Web lists-archives.com

Re: [Samba] Using GPO to mount shares on Linux




Hello, tanks for the info.

El 20 oct. 2017 16:06, "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx>
escribió:

Hai,

now realmd sssd and autofs are all not my cookies.. but..

i see 2 things.
1) you missing the CIFS spn.
here is shows how to make them and extract them.
https://wiki.samba.org/index.php/Generating_Keytabs
https://wiki.samba.org/index.php/Keytab_Extraction



I've to do this on member server with the shares or in client machine?. I'm
pretty sure that on client machine, but to be fully sure ;)



2) for the smblcient try :

smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3
-m SMB2

....added -m SMB2 at the end.


last, i see :  /var/run/samba/gencache_notrans.tdb
Can you post also an output of  samba -b
That path is normaly /var/cache/samba/ not that its wrong, but it may help
so see how samba was builded.



I don't know when I'll have access to that computer again, but I've
installed samba from xUbuntu 16.04 official repository.

Anyway, on that errors appear both paths, but I've granted permissions to
user to modify on the other path to see if maybe was the problem and then
the error has disappeared.

Thanks!!!




Greetz,

Louis




Van: Daniel Carrasco [mailto:d.carrasco@xxxxxxxxx]
Verzonden: vrijdag 20 oktober 2017 14:58
Aan: L.P.H. van Belle
CC: samba@xxxxxxxxxxxxxxx
Onderwerp: Re: [Samba] Using GPO to mount shares on Linux



Hello,

Sorry for take so long to answer, but I was not able to do the tests
because the computer is in use and out of my office.


Finally I've progressed in this topic with realmd, sssd and autofs, but now
I'm locked on mounting shares from my member server.
I'm able to use autofs and smbclient to mount and connect to sysvol share
on my DC server, but when I try to connect to my member server I get this
error:
----------------
smbclient //server.domain.dom/escaner -U user -W DOMAIN.DOM -R host -k -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
added interface enp1s0 ip=192.168.0.xx bcast=192.168.0.255
netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
resolve_hosts: Attempting host lookup for name server.domain.dom<0x20>
tdb(/var/run/samba/gencache_notrans.tdb): tdb_open_ex: could not open file
/var/run/samba/gencache_notrans.tdb: Permiso denegado
Connecting to 192.168.0.xxx at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
cli_session_setup_spnego: using target hostname not SPNEGO principal
cli_session_setup_spnego: guessed server principal=cifs/server.domain.
dom@xxxxxxxxxx
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
gss_init_sec_context failed with [ Miscellaneous failure (see text): Server
(cifs/server@xxxxxxxxxx) unknown]
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INTERNAL_ERROR
SPNEGO login failed: An internal error occurred.
session setup failed: NT_STATUS_INTERNAL_ERROR

----------


I've missed something?.


My member server has joined Samba DC and is able to authenticate the
Windows clients.


Thanks!!


2017-10-11 16:52 GMT+02:00 L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx
>:
Wohoo, finaly i could help Rowland :-p  ;-)

I follow this as guidance:

1 server ( all in one ) use RID, easy to setup etc, but .. If you go to ...
Or have plans to..

2 servers ( DC + a member )
        use backend RID if you dont need access with a windows account to a
shared home folder. ( cifs or nfs )
                you use a dedicated local "linuxAdmin" for maintanace. (
often the first created user in linux )
        use backend AD if you do need access with ssh for example or shared
homefolders.

3 server or more, all server where ssh or access to a server with a shared
folder is needed, use backend AD.
        adviced is all servers with file shares.
        Optional, mix this with RID, for example for a dedicated print
server, or proxy server (auth).

I use setup 3.
Multiple servers with AD and RID mixed on the members, based on function.

A NFS pointer is.
Make sure you set you home folder 755, kerberos ( MIT ), lookf or .klogin
in the home dir.
If the setup is to tight this fails.  ( workaround: disable .klogin
checking in krb5.conf )
And nfs/hostname.FQDN needs to be added to HOSTNAME$ where its needed.

For Cifs. You may need to add these lines in krb5.conf cifs uses them nfs
not.
; for Windows 2008 with AES
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
rc4-hmac des-cbc-crc des-cbc-md5

Now here, if you see, Required keys not available, no matter what you do
Then you probley are missing these line in krb5.conf.

The source i use for above info :
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/mount_ms_
cifs_using_ad_krb.html
http://www.cs.rug.nl/~jurjen/ApprenticesNotes/ad_nfs4.html

Its a .nl domain but its in english  ;-) and contains still good info.
Just beware its based on debian squeeze.
And a handy to know.
https://support.microsoft.com/en-us/help/977321/kdc-event-
id-16-or-27-is-logged-if-des-for-kerberos-is-disabled

Greetz,

Louis


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba






--
_________________________________________

      Daniel Carrasco Marín

      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba