[Samba] samba fails to connect to windows file share joined to domain
Rowland Penny
rpenny at samba.org
Tue Dec 12 18:50:51 UTC 2023
On Tue, 12 Dec 2023 19:32:10 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:
>
>
> > On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> > I am using arch linux
> > This is my fstab entry using cred for windows domain user
> >
> > //winnas/radio /radio cifs
> > credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail
> > 0 0
> >
> > I run hardening kitty scripts .
> >
> > Windows and osx clients can mount the shares but linux has an issue.
> >
> >
> > [global]
> >
> > netbios name = radiorec
> >
> > socket options = TCP_NODELAY SO_RCVBUF=16384
> > SO_SNDBUF=16384
> >
> > winbind sealed pipes = false
> >
> > require strong key = false
> >
> > winbind sealed pipes:HEBE = true
> >
> > require strong key:HEBE = true
> >
> > lanman auth = no
> >
> > ntlm auth = yes
> >
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> > client signing = auto
> >
> > server signing = auto
> >
> > winbind enum users = yes
> >
> > winbind gid = 10000-20000
> >
> > workgroup = hebe
> >
> > os level = 20
> >
> > winbind enum groups = yes
> >
> > password server = den-dc01.hebe.us
> >
> > preferred master = no
> >
> > winbind separator = +
> >
> > max log size = 50
> >
> > log file = /var/log/samba/log.%m
> >
> > dns proxy = no
> >
> > realm = hebe.us
> >
> > security = ADS
> >
> > wins server = 192.168.1.8
> >
> > wins proxy = no
> >
> > client signing = auto
> >
> > server signing = auto
> >
> > domain master = auto
> >
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> >
> > idmap_ldb:use rfc2307 = yes
> >
> > ldap server require strong auth = No
> >
> > idmap config * : backend = tdb
> >
> > idmap config * : range = 10000-20000
> >
> > winbind use default domain = Yes
> >
> > winbind enum users = Yes
> >
> > winbind enum groups = Yes
> >
> > winbind nested groups = Yes
> >
> > winbind separator = +
> >
> > winbind refresh tickets = yes
> >
> > winbind offline logon = yes
> >
> > winbind cache time = 300
> >
> > template shell = /bin/bash
> >
> > template homedir = /home/%D/%U
> >
> >
> > inherit acls = Yes
> >
> > map acl inherit = Yes
> >
> > acl group control = yes
> >
> >
> > load printers = no
> >
> > debug level = 3
> >
> > use sendfile = no
> >
> > vfs objects = acl_xattr shadow_copy2
> >
> > [sysvol]
> >
> > path = /usr/share/samba/sysvol
> >
> > read only = No
> >
> > [netlogon]
> >
> > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> >> On Mon, 11 Dec 2023 19:07:47 -0700
> >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> >>
> >>> After running hardening scripts samba cant mount windows shares.
> >>
> >> What 'hardening scripts', what did they do ?
> >> Samba doesn't mount anything, it provides the shares to mount.
> >>
> >>> I get error trying to mount share
> >>>
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> >>> keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> >>> keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>>
> >>
> >> That is actually coming from mount.cifs and '-126' is 'Required
> >> key not available', so does the user that is doing the mount have
> >> a kerberos ticket ?
> >>
> >>> I get following errors:
> >>>
> >>> [root at radiorec admin]# smbclient -k -L winnas
> >>> WARNING: The option -k|--kerberos is deprecated!
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> >>> mechtype in NEG_TOKEN_INIT
> >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> >>>
> >>> [root at radiorec admin]# smbclient -L winnas
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> Password for [HEBE\root]:
> >>>
> >>> [root at radiorec admin]# smbclient -L winnas -U jacek
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> Password for [HEBE\jacek]:
> >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >>>
> >>> Is there gpo I need to disable or I can change config in samba to
> >>> get shares to mount?
> >>>
> >>> I see domain relationship failure but wbinfo works
> >>
> >> I think you need to give us more information:
> >> What OS ?
> >> What version of Samba ?
> >> The contents of your smb.conf
> >> The mount command you are using
> >>
> >> Rowland
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> You did not tell us if you could join the domain (I think with
> your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
> you are talking about) is not a domain member, you can't use
> Kerberos. Your smb.conf is (let's be kind) not working.
>
> This could be a start for your smb.conf:
> -----------------------
> [global]
> workgroup = hebe
> realm = hebe.us
> security = ADS
> winbind refresh tickets = Yes
> winbind use default domain = yes
> idmap config * : range = 10000 - 19999
> idmap config hebe : backend = rid
> idmap config hebe : range = 100000 - 199999
> -----------------------
>
> Then join the domain with "net ads join -U administrator" (or any
> other user who is a member of the "domain admins" group).
>
> Then to mount the share you can try it via fstab and a credential file,
> but every time you change your password the mount will fail. Better
> use libpam-mount. (You will find a lot of info about configuring
> libpam-mount with Google.)
>
> With libpam-mount AND as a domain member your Linux client can mount
> shares using Kerberos for authentication.
>
> Stefan
>
>
Hi Stefan,
Whilst I cannot argue with anything you have written and would agree
your setup will work, I still feel we need more information; it seems
we are only being told half the story.
Rowland
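Reading the posted smb.conf for its contradictions, as an added example (not code from the thread, from Samba, or from either poster): a small lint that reports parameters set more than once (Samba applies the last occurrence), AD-DC-only parameters on a member server, and settings that weaken security. The DC_ONLY and WEAKENING lists and the sample config lines are assumptions constructed from the thread; `testparm -s` remains the authoritative way to see the config Samba actually loads.

```python
# Added example: lint an smb.conf for duplicate parameters, DC-only parameters, weak settings.
DC_ONLY = {"server services", "ldap server require strong auth"}
WEAKENING = {("winbind sealed pipes", "false"), ("require strong key", "false"),
             ("ldap server require strong auth", "no")}

def parse_smb_conf(text):
    """Return {section: [(param, value), ...]}, keeping every occurrence in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments are whole lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = " ".join(line[1:-1].split()).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # names are case-insensitive, spaces ignored
            sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections

def effective(sections, section, param):
    """The value Samba actually applies: the last occurrence in the section."""
    values = [v for k, v in sections.get(section, []) if k == param]
    return values[-1] if values else None

def lint(text):
    """Return human-readable findings for the config text."""
    sections, findings = parse_smb_conf(text), []
    is_member = ((effective(sections, "global", "security") or "").lower() == "ads"
                 and effective(sections, "global", "server role") is None)
    for section, params in sections.items():
        seen = {}
        for key, value in params:
            seen.setdefault(key, []).append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append(f"[{section}] '{key}' set {len(values)}x; Samba applies {values[-1]!r}")
            if section == "global" and is_member and key in DC_ONLY:
                findings.append(f"[global] '{key}' only applies to an AD DC; ignored here")
            if section == "global" and (key, values[-1].lower()) in WEAKENING:
                findings.append(f"[global] '{key} = {values[-1]}' weakens security")
    return findings

# Constructed sample: contradictory lines from the smb.conf posted in the thread.
SAMPLE = """[global]
  ntlm auth = yes
  ntlm auth = mschapv2-and-ntlmv2-only
  security = ADS
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc
  ldap server require strong auth = No
"""
```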