[Samba] samba fails to connect to windows file share joined to domain

jacek burghardt jaceksburghardt at gmail.com
Wed Dec 13 15:44:48 UTC 2023


I see this in the logs, what is causing it?

[2023/12/13 07:38:25.104382,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:38:55.142864,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:39:25.152964,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:39:55.130647,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:40:25.150802,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:40:55.162914,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)

On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 12 Dec 2023 19:32:10 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > Am 12.12.23 um 17:46 schrieb jacek burghardt via samba:
> > > I am using arch linux
> > > This is my fstab entry, using a credentials file for a Windows domain user:
> > >
> > > //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
> > >
> > > I ran hardening kitty scripts.
> > >
> > > Windows and OS X clients can mount the shares, but Linux has an issue.
> > >
> > >
> > > [global]
> > >          netbios name = radiorec
> > >          socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > >          winbind sealed pipes = false
> > >          require strong key = false
> > >          winbind sealed pipes:HEBE = true
> > >          require strong key:HEBE = true
> > >          lanman auth = no
> > >          ntlm auth = yes
> > >          ntlm auth = mschapv2-and-ntlmv2-only
> > >          client signing = auto
> > >          server signing = auto
> > >          winbind enum users = yes
> > >          winbind gid = 10000-20000
> > >          workgroup = hebe
> > >          os level = 20
> > >          winbind enum groups = yes
> > >          password server = den-dc01.hebe.us
> > >          preferred master = no
> > >          winbind separator = +
> > >          max log size = 50
> > >          log file = /var/log/samba/log.%m
> > >          dns proxy = no
> > >          realm = hebe.us
> > >          security = ADS
> > >          wins server = 192.168.1.8
> > >          wins proxy = no
> > >          client signing = auto
> > >          server signing = auto
> > >          domain master = auto
> > >          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > >          idmap_ldb:use rfc2307 = yes
> > >          ldap server require strong auth = No
> > >          idmap config * : backend = tdb
> > >          idmap config * : range = 10000-20000
> > >          winbind use default domain = Yes
> > >          winbind enum users = Yes
> > >          winbind enum groups = Yes
> > >          winbind nested groups = Yes
> > >          winbind separator = +
> > >          winbind refresh tickets = yes
> > >          winbind offline logon = yes
> > >          winbind cache time = 300
> > >          template shell = /bin/bash
> > >          template homedir = /home/%D/%U
> > >
> > >          inherit acls = Yes
> > >          map acl inherit = Yes
> > >          acl group control = yes
> > >
> > >          load printers = no
> > >          debug level = 3
> > >          use sendfile = no
> > >          vfs objects = acl_xattr shadow_copy2
> > >
> > > [sysvol]
> > >           path = /usr/share/samba/sysvol
> > >           read only = No
> > >
> > > [netlogon]
> > >
> > > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > >> On Mon, 11 Dec 2023 19:07:47 -0700
> > >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> > >>
> > >>> After running hardening scripts Samba can't mount Windows shares.
> > >>
> > >> What 'hardening scripts', what did they do ?
> > >> Samba doesn't mount anything, it provides the shares to mount.
> > >>
> > >>> I get an error trying to mount the share
> > >>>
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> > >>> keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> > >>> keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>>
> > >>
> > >> That is actually coming from mount.cifs and '-126' is 'Required
> > >> key not available', so does the user that is doing the mount have
> > >> a kerberos ticket ?
> > >>
> > >>> I get following errors:
> > >>>
> > >>> [root at radiorec admin]# smbclient -k -L winnas
> > >>> WARNING: The option -k|--kerberos is deprecated!
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > >>> mechtype in NEG_TOKEN_INIT
> > >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> > >>>
> > >>> [root at radiorec admin]# smbclient  -L winnas
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> Password for [HEBE\root]:
> > >>>
> > >>> [root at radiorec admin]# smbclient  -L winnas -U jacek
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> Password for [HEBE\jacek]:
> > >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> > >>>
> > >>> Is there a GPO I need to disable, or can I change the config in Samba
> > >>> to get the shares to mount?
> > >>>
> > >>> I see a domain relationship failure, but wbinfo works
> > >>
> > >> I think you need to give us more information:
> > >> What OS ?
> > >> What version of Samba ?
> > >> The contents of your smb.conf
> > >> The mount command you are using
> > >>
> > >> Rowland
> > >>
> > >>
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >>
> > You did not tell us if you could join the domain (I think with
> > your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
> > you are talking about) is not a domain member, you can't use
> > Kerberos. Your smb.conf is (let's be kind) not working.
> >
> > This could be a start for your smb.conf:
> > -----------------------
> > [global]
> >        workgroup = hebe
> >        realm = hebe.us
> >        security = ADS
> >        winbind refresh tickets = Yes
> >        winbind use default domain = yes
> >        idmap config * : range = 10000 - 19999
> >        idmap config hebe : backend = rid
> >        idmap config hebe : range =  100000 - 199999
> > -----------------------
> >
> > Then join the domain with "net ads join -U administrator" (or any
> > other user who is a member of the "domain admins" group).
> >
> > Then to mount the share you can try it via fstab and a credentials file,
> > but every time you change your password the mount will fail. Better
> > use libpam-mount. (You will find a lot of info about configuring
> > libpam-mount with Google.)
> >
> > With libpam-mount AND as a domain member your Linux client can mount
> > shares using Kerberos for authentication.
> >
> > Stefan
> >
> >
>
> Hi Stefan,
> Whilst I cannot argue with anything you have written and would agree
> your setup will work, I still feel we need more information; it seems
> we are only being told half the story.
>
> Rowland
>
>
>
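As an added example (not code from this thread or from the Samba project), here is a Python triage script that parses the two kinds of log output quoted above, the multi-line winbindd debug entries and the kernel's "CIFS: VFS" lines from dmesg, and turns them into findings. The sample input is copied from the quoted messages; the errno table is the Linux kernel's (the -126 is ENOKEY, "Required key not available", exactly as Rowland says). The reading of the codes (a repeated NT_STATUS_LOGON_FAILURE from wbd_ping_dc_done being winbindd's own machine-account session to the DC, ENOKEY from mount.cifs with sec=krb5* being a missing Kerberos ticket for the mounting user), the repeat threshold and the suggested 'net ads testjoin' / 'wbinfo -t' checks are this example's own assumptions, not anything the posters stated.

```python
"""Added example: triage the two log sources quoted in this thread, winbindd
debug entries (spread over several lines) and kernel CIFS messages from dmesg."""
import re
from collections import Counter

# Kernel errno values as they appear negated in "CIFS: VFS: ... = -N" lines.
# The client in the thread is Linux, so Linux values are used regardless of
# the platform this script runs on (126 is ENOKEY, "Required key not available").
_LINUX_ERRNO = {2: "ENOENT", 5: "EIO", 13: "EACCES", 22: "EINVAL",
                110: "ETIMEDOUT", 111: "ECONNREFUSED", 126: "ENOKEY"}

# "[2023/12/13 07:38:25.104382,  1]" -> timestamp, debug level
_WB_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]")
# "../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)" -> line, function
_WB_SOURCE = re.compile(r"^\s*\S+:(\d+)\((\w+)\)\s*$")
# "... failed for domain: HEBE - NT_STATUS_LOGON_FAILURE" -> domain, status
_WB_STATUS = re.compile(r"domain:\s*(\S+)\s*-\s*(NT_STATUS_\w+)")
# "[72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126" -> context, errno
_CIFS_ERR = re.compile(r"CIFS: VFS: (.*?)\s*=\s*(-?\d+)\s*$")

# Sample input copied from the thread; the last winbindd entry stops after its
# source line, exactly as in the quoted log (constructed test data for this example).
SAMPLE_WINBINDD = """\
[2023/12/13 07:38:25.104382,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:38:55.142864,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE -
NT_STATUS_LOGON_FAILURE

[2023/12/13 07:40:55.162914,  1]
../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
"""
SAMPLE_DMESG = r"""[72860.509128] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
[72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
"""


def parse_winbindd_log(text):
    """One (timestamp, level, function, domain, nt_status) per entry. The
    source may follow the header on the same line or on the next one, and
    the message may wrap, so its lines are joined until the next header."""
    entries, header, source, body = [], None, None, []

    def flush():
        if header is None:
            return
        match = _WB_STATUS.search(" ".join(s.strip() for s in body))
        domain, status = match.groups() if match else (None, None)
        entries.append((header[0], int(header[1]),
                        source[1] if source else None, domain, status))

    for line in text.splitlines():
        hdr = _WB_HEADER.match(line)
        if hdr:
            flush()
            header, body = hdr.groups(), []
            src = _WB_SOURCE.match(line[hdr.end():])
            source = src.groups() if src else None
        elif header is not None:
            src = _WB_SOURCE.match(line)
            if src and source is None:
                source = src.groups()
            elif line.strip():
                body.append(line)
    flush()
    return entries


def parse_cifs_dmesg(text):
    """(context, errno, name) for every CIFS: VFS line that ends in '= -N'."""
    found = []
    for line in text.splitlines():
        match = _CIFS_ERR.search(line)
        if match:
            code = abs(int(match.group(2)))
            found.append((match.group(1).strip(), code,
                          _LINUX_ERRNO.get(code, "errno %d" % code)))
    return found


def diagnose(winbindd_text, dmesg_text, repeats=2):
    """Findings from both logs. The reading of the codes is this example's own:
    repeated LOGON_FAILURE from wbd_ping_dc_done is winbindd's machine-account
    session to a DC being refused; ENOKEY from mount.cifs with sec=krb5* means
    no Kerberos ticket was found for the mounting user."""
    findings = []
    counts = Counter((f, d, s) for _, _, f, d, s in parse_winbindd_log(winbindd_text) if s)
    for (func, domain, status), n in sorted(counts.items()):
        if func == "wbd_ping_dc_done" and status == "NT_STATUS_LOGON_FAILURE" and n >= repeats:
            findings.append("winbindd: %dx %s pinging a DC of %s; verify the machine "
                            "account with 'net ads testjoin' and 'wbinfo -t'" % (n, status, domain))
    seen = set()  # one finding per errno, not one per CIFS log line
    for ctx, code, name in parse_cifs_dmesg(dmesg_text):
        if code not in seen:
            seen.add(code)
            hint = ("; no krb5 ticket for the mounting user, or cifs.upcall/keyutils missing"
                    if name == "ENOKEY" else "")
            findings.append("cifs: '%s' = -%d (%s)%s" % (ctx, code, name, hint))
    return findings


if __name__ == "__main__": print("\n".join(diagnose(SAMPLE_WINBINDD, SAMPLE_DMESG)))
```

Run as a script it prints the two findings for the sample; in practice you would pass it the contents of the winbindd log file and the kernel ring buffer instead. The parser keeps the header and source separate from the message so that it also works when Samba writes the header and source on one line, which is how the log looks when it is not reflowed by a mail client.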

