L winnas
>>> WARNING: The option -k|--kerberos is deprecated!
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
>>> mechtype in NEG_TOKEN_INIT
>>> session setup failed: NT_STATUS_INVALID_PARAMETER
>>>
>>> [root at radiorec admin]# smbclient  -L winnas
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> Password for [HEBE\root]:
>>>
>>> [root at radiorec admin]# smbclient  -L winnas -U jacek
>>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
>>> deprecated
>>> Password for [HEBE\jacek]:
>>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>>>
>>> Is there gpo I need to disable or I can change config in samba to get
>>> shares to mount?
>>>
>>> I see domain relationship failure but  wbinfo works
>>
>> I think you need to give us more information:
>> What OS ?
>> What version of Samba ?
>> The contents of your smb.conf
>> The mount command you are using
>>
>> Rowland
>>
>>
You did not tell us whether you could join the domain (I think with your 
smb.conf: "NO", "NEVER"). If your Linux client (I think that's what you are 
talking about) is not a domain member, you can't use Kerberos. Your 
smb.conf is (let's be kind) not working.

This could be a start for your smb.conf:
-----------------------
[global]
       workgroup = hebe
       realm = hebe.us
       security = ADS
       winbind refresh tickets = Yes
       winbind use default domain = yes
       idmap config * : range = 10000 - 19999
       idmap config hebe : backend = rid
       idmap config hebe : range =  100000 - 199999
-----------------------

Then join the domain with "net ads join -U administrator" (or any other 
user who is a member of the "domain admins" group).

Then, to mount the share, you can try it via fstab and a credentials file, but 
every time you change your password the mount will fail. Better use 
libpam-mount. (You will find a lot of info about configuring 
libpam-mount with Google.)

With libpam-mount AND as a domain member, your Linux client can mount 
shares using Kerberos for authentication.

Stefan
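As an added illustration (not from the thread or from Samba's own tooling), a small Python lint that applies the points raised above to a [global] section: duplicated options, the deprecated "lanman auth", and the domain-member minimum Stefan lists (workgroup, realm, security = ADS, plus a domain-specific idmap backend such as rid). The sample configuration is a constructed excerpt of the one quoted in the thread.

```python
import re
from collections import Counter

def norm_key(key):
    # Samba option names are case-insensitive and ignore internal whitespace.
    return re.sub(r"\s+", "", key.strip().lower())

DEPRECATED = {norm_key("lanman auth")}
# Constructed excerpt of the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """[global]
        workgroup = hebe
        realm = hebe.us
        security = ADS
        lanman auth = no
        ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        client signing = auto
        client signing = auto
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
[sysvol]
        path = /usr/share/samba/sysvol
"""
def parse_global(text):
    """Return (normalised key, key as written, value) for every option in [global]."""
    options, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            options.append((norm_key(key), " ".join(key.split()), value.strip()))
    return options

def lint_global(text):
    options = parse_global(text)
    counts = Counter(norm for norm, _, _ in options)
    shown = {norm: key for norm, key, _ in reversed(options)}  # first spelling wins
    conf = {norm: value for norm, _, value in options}          # last value wins, as in Samba
    findings = [f"duplicate option: {shown[n]} ({c} times)" for n, c in counts.items() if c > 1]
    findings += [f"deprecated option: {shown[n]}" for n in counts if n in DEPRECATED]
    findings += [f"missing domain-member option: {k}" for k in ("workgroup", "realm", "security") if k not in conf]
    wg = conf.get("workgroup", "").lower()
    if wg and norm_key(f"idmap config {wg} : backend") not in conf:
        findings.append(f"no 'idmap config {wg} : backend' (e.g. rid); only the '*' default is set")
    return findings
```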
