SMB access denied with VPNs

v7
sharedfolders
activedirectory
openvpn

(EnzoC) #1

Good morning,
I still haven't solved this problem.
Now I'm at the remote site.

I installed a second NethServer; through a VPN tunnel I published the 2 networks directly:
1.x with the Samba services,
and 18.x, the network that must access remotely
(I completely removed the alias 12.x).

The folders without authentication can be browsed; the protected ones cannot, they keep asking me for the password.

I'm looking at all the logs

messages / firewall / log.smb

but I find nothing.

Where should I look? do you have some advice?
Thanks

In a prompt I have run

net use * /delete

and retried the connection.

192.168.18.130 my pc
192.168.1.241 samba server

(Davide Principi) #2

Any error from smbd or nmbd in /var/log/messages?


(EnzoC) #3

None :triumph:

Can a Windows Active Directory domain interfere with authentication?

To avoid DNS problems I have put on the PC, in

c:\windows\system32\etc\hosts
192.168.1.2 nsdc-samba.domain.it domain.it domain
192.168.1.241 samba.domain.it

(EnzoC) #4

No! I have tried with only my PC…


(EnzoC) #5

I have tried from another network through another VPN tunnel.
Same result.
Authentication doesn't work!

Does anyone use shared folders with ACLs through a VPN tunnel?

my pc           -> nethserver      -> internet <- nethserver      <- samba server
192.168.18.130     192.168.18.254                192.168.1.254       192.168.1.241

(Davide Principi) #6

Hi Enzo,

what do you think about this?

STATUS_ACCESS_DENIED sounds as if a program on the client tried to open or create a file to which the account being used for the SMB connection did not have access - i.e., it’s not a networking problem or an SMB packet-signing problem, it’s a file permissions problem.

https://ask.wireshark.org/questions/71/smb-troubleshooting


(EnzoC) #7

It isn't a permission problem; I have checked via the GUI and reset the permissions on the folder.
I have tried with my user and the admin user.

Yet I am convinced that it is a name resolution problem.
I tried to insert the entry into the LMHOSTS file for the IPv4 protocol:
192.168.1.2 DOMAIN

1.2 is the nsdc IP.

It authenticated once;
I restarted the PC and it no longer logged in.


(Davide Principi) #8

:astonished: Once? Can you test it from smbclient? I prefer it because it has no “caching” and the error messages are more useful.


(EnzoC) #9

Connection through the OpenVPN GUI via OpenVPN roadwarrior works perfectly.


(EnzoC) #10

[root@dbo ~]# smbclient //192.168.1.241/officina -U enzo@domain.it
Enter enzo@domain.it's password:
OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@dbo ~]# smbclient //192.168.1.241/officina -U enzo -W domain
Enter DOMAIN\enzo's password:
session setup failed: NT_STATUS_LOGON_FAILURE
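The two smbclient runs above fail at different stages, and the stage tells more than the status code does: a failure at "session setup" means the credentials themselves were rejected, while a failure at "tree connect" means the user was authenticated and the server then refused the share. The following triage helper is an added example, not code from the thread or from NethServer; it parses constructed copies of the transcripts in post #10 and reports which stage failed together with the defender-side causes worth checking first (the hint wording is the editor's, not the thread's).

```python
import re

# Constructed sample transcripts, copied from the two smbclient runs in post #10.
SAMPLE_TREE_CONNECT_DENIED = """Enter enzo@domain.it's password:
OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED
"""

SAMPLE_SESSION_SETUP_FAILED = """Enter DOMAIN\\enzo's password:
session setup failed: NT_STATUS_LOGON_FAILURE
"""

# Constructed transcript of a successful connection (smbclient prompt reached).
SAMPLE_OK = """Enter DOMAIN\\enzo's password:
OS=[Windows 6.1] Server=[Samba 4.4.4]
smb: \\>
"""

# smbclient reports the failing phase followed by the NT status code.
_FAILURE_RE = re.compile(r"^(session setup|tree connect) failed:\s*(NT_STATUS_\w+)", re.M)

# Checks to run first for each phase. These are generic SMB troubleshooting hints.
_HINTS = {
    "session setup": [
        "credentials rejected before any share was touched: verify the password",
        "verify the account form (DOMAIN\\user vs user@realm) matches the server's domain/realm",
        "verify the client can resolve and reach the domain controller (DNS/SRV records, hosts file)",
    ],
    "tree connect": [
        "user authenticated; the server refused the share itself",
        "check share and filesystem ACLs for that user",
        "check server-side host restrictions (Samba 'hosts allow' / the trusted networks list) include the client's subnet",
    ],
}


def triage(output: str) -> dict:
    """Classify an smbclient transcript by the phase that failed.

    Returns a dict with the failing stage ('ok' if none), the NT status code,
    whether authentication completed, and a list of checks to perform.
    """
    match = _FAILURE_RE.search(output)
    if match is None:
        return {"stage": "ok", "status": None, "authenticated": True, "hints": []}
    stage, status = match.groups()
    return {
        "stage": stage,
        "status": status,
        # Tree connect only happens after a successful session setup.
        "authenticated": stage == "tree connect",
        "hints": list(_HINTS[stage]),
    }


if __name__ == "__main__":
    for name, sample in [("denied", SAMPLE_TREE_CONNECT_DENIED),
                         ("logon", SAMPLE_SESSION_SETUP_FAILED),
                         ("ok", SAMPLE_OK)]:
        result = triage(sample)
        print(f"{name}: stage={result['stage']} status={result['status']} "
              f"authenticated={result['authenticated']}")
        for hint in result["hints"]:
            print("   -", hint)
```

Run it against a real transcript by passing the captured smbclient output to `triage()`; the distinction it draws is the one that matters for this thread, since a tree-connect denial after a successful logon points at the server's share or host restrictions rather than at the credentials.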

(Davide Principi) #11

Do those commands work if the client is in the same LAN of the file server?


(Bogdan Costin) #12

Just a silly question. I did not understand the setup very well, so:

Is the client using the DNS of the server?
Also, is the second NS joined to the AD?

What format is the username you use?
DOMAIN\username or username@domain.suffix

Try using only “domain” and do not append the suffix ".it".
Example: username@domain

Also, a good thing would be to check what level of protocol is used by the client to negotiate NT/SMB/SMB2/SMB3 etc.


(EnzoC) #13

They actually do not seem to work. I did a lot of tests, but I do not find any errors in the logs; I also checked in sssd. The host-specific samba logs are empty (0 kB).

No and no, but I've tried all the combinations of DNS (local NS, remote NS, remote SAMBA).

In the primary network (not VPN) both work well. I use them indiscriminately for joining the domain.

Wireshark says SMB2.

I have tried, but it doesn't solve it.


(Davide Principi) #14

I’m quite confused… can we focus on a File Server (with remote AD account provider) scenario? Can we ignore the VPN?

This is puzzling! Ensure your remote network is considered “trusted” (see Trusted networks page).


(EnzoC) #15

I have set up in the remote DNS client only the IP of VB-nsdc.
The client now logs in, both with domain\user and with user@domain.it.

Obviously not a solution, but maybe it's the explanation of the problem.

I have inserted the remote network of the VPN tunnel into the trusted networks, since it did not see anything.

Maybe I'm wrong with the commands in smbclient; now I'm looking for the right combination.


(EnzoC) #16

OK, I found the solution. :scream:

For correct name resolution, in the remote VPN tunnel firewall I have inserted the IP of my primary firewall as a secondary DNS.

In the samba server I have added the IP subnet of the VPN tunnel into the trusted networks.

Now domain authentication works right with DOMAIN\username over the VPN tunnel.

Hoping they will :grin:
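The second half of the fix, adding the VPN subnet to the trusted networks, matches the "tree connect failed: NT_STATUS_ACCESS_DENIED" seen earlier: Samba's `hosts allow` directive rejects the share connection after a successful logon when the client address is not listed. The following checker is an added example, not NethServer's code; it assumes (as an assumption, not something the thread states) that the trusted-network setting ends up as a Samba `hosts allow` list, and evaluates a client address against such a list using the common token forms (dotted prefix, CIDR, IP/netmask, single IP, ALL, EXCEPT) so an administrator can verify a proposed change before reloading Samba.

```python
import ipaddress

# Constructed specs modelling the thread's network: the LAN 192.168.1.x was
# trusted, the VPN subnet 192.168.18.x was not until post #16 added it.
HOSTS_ALLOW_BEFORE = "127. 192.168.1."
HOSTS_ALLOW_AFTER = "127. 192.168.1. 192.168.18.0/24"

VPN_CLIENT = "192.168.18.130"   # the PC behind the VPN tunnel (from the thread)
LAN_CLIENT = "192.168.1.241"    # the Samba server's own LAN (from the thread)


def _token_matches(token: str, ip: ipaddress.IPv4Address) -> bool:
    """Match one hosts-allow token against an address."""
    token = token.strip()
    if not token:
        return False
    if token.upper() == "ALL":
        return True
    if token.endswith("."):
        # Dotted prefix such as "192.168.1." matches 192.168.1.0-255 only;
        # the trailing dot prevents "192.168.1." from matching 192.168.10.x.
        return str(ip).startswith(token)
    if "/" in token:
        # CIDR ("192.168.18.0/24") or IP/netmask ("192.168.18.0/255.255.255.0").
        return ip in ipaddress.ip_network(token, strict=False)
    return ip == ipaddress.ip_address(token)


def host_allowed(client: str, allow_spec: str) -> bool:
    """Return True if `client` passes the given `hosts allow` value.

    Tokens before EXCEPT are permitted, tokens after EXCEPT are denied even
    when they fall inside a permitted range. An empty list permits nobody,
    which is the failure mode an operator hits when a VPN subnet is omitted.
    """
    ip = ipaddress.ip_address(client)
    tokens = [t for t in allow_spec.replace(",", " ").split() if t]
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        permitted, denied = tokens[:idx], tokens[idx + 1:]
    else:
        permitted, denied = tokens, []
    if any(_token_matches(t, ip) for t in denied):
        return False
    return any(_token_matches(t, ip) for t in permitted)


def explain(client: str, allow_spec: str) -> str:
    """One-line verdict suitable for a pre-change check."""
    verdict = "allowed" if host_allowed(client, allow_spec) else "DENIED (expect NT_STATUS_ACCESS_DENIED at tree connect)"
    return f"{client} with hosts allow = '{allow_spec}': {verdict}"


if __name__ == "__main__":
    for spec in (HOSTS_ALLOW_BEFORE, HOSTS_ALLOW_AFTER):
        print(explain(VPN_CLIENT, spec))
        print(explain(LAN_CLIENT, spec))
```

Feed it the `hosts allow` value from the running configuration (`testparm -s` prints the effective one) and the address the VPN client actually arrives with; if the VPN peer performs NAT, that address may differ from the client's own, which is worth confirming before concluding the list is wrong.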


(Davide Principi) #17

You’re lucky: mixing private and public DNS forwarding leads to weird issues! I’d not recommend it at all!