[Samba] Kerberos ticket renew causes a brief network interruption

Hans van Leeuwen HansvanLeeuwen at mailstreet.nl
Mon Oct 28 13:41:11 UTC 2024


Hi Rowland Penny,

Indeed the "idmap.config" parameter line is not added to the smb.conf file.
But the command below shows that the default values are used.
testparm -vs | grep idmap.config 
        idmap config * : range = 100000-200000
        idmap config * : backend = tdb

I did not set sssd, so if sssd is used it happened automatically.

Can idmap.config and sssd affect the Kerberos usage?

Best regards,
Hans van Leeuwen.


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, October 25, 2024 10:51 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Kerberos ticket renew causes a brief network interruption

On Fri, 25 Oct 2024 08:35:08 +0000
Hans van Leeuwen via samba <samba at lists.samba.org> wrote:

> Hi Samba engineer,
>
> We use an Ubuntu 20.04.6 system as Samba server.
> The Samba version is 4.15.13-Ubuntu.
> The SMB client is a Windows Server 2022 Standard 21H2.
>
> The hostname of the Ubuntu Samba server is "samba-srv".
> On the Windows system, the Samba disk is shared with the command:
> C:>net use Y: \\samba-srv\customers /u:hans
> Enter the password for 'hans' to connect to 'samba-srv':
> The command completed successfully
>
> Now the Samba disk on system samba-srv can be accessed on the Y-drive.
> The network analyzer Wireshark shows that Kerberos is used to encrypt
> the network packets. But at the moment of Kerberos ticket renewal,
> the Samba share is not available for some seconds.
>
> Another DNS record is created with the name "samba-srv-alias".
> This is an "Alias (CNAME)" to the DNS "Host (A)" "samba-srv".
>
> The Y-drive is removed and created again, now with "samba-srv-alias"
> as host:
> C:>net use Y: \\samba-srv-alias\customers /u:hans
>
> Also now the Samba disk on the samba-srv can be accessed on the
> Y-drive. But Wireshark now shows that NTLM is used to encrypt the
> network packets. NTLM doesn't work with tickets that need to be
> renewed. The problem that the Samba share is not available for some
> seconds doesn't occur when NTLM is used to encrypt the network
> packets.
>
> The problem that the share is not available for some seconds also
> doesn't occur when the share is not on Samba but on another Windows
> system, also when Kerberos is used.
>
> The attachment contains the C program source that can be used to
> reproduce the problem. This source can be compiled on Windows with
> e.g. gcc.
>
> The program reads a folder on the share every 3 seconds to check for
> files and writes to a logfile when the share is not available and
> when it is available again.
>
> Start the hotfolderscan program e.g. as below:
> C:>hotfolderscan.exe  Y:\  C:\temp\folderscan.log
>
> After +/- 10 hours, when Kerberos renews the ticket, the lines below
> are written in the log file:
> 2024-10-23 09:09:13 Error 2 No such file or directory
> 2024-10-23 09:09:16 Share available again
>
> It seems that Samba doesn't handle the Kerberos ticket renewal in the
> right way.
>
> Best regards,
> Ing. Hans van Leeuwen
>
>
> The used Samba parameters on the Samba-server
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>       client min protocol = SMB3_02
>       log file = /var/log/samba
>       max open files = 65536
>       realm = MAIL-STREET.LOCAL
>       restrict anonymous = 2
>       security = ADS
>       server min protocol = SMB3_02
>       server signing = required
>       smb ports = 445
>       template shell = /bin/bash
>       winbind enum groups = Yes
>       winbind enum users = Yes
>       winbind separator = ^
>       winbind use default domain = Yes
>       workgroup = MAIL-STREET
>       full_audit:priority = notice
>       full_audit:facility = local5
>       full_audit:failure = none
>       full_audit:success = open close read write mkdirat renameat unlinkat openat
>       full_audit:prefix = %u|%I|%S
>       idmap config * : range = 10000-20000
>       idmap config * : backend = tdb
>       vfs objects = full_audit
>
>
> [customers]
>       create mask = 0777
>       directory mask = 0777
>       force directory mode = 0777
>       force group = Yschijfusers
>       path = /var/local/customers
>       read only = No
>       valid users = @Yschijfusers

One of two things seems to be going on here:
You just have a mis-configured smb.conf (no 'idmap.config' lines for
the 'MAIL-STREET' domain).

You are also using sssd.

Which is it ?

Rowland
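A portable reconstruction of the hotfolderscan reproducer described in the quoted report (an added example, not the attachment from the original post): it probes a folder every 3 seconds and logs only availability transitions, in the shape of the report's log lines. It assumes POSIX dirent/unistd, which MinGW gcc also provides on Windows, and the outage length printed on recovery is an addition not in the original log.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <dirent.h>
#include <unistd.h>
/* available: 1 while the last probe succeeded; since: when that state began */
typedef struct { int available; time_t since; } scan_state;

/* Try to list the folder; return 0 on success or the errno of the failure. */
int probe_folder(const char *path) {
    DIR *d = opendir(path);
    if (d == NULL) return errno;
    closedir(d);
    return 0;
}

/* Feed one probe result into the state machine: returns 1 and fills msg only
 * on a transition. Reporting the outage length is an addition (assumption). */
int record_probe(scan_state *st, int err, time_t now, char *msg, size_t n) {
    if (err != 0 && st->available) {
        st->available = 0;
        snprintf(msg, n, "Error %d %s", err, strerror(err));
    } else if (err == 0 && !st->available) {
        st->available = 1;
        snprintf(msg, n, "Share available again after %ld s",
                 (long)difftime(now, st->since));
    } else {
        return 0;
    }
    st->since = now;
    return 1;
}

/* Poll the folder every 3 seconds; redirect stdout to keep a log file. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <folder>\n", argv[0]); return 1; }
    scan_state st = { 1, time(NULL) };
    char msg[256], stamp[32];
    for (;;) {
        time_t now = time(NULL);
        if (record_probe(&st, probe_folder(argv[1]), now, msg, sizeof msg)) {
            strftime(stamp, sizeof stamp, "%Y-%m-%d %H:%M:%S", localtime(&now));
            printf("%s %s\n", stamp, msg);
            fflush(stdout);
        }
        sleep(3);
    }
}
```

Run it against the mapped drive (e.g. `hotfolderscan Y:\ >> folderscan.log`) and compare the timestamp of each outage with the ticket lifetime seen in `klist`.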
