[Samba] samba fails to connect to windows file share joined to domain
jacek burghardt
jaceksburghardt at gmail.com
Wed Dec 13 15:44:48 UTC 2023
I see this in the logs. What is causing it?
[2023/12/13 07:38:25.104382, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:38:55.142864, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:25.152964, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:39:55.130647, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:25.150802, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
  wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain: HEBE - NT_STATUS_LOGON_FAILURE
[2023/12/13 07:40:55.162914, 1] ../../source3/winbindd/winbindd_util.c:772(wbd_ping_dc_done)
On Tue, Dec 12, 2023 at 11:51 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 12 Dec 2023 19:32:10 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> >
> >
> > On 12.12.23 at 17:46, jacek burghardt via samba wrote:
> > > I am using arch linux
> > > This is my fstab entry using cred for windows domain user
> > >
> > > //winnas/radio /radio cifs credentials=/etc/samba/credentials/radiorec,vers=2.0,uid=1000,gid=1000,iocharset=utf8,sec=krb5i,nofail 0 0
> > >
> > > I run hardening kitty scripts.
> > >
> > > Windows and osx clients can mount the shares but linux has an issue.
> > >
> > >
> > > [global]
> > > netbios name = radiorec
> > > socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > > winbind sealed pipes = false
> > > require strong key = false
> > > winbind sealed pipes:HEBE = true
> > > require strong key:HEBE = true
> > > lanman auth = no
> > > ntlm auth = yes
> > > ntlm auth = mschapv2-and-ntlmv2-only
> > > client signing = auto
> > > server signing = auto
> > > winbind enum users = yes
> > > winbind gid = 10000-20000
> > > workgroup = hebe
> > > os level = 20
> > > winbind enum groups = yes
> > > password server = den-dc01.hebe.us
> > > preferred master = no
> > > winbind separator = +
> > > max log size = 50
> > > log file = /var/log/samba/log.%m
> > > dns proxy = no
> > > realm = hebe.us
> > > security = ADS
> > > wins server = 192.168.1.8
> > > wins proxy = no
> > > client signing = auto
> > > server signing = auto
> > > domain master = auto
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > idmap_ldb:use rfc2307 = yes
> > > ldap server require strong auth = No
> > > idmap config * : backend = tdb
> > > idmap config * : range = 10000-20000
> > > winbind use default domain = Yes
> > > winbind enum users = Yes
> > > winbind enum groups = Yes
> > > winbind nested groups = Yes
> > > winbind separator = +
> > > winbind refresh tickets = yes
> > > winbind offline logon = yes
> > > winbind cache time = 300
> > > template shell = /bin/bash
> > > template homedir = /home/%D/%U
> > >
> > > inherit acls = Yes
> > > map acl inherit = Yes
> > > acl group control = yes
> > >
> > > load printers = no
> > > debug level = 3
> > > use sendfile = no
> > > vfs objects = acl_xattr shadow_copy2
> > >
> > > [sysvol]
> > > path = /usr/share/samba/sysvol
> > > read only = No
> > >
> > > [netlogon]
> > >
> > > On Tue, Dec 12, 2023 at 1:26 AM Rowland Penny via samba <
> > > samba at lists.samba.org> wrote:
> > >
> > >> On Mon, 11 Dec 2023 19:07:47 -0700
> > >> jacek burghardt via samba <samba at lists.samba.org> wrote:
> > >>
> > >>> After running hardening scripts samba can't mount windows shares.
> > >>
> > >> What 'hardening scripts', what did they do?
> > >> Samba doesn't mount anything, it provides the shares to mount.
> > >>
> > >>> I get an error trying to mount the share
> > >>>
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> > >>> keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>> [72860.509158] CIFS: VFS: cifs_mount failed w/return code = -126
> > >>> [72860.509128] CIFS: VFS: Verify user has a krb5 ticket and
> > >>> keyutils is installed
> > >>> [72860.509137] CIFS: VFS: \\winnas Send error in SessSetup = -126
> > >>>
> > >>
> > >> That is actually coming from mount.cifs and '-126' is 'Required
> > >> key not available', so does the user that is doing the mount have
> > >> a Kerberos ticket?
> > >>
> > >>> I get the following errors:
> > >>>
> > >>> [root at radiorec admin]# smbclient -k -L winnas
> > >>> WARNING: The option -k|--kerberos is deprecated!
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> gensec_spnego_client_negTokenInit_step: Could not find a suitable
> > >>> mechtype in NEG_TOKEN_INIT
> > >>> session setup failed: NT_STATUS_INVALID_PARAMETER
> > >>>
> > >>> [root at radiorec admin]# smbclient -L winnas
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> Password for [HEBE\root]:
> > >>>
> > >>> [root at radiorec admin]# smbclient -L winnas -U jacek
> > >>> lpcfg_do_global_parameter: WARNING: The "lanman auth" option is
> > >>> deprecated
> > >>> Password for [HEBE\jacek]:
> > >>> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> > >>>
> > >>> Is there a GPO I need to disable, or can I change the config in Samba to
> > >>> get shares to mount?
> > >>>
> > >>> I see a domain relationship failure, but wbinfo works.
> > >>
> > >> I think you need to give us more information:
> > >> What OS?
> > >> What version of Samba?
> > >> The contents of your smb.conf
> > >> The mount command you are using
> > >>
> > >> Rowland
> > >>
> > >>
> > >>
> > You did not tell us if you could join the domain (I think with
> > your smb.conf "NO" "NEVER"). If your Linux client (I think that's what
> > you are talking about) is not a domain member, you can't use
> > Kerberos. Your smb.conf is (let's be kind) not working.
> >
> > This could be a start for your smb.conf:
> > -----------------------
> > [global]
> > workgroup = hebe
> > realm = hebe.us
> > security = ADS
> > winbind refresh tickets = Yes
> > winbind use default domain = yes
> > idmap config * : range = 10000 - 19999
> > idmap config hebe : backend = rid
> > idmap config hebe : range = 100000 - 199999
> > -----------------------
> >
> > Then join the domain with "net ads join -U administrator" (or any
> > other user who is a member of the "domain admins" group).
> >
> > Then to mount the share you can try it via fstab and a credentials file,
> > but every time you change your password the mount will fail. Better
> > use libpam-mount. (You will find a lot of info about configuring
> > libpam-mount with Google.)
> >
> > With libpam-mount AND as a domain member, your Linux client can mount
> > shares using Kerberos for authentication.
> >
> > Stefan
> >
> >
>
> Hi Stefan,
> Whilst I cannot argue with anything you have written and would agree
> your setup will work, I still feel we need more information, it seems
> we are only being told half the story.
>
> Rowland
>
>
>
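Added example, not part of the thread and not Samba project code: a small Python check over lines from the smb.conf quoted above. It applies smb.conf's rule that a later assignment of the same parameter replaces an earlier one, then lists the duplicated parameters and the effective values that relax secure-channel or authentication requirements. The WEAK rule table and the names norm() and audit() are assumptions of this example.

```python
import re

# Constructed excerpt: selected [global] lines from the smb.conf posted in the thread.
SAMPLE = """\
[global]
winbind sealed pipes = false
require strong key = false
winbind sealed pipes:HEBE = true
require strong key:HEBE = true
lanman auth = no
ntlm auth = yes
ntlm auth = mschapv2-and-ntlmv2-only
client signing = auto
client signing = auto
ldap server require strong auth = No
"""

# Assumed review rules (this example's, not Samba's): normalised name -> values to flag.
WEAK = {
    "requirestrongkey": {"false", "no", "0"},
    "winbindsealedpipes": {"false", "no", "0"},
    "ldapserverrequirestrongauth": {"false", "no", "0"},
    "ntlmauth": {"yes", "true", "1", "ntlmv1-permitted"},  # these permit NTLMv1
}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def audit(text):
    """Return (effective, duplicates, weak) for an smb.conf string."""
    section, effective, dups = None, {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = (p.strip() for p in line.split("=", 1))
        key = (section, norm(name))
        if key in effective:
            dups.append((key, effective[key][0], n))  # later line overrides earlier
        effective[key] = (n, value)
    weak = [(k, v) for k, (_, v) in effective.items()
            if v.lower() in WEAK.get(k[1], ())]
    return effective, dups, weak
```

On this excerpt the second "ntlm auth" line is the effective one, so the earlier "yes" is reported as a duplicate rather than as a weak value, while the global "require strong key" and "winbind sealed pipes" settings are flagged even though the HEBE-specific overrides set them to true.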