Thursday, December 31, 2015

Samba server - CIFS mount issues



Background:

I have a samba cifs server. It is not joined to a domain, but has a keytab for an MIT kerberosV realm.

Kerberized mounts (e.g. mount -t cifs //cifs.example.com/groups /mnt/cifs -o sec=krb5i) work from Linux clients.
Kerberized mounts from AD-joined Windows machines (joined to a domain configured with a trust to the Kerberos realm) also work. Password-based mounts don't work for Linux clients (not a big deal).

Password-based mounts for non-AD-joined Windows clients only partly work. Using Explorer to go to \\cifs.example.com\groups fails, and no password prompt appears. However, if \\cifs.example.com\groups is mapped as a drive letter, the dialog never completes, but the drive mapping is established and works, and the dialog box can be cancelled at this point while retaining the mount.

Question:

  1. How can I make the UNC path prompt for a password on non-AD-joined Windows machines?



Configs:




hostname: cifs.example.com
realm: EXAMPLE.COM
distro: CentOS release 6.5 (Final)
samba version: samba-3.6.9-167.el6_5.x86_64



smb.conf

syslog only = yes
syslog = 3

server string = %h server (Samba, CentOS)
workgroup = EXAMPLE.COM
security = ads
realm = EXAMPLE.COM
create krb5 conf = no
kerberos method = secrets and keytab
server signing = auto
smb encrypt = auto
smb ports = 445
use sendfile = yes

map to guest = Bad User
guest account = nobody

wins support = no
dns proxy = no

load printers = no
printing = bsd
printcap name = /dev/null

disable spoolss = yes

hide files = /Desktop.ini/$RECYCLE.BIN/Thumbs.db/~$.*/

[home]
path = /export/home/
writeable = yes
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700

[groups]
path = /export/groups
writeable = yes
guest ok = no
browseable = yes
create mask = 0660
directory mask = 0770



klist -k

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 host/cifs.example.com@EXAMPLE.COM
8 host/cifs.example.com@EXAMPLE.COM
8 host/cifs.example.com@EXAMPLE.COM
8 host/cifs.example.com@EXAMPLE.COM
8 cifs/cifs.example.com@EXAMPLE.COM
8 cifs/cifs.example.com@EXAMPLE.COM
8 cifs/cifs.example.com@EXAMPLE.COM
8 cifs/cifs.example.com@EXAMPLE.COM


getsebool -a | grep -e cifs -e samba

allow_ftpd_use_cifs --> off
cobbler_use_cifs --> off
git_cgi_use_cifs --> off
git_system_use_cifs --> off
httpd_use_cifs --> off
qemu_use_cifs --> on
rsync_use_cifs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tftp_use_cifs --> off
use_samba_home_dirs --> off
virt_use_samba --> off



/etc/pam.d/samba

#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth

/etc/pam.d/password-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so


Answer

The fix was to change max protocol in smb.conf from the default NT1 to max protocol = SMB2.
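As an added illustration (not code from the original post), the following Python script parses the smb.conf shown above and reports the effective max protocol together with the other settings a defender would review before exposing the share: signing, encryption, guest mapping and guest-enabled shares. It assumes Samba's rule that parameters appearing before any [section] header belong to [global], and it takes the NT1 default from the post; the sample configuration embedded in it is constructed from the one above.

```python
import re

# Constructed sample: the global and share settings from the post above, with the
# excess blank lines removed. Samba treats parameters that appear before any
# [section] header as [global] settings (assumption noted in the lead-in).
SAMPLE_CONF = """
syslog only = yes
syslog = 3
server string = %h server (Samba, CentOS)
workgroup = EXAMPLE.COM
security = ads
realm = EXAMPLE.COM
create krb5 conf = no
kerberos method = secrets and keytab
server signing = auto
smb encrypt = auto
smb ports = 445
map to guest = Bad User
guest account = nobody
[home]
path = /export/home/
writeable = yes
guest ok = no
[groups]
path = /export/groups
writeable = yes
guest ok = no
browseable = yes
"""

# The same file with the fix from the answer applied.
FIXED_CONF = "max protocol = SMB2\n" + SAMPLE_CONF

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def _norm(key):
    """Samba parameter names are case-insensitive and ignore internal whitespace."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_key: value}}."""
    conf = {"global": {}}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" not in line:
            continue  # malformed line; testparm would warn about it
        key, value = line.split("=", 1)
        conf[section][_norm(key)] = value.strip()
    return conf


def effective_max_protocol(conf):
    """Return the negotiable ceiling; the post states the default is NT1 (SMB1)."""
    return conf["global"].get("maxprotocol", "NT1").upper()


def audit(conf):
    """Return (code, message) findings a defender would review before exposing the share."""
    findings = []
    g = conf["global"]
    if effective_max_protocol(conf) == "NT1":
        findings.append(("max_protocol_nt1",
                         "max protocol is NT1 (SMB1): set 'max protocol = SMB2'"))
    if g.get("serversigning", "").lower() != "mandatory":
        findings.append(("signing_not_mandatory",
                         "server signing is not mandatory; clients may negotiate unsigned sessions"))
    if g.get("smbencrypt", "").lower() not in ("mandatory", "required"):
        findings.append(("encrypt_not_required",
                         "smb encrypt is not required; SMB traffic may go unencrypted"))
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("map_to_guest",
                         "map to guest = %s: certain failed logins (unknown user names for "
                         "'Bad User') are mapped to the guest account instead of being rejected"
                         % g["maptoguest"]))
    for name, share in conf.items():
        if name != "global" and share.get("guestok", "no").lower() in ("yes", "true", "1"):
            findings.append(("guest_share", "[%s] allows guest access" % name))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONF), ("with max protocol = SMB2", FIXED_CONF)):
        conf = parse_smb_conf(text)
        print("%s: max protocol = %s" % (label, effective_max_protocol(conf)))
        for code, msg in audit(conf):
            print("  [%s] %s" % (code, msg))
```

Run against the posted configuration the script reports NT1 as the effective ceiling and flags the auto signing, auto encryption and map to guest settings; with the line from the answer prepended, the max protocol finding disappears while the others remain for review.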

