[Samba] samba fails to connect to windows file share joined to domain

Rowland Penny rpenny at samba.org
Tue Dec 12 18:50:51 UTC 2023


On Tue, 12 Dec 2023 19:32:10 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

> 
> 
> > On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> > I am using Arch Linux.
> > This is my fstab entry, using credentials for a Windows domain user:
> > 
> > //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
> > 
> > I ran HardeningKitty scripts.
> > 
> > Windows and OS X clients can mount the shares, but Linux has an issue.
> > 
> > 
> > [global]
> >          netbios name = radiorec
> >          socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> >          winbind sealed pipes = false
> >          require strong key = false
> >          winbind sealed pipes:HEBE = true
> >          require strong key:HEBE = true
> >          lanman auth = no
> >          ntlm auth = yes
> >          ntlm auth = mschapv2-and-ntlmv2-only
> >          client signing = auto
> >          server signing = auto
> >          winbind enum users = yes
> >          winbind gid = 10000-20000
> >          workgroup = hebe
> >          os level = 20
> >          winbind enum groups = yes
> >          password server = den-dc01.hebe.us
> >          preferred master = no
> >          winbind separator = +
> >          max log size = 50
> >          log file = /var/log/samba/log.%m
> >          dns proxy = no
> >          realm = hebe.us
> >          security = ADS
> >          wins server = 192.168.1.8
> >          wins proxy = no
> >          client signing = auto
> >          server signing = auto
> >          domain master = auto
> >          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >          idmap_ldb:use rfc2307 = yes
> >          ldap server require strong auth = No
> >          idmap config * : backend = tdb
> >          idmap config * : range = 10000-20000
> >          winbind use default domain = Yes
> >          winbind enum users = Yes
> >          winbind enum groups = Yes
> >          winbind nested groups = Yes
> >          winbind separator = +
> >          winbind refresh tickets = yes
> >          winbind offline logon = yes
> >          winbind cache time = 300
> >          template shell = /bin/bash
> >          template homedir = /home/%D/%U
> > 
> >          inherit acls = Yes
> >          map acl inherit = Yes
> >          acl group control = yes
> > 
> >          load printers = no
> >          debug level = 3
> >          use sendfile = no
> >          vfs objects = acl_xattr shadow_copy2
> > 
> > [sysvol]
> >           path = /usr/share/samba/sysvol
> >           read only = No
> > 
> > [netlogon]
> > 
> > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> > 
> >> On Mon, 11 Dec 2023 19:07:47 -0700
> >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> >>
> >>> After running hardening scripts, Samba can't mount Windows shares.
> >>
> >> What 'hardening scripts', what did they do ?
> >> Samba doesn't mount anything, it provides the shares to mount.
> >>
> >>> I get an error trying to mount the share:
> >>>
> >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
> >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> >>>
> >>
> >> That is actually coming from mount.cifs, and '-126' is 'Required
> >> key not available', so does the user that is doing the mount have
> >> a Kerberos ticket?
> >>
> >>> I get the following errors:
> >>>
> >>> [root at radiorec admin]# smbclient -k -L winnas
> >>> WARNING: The option -k|--kerberos is deprecated!
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> >>> mechtype in NEG_TOKEN_INIT
> >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> >>>
> >>> [root at radiorec admin]# smbclient  -L winnas
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> Password for [HEBE\root]:
> >>>
> >>> [root at radiorec admin]# smbclient  -L winnas -U jacek
> >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> >>> deprecated
> >>> Password for [HEBE\jacek]:
> >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> >>>
> >>> Is there a GPO I need to disable, or can I change the config in
> >>> Samba to get the shares to mount?
> >>>
> >>> I see a domain relationship failure, but wbinfo works.
> >>
> >> I think you need to give us more information:
> >> What OS ?
> >> What version of Samba ?
> >> The contents of your smb.conf
> >> The mount command you are using
> >>
> >> Rowland
> >>
> >>
> >>
> You did not tell us whether you could join the domain (I think with
> your smb.conf: "NO", "NEVER"). If your Linux client (I think that's
> what you are talking about) is not a domain member, you can't use
> Kerberos. Your smb.conf is (let's be kind) not working.
> 
> This could be a start for your smb.conf:
> -----------------------
> [global]
>        workgroup = hebe
>        realm = hebe.us
>        security = ADS
>        winbind refresh tickets = Yes
>        winbind use default domain = yes
>        idmap config * : range = 10000 - 19999
>        idmap config hebe : backend = rid
>        idmap config hebe : range =  100000 - 199999
> -----------------------
> 
> Then join the domain with "net ads join -U administrator" (or any
> other user who is a member of the "domain admins" group).
> 
> Then, to mount the share, you can try it via fstab and a credentials
> file, but every time you change your password the mount will fail.
> Better use libpam-mount. (You will find a lot of information about
> configuring libpam-mount with Google.)
> 
> With libpam-mount AND as a domain member, your Linux client can mount
> shares using Kerberos for authentication.
> 
> Stefan
> 
> 

Hi Stefan,
Whilst I cannot argue with anything you have written and would agree
your setup will work, I still feel we need more information; it seems
we are only being told half the story.

Rowland
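As an added example (not part of the thread, and not Samba project code), the following Python linter applies the points raised above to an smb.conf. Samba matches parameter names case-insensitively and, when a parameter is set twice in one section, the last value wins, so the posted config's two "ntlm auth" lines do not both apply. The script parses a config preserving every assignment, reports (1) parameters repeated within a section, (2) effective [global] settings that weaken or deprecate authentication, and (3) AD DC-only parameters and shares that do not belong in a domain-member config. The WEAK_SETTINGS and DC_ONLY_* lists are this editor's own selection, not an official Samba list; the sample inputs are a trimmed excerpt of the posted smb.conf and Stefan's suggested minimal config.

```python
"""Lint an smb.conf for the problems raised in the thread above.

Added example: not Samba project code and not posted by anyone in the thread.
Samba treats parameter names case-insensitively and keeps the LAST value of a
parameter repeated in one section. WEAK_SETTINGS / DC_ONLY_* are the editor's
own selection of parameters, not an official Samba list.
"""
import re
from collections import defaultdict

# normalised name -> set of values that weaken auth (None: flag the parameter
# whatever its value, because Samba itself reports it as deprecated)
WEAK_SETTINGS = {
    "lanman auth": None,                                  # deprecated (warned)
    "ntlm auth": {"yes", "true"},                         # re-enables NTLMv1
    "require strong key": {"no", "false"},
    "ldap server require strong auth": {"no", "false"},
    "winbind sealed pipes": {"no", "false"},              # unsealed winbind RPC
}
DC_ONLY_PARAMS = {"server services", "idmap_ldb:use rfc2307"}  # AD DC only
DC_ONLY_SHARES = {"sysvol", "netlogon"}                        # AD DC only

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_PARAM = re.compile(r"^([^=;#][^=]*?)\s*=\s*(.*?)$")

def _norm(name):
    """Case-insensitive, whitespace-collapsed parameter/section name."""
    return re.sub(r"\s+", " ", name.strip()).lower()

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping every assignment in order."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if (m := _SECTION.match(line)):
            current = _norm(m.group(1))
            sections.setdefault(current, [])   # keep empty sections such as [netlogon]
        elif (m := _PARAM.match(line)) and current is not None:
            sections[current].append((_norm(m.group(1)), m.group(2).strip()))
    return dict(sections)

def effective(sections):
    """What Samba actually applies: dict() keeps the last value of a repeated key."""
    return {sec: dict(params) for sec, params in sections.items()}

def find_duplicates(sections):
    """{(section, key): [every value seen]} for keys assigned more than once."""
    out = {}
    for sec, params in sections.items():
        seen = defaultdict(list)
        for key, value in params:
            seen[key].append(value)
        out.update({(sec, k): v for k, v in seen.items() if len(v) > 1})
    return out

def find_weak_settings(sections):
    """Effective [global] settings that weaken authentication or are deprecated."""
    glob = effective(sections).get("global", {})
    return [(k, glob[k]) for k, weak in WEAK_SETTINGS.items()
            if k in glob and (weak is None or glob[k].lower() in weak)]

def find_dc_only(sections):
    """(params, shares) that belong to an AD DC, not to a domain member."""
    glob = effective(sections).get("global", {})
    return (sorted(k for k in DC_ONLY_PARAMS if k in glob),
            sorted(s for s in DC_ONLY_SHARES if s in sections))

# Trimmed excerpt of the smb.conf posted in the thread (constructed sample input).
POSTED_CONF = """
[global]
        winbind sealed pipes = false
        require strong key = false
        lanman auth = no
        ntlm auth = yes
        ntlm auth = mschapv2-and-ntlmv2-only
        client signing = auto
        workgroup = hebe
        client signing = auto
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
[sysvol]
        path = /usr/share/samba/sysvol
[netlogon]
"""

# The minimal member config Stefan suggested in his reply.
SUGGESTED_CONF = """
[global]
       workgroup = hebe
       realm = hebe.us
       security = ADS
       winbind refresh tickets = Yes
       winbind use default domain = yes
       idmap config * : range = 10000 - 19999
       idmap config hebe : backend = rid
       idmap config hebe : range =  100000 - 199999
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("suggested", SUGGESTED_CONF)):
        s = parse_smb_conf(conf)
        print(f"== {name}: duplicates={find_duplicates(s)}")
        print(f"   weak={find_weak_settings(s)} dc_only={find_dc_only(s)}")
```

Run against the posted excerpt it reports "ntlm auth" and "client signing" as duplicated, shows that the effective "ntlm auth" is the NTLMv2-only value (so the "yes" line is dead, not a live NTLMv1 hole), flags the four weak settings, and lists the DC-only "server services", "idmap_ldb:use rfc2307", [sysvol] and [netlogon]; Stefan's suggested config produces no findings. To lint a real file, replace POSTED_CONF with open("/etc/samba/smb.conf").read().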



