[Samba] Kerberos ticket renew causes a brief network interruption
Hans van Leeuwen
HansvanLeeuwen at mailstreet.nl
Mon Oct 28 13:41:11 UTC 2024
Hi Rowland Penny,
Indeed the "idmap.config" parameter line is not added to the smb.conf file.
But the command below shows that the default values are used.
testparm -vs | grep idmap.config
idmap config * : range = 100000-200000
idmap config * : backend = tdb
I did not set sssd, so if sssd is used it happened automatically.
Can idmap.config and sssd affect the Kerberos usage?
Best regards,
Hans van Leeuwen.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, October 25, 2024 10:51 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption
On Fri, 25 Oct 2024 08:35:08 +0000
Hans van Leeuwen via samba <samba at lists.samba.org> wrote:
> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv".
> On the Windows system, the Samba disk is mapped with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of the Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias".
> This is an "Alias (CNAME)" to the DNS "Host (A)" record "samba-srv".
>
> The Y-drive is removed and created again, now with the host
> "samba-srv-alias":
> C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Now too the Samba disk on samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packets. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packets.
>
> The problem that the share is not available for some seconds also
> doesn't occur when the share is not on Samba but on another Windows
> system, also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a logfile when the share is not available and
> when it is available again.
>
> Start the hotfolderscan program e.g. in the way below:
> C:>hotfolderscan.exe Y:\ C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba-server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client min protocol = SMB3_02
> log file = /var/log/samba
> max open files = 65536
> realm = MAIL-STREET.LOCAL
> restrict anonymous = 2
> security = ADS
> server min protocol = SMB3_02
> server signing = required
> smb ports = 445
> template shell = /bin/bash
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind separator = ^
> winbind use default domain = Yes
> workgroup = MAIL-STREET
> full_audit:priority = notice
> full_audit:facility = local5
> full_audit:failure = none
> full_audit:success = open close read write mkdirat renameat unlinkat openat
> full_audit:prefix = %u|%I|%S
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
> vfs objects = full_audit
>
>
> [customers]
> create mask = 0777
> directory mask = 0777
> force directory mode = 0777
> force group = Yschijfusers
> path = /var/local/customers
> read only = No
> valid users = @Yschijfusers
One of two things seems to be going on here:
You just have a mis-configured smb.conf (no 'idmap.config' lines for
the 'MAIL-STREET' domain).
You are also using sssd.
Which is it?
Rowland
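The hotfolderscan attachment from the original post is not on this page. As an added example (my own code, not the attachment), this POSIX C monitor implements the behaviour Hans describes: it lists a folder on the share every 3 seconds and logs only the transitions, in the same format as the quoted log lines, so the errno of the failing call (2 = ENOENT in the quoted log) is recorded. It assumes a POSIX dirent API (Linux, or MinGW on Windows with a mapped drive such as Y:\ as the folder argument).

```c
/* Added example, not the hotfolderscan attachment from the original post.
   Polls a folder every 3 seconds and logs only availability transitions,
   in the same format as the log lines quoted in the thread. Assumes POSIX dirent. */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
typedef struct {
    int available;   /* 1 while the last probe succeeded */
    int last_errno;  /* errno of the last failed probe, 0 otherwise */
} ShareState;
/* Probe the share by listing the folder. Returns 1 on success, 0 on failure
   (errno of the failing call stored in *err). Reading the entries, not just
   opening the directory, also catches a mount that drops mid-listing. */
static int probe_dir(const char *path, int *err) {
    DIR *d = opendir(path);
    if (d == NULL) { *err = errno; return 0; }
    errno = 0;
    while (readdir(d) != NULL) { /* entries are not needed, only the outcome */ }
    *err = errno;               /* stays 0 when readdir reached the end cleanly */
    closedir(d);
    return *err == 0;
}
/* One poll. Writes a log line and returns 1 only when availability changed. */
int poll_share(ShareState *st, const char *path, FILE *log) {
    int err = 0;
    int ok = probe_dir(path, &err);
    if (ok == st->available) return 0;
    char ts[32];
    time_t now = time(NULL);
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", localtime(&now));
    if (ok)
        fprintf(log, "%s Share available again\n", ts);
    else
        fprintf(log, "%s Error %d %s\n", ts, err, strerror(err));
    fflush(log);
    st->available = ok; st->last_errno = err;
    return 1;
}
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <folder> <logfile>\n", argv[0]); return 1; }
    FILE *log = fopen(argv[2], "a");
    if (log == NULL) { perror(argv[2]); return 1; }
    ShareState st = { 1, 0 };   /* start as "available" so the first outage is logged */
    for (;;) { poll_share(&st, argv[1], log); sleep(3); }
}
```

Running it against the mapped share alongside a packet capture lets you line the outage timestamps up with the Kerberos AP-REQ/AP-REP exchange at renewal time, which is the correlation the thread is trying to establish.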
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba