I have set up Samba, but it has been years. I have scoured the net for tips all day before making this post. This install is fresh with a single test user and just Samba with neth AD. The only non-defaults I set were the NETBIOS name, to be the FQDN host portion name, and the IP. Aside from the authentication it appears to be working. That is, I can create a share, and if it is tied to the user I can see the folder but not enter it. If I have the rights set to guest read write then I can enter the folder. This is both Windows 10 and an Ubuntu 18.04 host looking at the share.
I guess I am wondering if there is some magic, like in the past when at some point you had to have all caps and no special characters in the password, install x version SSL… stuff like that you just had to know. I have installed on a few different machines but out-of-the-box it is not working for me. Oh, almost forgot: there was a complaint by a test tool that workgroup and netbios were the same and needed to be unique. I made them unique, which didn’t matter. I can also use some Samba tools to talk to the AD server and get some user information, though not all of it, as it is rejecting the authentication.
I noticed maybe a minor bug: in some places the output indicates the host is “92” instead of “192”. Not that it means anything, but it stood out to me.
The workgroup is set automatically. I haven’t mixed case, that’s the output. The tool is outputting 92 instead of 192. I can ping test to resolve 192.168.100.65
When I install neth, the full name is files.testit.com. When I install samba it autopopulates the netbios name with testit. I change it to files. I will completely reinstall with a unique domain from my others and see what happens.
Fresh install with unique names and a couple additional tests. It looks like shares are working as long as I have guest enabled. One of the tests indicates the user is being authenticated, however the file is not? I’m going to see what ls -l shows me and add it to the bottom of this output. I’m currently installing a dedicated Ubuntu Samba AD and will see what happens. I need to note the neth environment has been very reliable for me, so I am wondering what I have done here.
Domain zrchq.local
NetBIOS domain name: ZRCHQ
LDAP server: 192.168.100.96
LDAP server name: nsdc-files.zrchq.local
Realm: ZRCHQ.LOCAL
Bind Path: dc=ZRCHQ,dc=LOCAL
LDAP port: 389
Server time: Thu, 07 Nov 2019 13:33:14 EST
KDC server: 192.168.100.96
Server time offset: 0
Last machine account password change: Thu, 07 Nov 2019 13:14:46 EST
Join is OK
whenCreated: 20191107181445.0Z
whenChanged: 20191107181445.0Z
name: files
objectSid: S-1-5-21-2696135020-1594646949-2149067568-1104
accountExpires: 9223372036854775807
sAMAccountName: files$
pwdLastSet: 132176240855268580
dNSHostName: files.zrchq.local
servicePrincipalName: HOST/FILES
servicePrincipalName: HOST/files.zrchq.local
lastLogon: 132176250353129480
distinguishedName: CN=files,CN=Computers,DC=zrchq,DC=local
[root@files admin]# smbclient -d 10 -U "test@$(config getprop sssd Realm)" //$(hostname)/share01
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = ZRCHQ
doing parameter server string = NethServer 7.7.1908 final (Samba %v)
doing parameter security = ADS
doing parameter realm = ZRCHQ.LOCAL
doing parameter kerberos method = secrets and keytab
doing parameter password server = nsdc-files.zrchq.local
doing parameter netbios name = FILES
Processing section "[global]"
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config ZRCHQ : backend = nss
doing parameter idmap config ZRCHQ : range = 200000-2147483647
doing parameter inherit owner = no
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section "[global]"
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned Success
messaging_dgm_ref: unique = 15007052572931451870
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
messaging_init_internal: my id: 11772
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = ZRCHQ
doing parameter server string = NethServer 7.7.1908 final (Samba %v)
doing parameter security = ADS
doing parameter realm = ZRCHQ.LOCAL
doing parameter kerberos method = secrets and keytab
doing parameter password server = nsdc-files.zrchq.local
doing parameter netbios name = FILES
Processing section "[global]"
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config ZRCHQ : backend = nss
doing parameter idmap config ZRCHQ : range = 200000-2147483647
doing parameter inherit owner = no
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section "[global]"
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface br0 ip=192.168.100.65 bcast=192.168.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="FILES"
Client started (version 4.9.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'ZRCHQ.LOCAL': "Default-First-Site-Name"
internal_resolve_name: looking up files.zrchq.local#20 (sitename Default-First-Site-Name)
gencache_set_data_blob: Adding cache entry with key=[NBT/FILES.ZRCHQ.LOCAL#20] and timeout=[Wed Dec 31 07:00:00 PM 1969 EST] (-1573151498 seconds in the past)
no entry for files.zrchq.local#20 found.
resolve_hosts: Attempting host lookup for name files.zrchq.local<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for files.zrchq.local#20: 192.168.100.65
gencache_set_data_blob: Adding cache entry with key=[NBT/FILES.ZRCHQ.LOCAL#20] and timeout=[Thu Nov 7 01:42:38 PM 2019 EST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.100.65:0
Connecting to 192.168.100.65 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_REUSEPORT = 0
SO_SNDBUF = 2626560
SO_RCVBUF = 1061296
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[files.zrchq.local]
got OID=1.2.840.48018.1.2.2
Enter test@ZRCHQ.LOCAL's password:
cli_session_creds_prepare_krb5: Doing kinit for test@ZRCHQ.LOCAL to access files.zrchq.local
kerberos_kinit_password: as test@ZRCHQ.LOCAL using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_creds_prepare_krb5: Successfully authenticated as test@ZRCHQ.LOCAL to access files.zrchq.local using Kerberos
cli_session_setup_spnego_send: Connect to files.zrchq.local as test@ZRCHQ.LOCAL using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55f569187dc0]: subreq: 0x55f569185300
gensec_update_send: spnego[0x55f569186c60]: subreq: 0x55f569187620
gensec_update_done: gse_krb5[0x55f569187dc0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f569185300/../source3/librpc/crypto/gse.c:841]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x55f5691854b0)] timer[(nil)] finish[../source3/librpc/crypto/gse.c:851]
gensec_update_done: spnego[0x55f569186c60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f569187620/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x55f5691877d0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
SPNEGO login failed: {Operation Failed} The requested operation was unsuccessful.
session setup failed: NT_STATUS_UNSUCCESSFUL
[root@files admin]#
* note: initially made a typo in the user name and it displayed the same output with no error
[root@files admin]# smbclient -U ZRCHQ\\test -L 192.168.100.65
Enter ZRCHQ\test's password:
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer drivers
share01         Disk      share01
IPC$            IPC       IPC Service (NethServer 7.7.1908 final (Samba 4.9.1))
Reconnecting with SMB1 for workgroup listing.

Server               Comment
---------            -------

Workgroup            Master
---------            -------
NAS                  ZRC
WORKGROUP            FILES
[root@files admin]#
*share01 has domain user group and test user acl rw
[root@files admin]# smbclient //192.168.100.65/share01 -U test
Enter ZRCHQ\test's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@files admin]# ls -al /var/lib/nethserver/ibay/share01
total 0
drwxrws---. 2 root domain users@zrchq.local 6 Nov 7 13:23 .
drwxrwxr-x. 3 root root 21 Nov 7 13:23 ..
*share01 enabled guest rw
[root@files admin]# smbclient //192.168.100.65/share01 -U test
Enter ZRCHQ\test's password:
Try "help" to get a list of possible commands.
smb: \> l
. D 0 Thu Nov 7 13:23:17 2019
.. D 0 Thu Nov 7 13:23:17 2019
2141317572 blocks of size 1024. 2138325184 blocks available
[root@files admin]# ls -al /var/lib/nethserver/ibay/share01
total 0
drwxrwsrwx. 2 root domain users@zrchq.local 6 Nov 7 13:23 .
drwxrwxr-x. 3 root root 21 Nov 7 13:23 ..
I added ZRCHQ to the FILES host files for giggles. Nothing. Removed it. It works. o_O! The system shared fine when connecting from an Ubuntu 18.04 based host. A Windows 10 Pro with current updates did not connect. I managed to connect after some research.
The Windows 10 connect required a change described at this StackExchange post. I’ll supply the sentences so it can be searched:
Run > Secpol.msc
then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'
I’m glad it is working but there is a hole in my knowledge of what was/is going on that needs filled. I don’t like magic solutions. I do appreciate the assistance I found here!
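
Added example, not part of the original post: a small triage script that reads smbclient output like the runs quoted above and reports whether the connection stopped at session setup (authentication) or at tree connect (authorization on the share). The function name `triage` and its result keys are this example's own; the sample inputs are excerpts of lines from the post.

```python
import re

# Patterns copied from the smbclient output quoted in the post.
DIALECT = re.compile(r"negotiated dialect\[(\w+)\]")
KINIT_OK = re.compile(r"Successfully authenticated as \S+ to access \S+ using Kerberos")
SESSION_FAIL = re.compile(r"session setup failed: (NT_STATUS_\w+)")
TREE_FAIL = re.compile(r"tree connect failed: (NT_STATUS_\w+)")
CONNECTED = re.compile(r'^(smb: \\>|Try "help")', re.M)

def triage(log: str) -> dict:
    """Report the stage at which an smbclient run stopped."""
    dialect = DIALECT.search(log)
    result = {
        "dialect": dialect.group(1) if dialect else None,
        # True only when the log shows the client-side kinit succeeding.
        "kinit_succeeded": bool(KINIT_OK.search(log)),
    }
    if m := SESSION_FAIL.search(log):
        # The server never accepted an identity: an authentication problem.
        result.update(stage="session_setup", status=m.group(1), kind="authentication")
    elif m := TREE_FAIL.search(log):
        # A session exists but the share refused it: an authorization problem.
        result.update(stage="tree_connect", status=m.group(1), kind="authorization")
    elif CONNECTED.search(log):
        result.update(stage="connected", status=None, kind="none")
    else:
        result.update(stage="unknown", status=None, kind="unknown")
    return result

# Excerpts of the three runs shown in the post (lines copied, runs shortened).
KERBEROS_RUN = """\
negotiated dialect[SMB3_11] against server[files.zrchq.local]
cli_session_creds_prepare_krb5: Successfully authenticated as test@ZRCHQ.LOCAL to access files.zrchq.local using Kerberos
SPNEGO login failed: {Operation Failed} The requested operation was unsuccessful.
session setup failed: NT_STATUS_UNSUCCESSFUL
"""
ACL_RUN = """\
Enter ZRCHQ\\test's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
"""
GUEST_RUN = """\
Enter ZRCHQ\\test's password:
Try "help" to get a list of possible commands.
"""

if __name__ == "__main__":
    for name, log in [("kerberos", KERBEROS_RUN), ("acl", ACL_RUN), ("guest", GUEST_RUN)]:
        print(name, triage(log))
```

For the first run it reports a session-setup failure even though kinit succeeded, and for the second a tree-connect denial after a session was established, so the two failures in the post sit at different stages.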