SMB access denied with VPNs

sharpec · October 4, 2017, 3:08pm

Buongiorno,
I continue to not solve this problem.
now I’m on the remote site.

I installed a second nethserver, with a vpn tunnel I published the 2 net directly
1.x with samba services
and 18.x the network that must access remotely
(i remove completly alias 12.x)

the folders without authentication navigate, those protected no, keep asking me for the password.

I’m looking at all the logs

message / firewall / log.smb
but I find nothing.

Where should I look? do you have some advice?
Thanks

in prompt i have run

net use * /delete

and retry connection

192.168.18.130 my pc
192.168.1.241 samba server

davidep · October 4, 2017, 4:29pm

Any error from smbd or nmbd in /var/log/messages?

sharpec · October 4, 2017, 4:56pm

any

can a Windows Active Directory domain interfere with authentication?

to avoid dns problems I have put on pc in

c: \ windows \ system32 \ etc \ hosts
192.168.1.2 nsdc-samba.domain.it domain.it domain
192.168.1.241 samba.domain.it

sharpec · October 4, 2017, 5:29pm

no! i have try with only my pc…

sharpec · October 5, 2017, 6:12am

i have try from another network through another tunnel vpn.
same result.
autentication dosen’t work!

someone uses shared folder with ACL through the vpn tunnel?

my pc		    -> nethserver 	-> internet  <- nethserver 	    <- samba server
192.168.18.130  192.168.18.254			        192.168.1.254 	192.168.1.241

davidep · October 5, 2017, 7:04am

Hi Enzo,

what do you think about this?

STATUS_ACCESS_DENIED sounds as if a program on the client tried to open or create a file to which the account being used for the SMB connection did not have access - i.e., it’s not a networking problem or an SMB packet-signing problem, it’s a file permissions problem.

https://ask.wireshark.org/questions/71/smb-troubleshooting

sharpec · October 5, 2017, 8:10am

Isn’t permission problem, i have check via GUI and Reset Permission on folder.
I have try with my user and admin user.

yet I am convinced that it is a name resolution problem.
I tried to insert the entry into the LMHOST file in ipv4 protocol
192.168.1.2 DOMAIN

1.2 is the nsdc ip

for once it has been authenticated,
I restarted the pc and you no longer logged in

davidep · October 5, 2017, 8:24am

once? Can you test it from smbclient? I prefer it because has no “caching” and error messages are more useful

sharpec · October 5, 2017, 8:43am

connection through OpenVpn Gui via OpenVPN roadwarrior work perfectly.

sharpec · October 5, 2017, 9:49am

[root@dbo ~]# smbclient //192.168.1.241/officina -U enzo@domain.it
Enter enzo@domain.it's password:
OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@dbo ~]# smbclient //192.168.1.241/officina -U enzo -W domain
Enter DOMAIN\enzo's password:
session setup failed: NT_STATUS_LOGON_FAILURE

davidep · October 5, 2017, 10:21am

Do those commands work if the client is in the same LAN of the file server?

Ctek · October 5, 2017, 11:13am

Just a silly questions. I did not understand very well the setup so:

Is the client using the DNS of the server ?
Also is the second NS joined to the AD ?

what format is the username you use?:
DOMAIN\username or username@domain.suffix

try using only “domain” and do not apend the suffix ".it"
Example username@domain

Also a good thing will be to check what level of protocol is used by the client to negociate NT/SMB/SMB2/SMB3 etc

sharpec · October 5, 2017, 1:35pm

they actually do not seem to run, I did a lot of tests, but I do not find any errors in the logs, I also checked in sssd. host-specific samba logs are empty (0 kb)

no and no, but I’ve tried all the combinations of dns (local NS, remote NS, remote SAMBA)

in primary network (not vpn) both work well. I use it indiscriminately for joining in the domain

wireshark say SMB2

i have try but dont solve

davidep · October 5, 2017, 1:57pm

I’m quite confused… can we focus on a File Server (with remote AD account provider) scenario? Can we ignore the VPN?

This is puzzling! Ensure your remote network is considered “trusted” (see Trusted networks page).

sharpec · October 5, 2017, 2:17pm

i have setup in remote dns client only ip of VB-nsdc
client now login, both > domain\user and > user@domain.it

obviously not a solution, but maybe it’s the explanation of the problem

i have insert remote network vpn tunnel in trusted network, since he did not see anything

maybe I’m wrong with the commands in smbclient, now I’m looking for the right combination

sharpec · October 13, 2017, 6:30am

ok i found solution.

for correct name resolution in remote vpn tunnel fw i have insert as a secondary dns the ip of my primary fw

in samba server i have added ip subnet of vpn tunnel into the trusted network

now domain authentication work right with DOMAIN\username over vpn tunnel

hoping they will

davidep · June 7, 2018, 8:02pm

You’re lucky: mixing private and public DNS forwarding leads to weird issues! I’d not recommend it at all!

dnutan · May 30, 2021, 9:00am

7 posts were split to a new topic: Unable to join/access AD domain through VPN