active directory – srv records in a Samba AD

In a Debian samba server environment a second domain controller was added.
The plan is to move over to this new one, and later add another one.
I want to be sure it all works fine, so looking in DNS
I noted that the various service locator records all point to the old domain server,
despite the fact that we did a role transfer to the new server.

I'd assume they should point to the new DC or at least both.

I'm curious how it should be, as I'm not sure about how samba handles this vs Windows.
I have a Windows background and samba is kinda new to me.

centos7 – Connecting to samba share fails

I have set up a cluster in mirror of 2 nodes with glusterfs (7.7); everything is working properly, no failures in any of the logfiles, CTDB is ok, samba is working properly… but I can't connect from a Windows client :-(. The firewall is disabled! Does somebody have an idea? I checked for samba (4.10.4) bugs but found nothing special that could be a blocker.

networking – Windows 10: Samba networked drive on Ubuntu machine frequently gets “tuckered out”

I don’t know how else to describe it. I’m pecking away at a long-term project updating a lot of MP3 tags on ~300GB of music files on an Ubuntu computer running Plex somewhere else in the house; lots of folder renaming, file renaming, and updating MP3 tags with MP3Tag from my Windows computer.

Both computers are wired to the router; I’m not running over wifi.

Periodically — a few times a day — the connection to the Ubuntu box gets “tired”. It might keep transferring data, but very, very slowly — like 1 kb/hour — or a file will save with a tag update in MP3Tag, but take 15 minutes to save a 3MB file.

While this is happening, I can ping the Ubuntu box with normal (time <1ms) speed, I can play music from the Plex server normally… but Windows Explorer either won't respond when I try to access the mapped network drive, or does so very, very slowly; same with MP3Tag.

Is there something I can fix here? I’m not sure how to further diagnose the problem. Ideally there’s a way to give the connection a quick shake and ‘wake it up,’ but I have no idea how to do that. Right now, I just wait until I get frustrated, restart the computers, and it’s fine again for a while.

fedora – Allow Samba and Podman to rw on same dir

I’m new to SElinux so I don’t know much about how to use it. I want to run my Fedora Server using a samba share (already configured and working) and configured a podman container, mounting the same directory. But while SElinux is on, the container cannot access the mounted directory. Turning SElinux off (setenforce 0) “solves” that.

So currently I've tried using public_content_rw_t on that directory, but it still does not work.

# first try
$ semanage fcontext -a -t samba_share_t "/srv/downloads(/.*)?"
$ restorecon -Rv /srv/downloads

# second try
$ semanage fcontext -m -t public_content_rw_t "/srv/downloads(/.*)?"
$ restorecon -Rv /srv/downloads

In both cases, the podman container is not able to access the same directory. SElinux is preventing it (logs: setroubleshoot[1232603]: SELinux is preventing java from write access on the directory /srv/downloads). For example using: podman exec -it $CONTAINER ls -l /downloads (mounted /srv/downloads:/downloads with rw).

I want to run my server with SElinux. What do I need to configure so that both processes are able to use the same directory?

samba4 – SAMBA: valid users ignores local samba user

I have a linux server (SLES12 SP5) in a Windows domain.

>smbd -V
Version 4.10.5-git.192.26ffbcd72313.11.1-SUSE-SLE_12-x86_64

Accessing samba shares with a domain user works very well.

Unfortunately I can't access the share with a local samba user if valid users is active.

>useradd -r -g tomcat test
>smbpasswd -a test
>systemctl restart smb.service

>getent passwd test
test:x:480:1002::/home/test:/bin/bash

smb.conf

[global]
    security = ADS
    realm = STL.BWL.NET
    workgroup = STL

    domain master = NO
    local master = NO
    preferred master = NO
    os level = 0

    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets and keytab
    allow trusted domains = NO

    winbind enum users = YES
    winbind enum groups = YES
    winbind cache time = 10
    winbind use default domain = YES
    winbind refresh tickets = YES

    idmap config STL : backend = rid
    idmap config STL : range = 100000-400000

    idmap config * : backend = tdb
    idmap config * : range = 500000-800000

    ntlm auth = NO
    lanman auth = NO
    client use spnego = YES
    client ntlmv2 auth = YES
    encrypt passwords = YES
    restrict anonymous = 2
    usershare allow guests = NO

    printing = bsd
    printcap name = /dev/null

    map acl inherit = YES
    store dos attributes = YES
    ea support = YES

    public = NO
    browseable = YES
    writeable = YES
    guest ok = NO

    create mask = 0660
    directory mask = 0770

[web]
        path = /web
        valid users = @GRP_R13_QS STL1408

[tomcat]
        path = /web/tomcat
        valid users = test
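As an added example (not the poster's code and not part of Samba), a small Python evaluator that parses an smb.conf in the posted form and applies the documented 'valid users' / 'invalid users' syntax to a (user, groups) pair, so you can confirm what the config above should admit on [web] and [tomcat] before looking at the authentication or idmap stages. The config text, user names and group memberships are constructed from the post (plus one extra [public] share to show 'invalid users'); the '@', '+' and '&' group forms are simplified to plain group membership.

```python
import re

# Constructed from the posted smb.conf: global options plus the two shares
# with 'valid users', and one extra share using 'invalid users' for contrast.
SMB_CONF = r"""
[global]
    security = ADS
    workgroup = STL
    winbind use default domain = YES

[web]
    path = /web
    valid users = @GRP_R13_QS STL1408

[tomcat]
    path = /web/tomcat
    valid users = test

[public]
    path = /srv/public
    invalid users = root @wheel
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} for an INI-style smb.conf (no 'include')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':      # whole-line comments only, as smbd does
            continue
        m = re.fullmatch(r'\[(.+)\]', line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
        elif section is not None and '=' in line:
            key, value = line.split('=', 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def _local_part(name):
    """Strip a DOMAIN\\ prefix so 'STL\\test' compares like 'test'."""
    return name.rsplit('\\', 1)[-1]

def share_admits(conf, share, user, groups):
    """Apply the share's 'invalid users' and 'valid users' lists to (user, groups).

    Modelled from smb.conf(5): an empty 'valid users' admits any authenticated
    user; '@g', '+g' and '&g' are group/netgroup forms (all treated here as
    membership in g); 'invalid users' takes precedence; names compare
    case-insensitively. Authentication and filesystem permissions are separate
    stages and are not modelled here.
    """
    sec = conf.get(share.lower(), {})
    user_l = _local_part(user).lower()
    groups_l = {g.lower() for g in groups}

    def matches(token):
        tok = _local_part(token)
        if tok and tok[0] in '@+&':
            return tok[1:].lower() in groups_l
        return tok.lower() == user_l

    if any(matches(t) for t in sec.get('invalid users', '').split()):
        return False
    valid = sec.get('valid users', '').split()
    return not valid or any(matches(t) for t in valid)

if __name__ == '__main__':
    conf = parse_smb_conf(SMB_CONF)
    for share, user, groups in [('tomcat', 'test', ['tomcat']),
                                ('web', 'STL\\alice', ['GRP_R13_QS']),
                                ('public', 'root', [])]:
        print(share, user, share_admits(conf, share, user, groups))
```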

linux – How to block external traffic *except* to specific samba host from libvirtd subnet with firewalld?

I'm kind of baffled that I've been able to come up with so little information on the topic after days of research, but I'm experimenting with CentOS 8 in my lab and would like to use it as a VM host machine using libvirt. Let's say it's 192.168.2.3. I'd like to have a libvirt network (192.168.100.0/24) with a couple of Windows machines on it that need to have access to a samba file share at 192.168.2.4. Since I don't particularly trust Windows, I want to block ALL network traffic from machines on this virtual network, except for what's required for them to mount and share samba files with 192.168.2.4.

At first I was messing with firewalld zones and trying to target the virtual NIC that was associated with the libvirt network, but I think what I need to do is actually apply a pair of rules to the FORWARD chain on the vm host. In “pseudocode”:

allow all ipv4 samba (port 137-139,445?) from 192.168.100.0/24 to 192.168.2.4
deny all ipv4 traffic from the 192.168.100.0/24

I don’t know how to express this correctly. Am I on the right track, and can someone point me in the right direction here?

Samba – Different file and directory permissions for guest and non-guest users

I am configuring a samba server for file sharing. I was wondering if there is a configuration setting to map different file or directory masks to different users.

I am attempting to allow admin users to have full access to a share while restricting guest users from listing directory contents.

I've looked through the samba config manpages and found nothing helpful.

Currently my samba share config looks like this:

[Public]
   Comment = Pi public share
   Path = /Samba/Public
   Browseable = yes
   Writeable = yes
   create mask = 0666
   directory mask = 1337
   Public = yes
   Guest ok = yes

This config works perfectly if a guest were to create a directory but if an admin tries the same, they are restricted in this new directory.

I was wondering if there is a way to solve this problem in the configuration or, if necessary, in a pre/postrun script.

iptables – libvirt with qemu/kvm guest, guest can ssh to host and vice versa, but failed to samba or ftp to host

I am running libvirt/qemu-kvm on Fedora32, guest OS is CentOS7.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

On the host I can ssh to the guest by its IP (192.168.122.230).

On the guest, I can access the internet and can also ssh to my host,
but I fail to access samba and ftp on my host.

For example, when I type 'smbclient -L 192.168.122.1' on the guest,
'tcpdump -i vnet0' on the host shows:

10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68

And 'smbclient' eventually reports 'do_connect: Connection to 192.168.122.1 failed (Error NT_STATUS_CONNECTION_REFUSED)'.

In the case of 'ftp', it is similar to 'samba'.

0:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags [S], seq 4205484033, win 29200, options [mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7], length 0
10:06:11.030539 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port ftp unreachable, length 68

I am sure that on the guest the firewall is turned off, and I can samba to the host from other machines on the LAN.

I checked the host's 'iptables -L -nv' and 'iptables -L -nv -t nat'; no packet got 'REJECT'ed or 'DROP'ed.

They look like this:

# iptables -L -nv 
Chain INPUT (policy ACCEPT 56760 packets, 31M bytes)
 pkts bytes target     prot opt in     out     source               destination         
68394   45M LIBVIRT_INP  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19326   23M LIBVIRT_FWX  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
19326   23M LIBVIRT_FWI  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 9344 1092K LIBVIRT_FWO  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 19706 packets, 2824K bytes)
 pkts bytes target     prot opt in     out     source               destination         
28243 3880K LIBVIRT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_FWI (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9982   22M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 9344 1092K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  102  6959 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3028 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    9  3004 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     tcp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68

and

# iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 6314 packets, 5976K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4463 packets, 5827K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 546 packets, 73524 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 526 packets, 69524 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1910  218K LIBVIRT_PRT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
   13  1359 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255
   87  4628 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
  192 19180 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

Am I missing something? What could be the cause?
Thanks.

networking – libvirt on fedora, qemu/kvm guest, guest can ssh to host, but failed to samba or ftp to host

I am running libvirt/qemu-kvm on Fedora32, guest OS is win10 with spice-guest-tool in use.

I use 'nat' mode virtual networking.

[root@fedora ~]# virsh net-dumpxml default
<network connections='1'>
  <name>default</name>
  <uuid>36ca4070-160a-47bf-b35e-aa7bee028ec1</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:e1:1e:c3'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
</network>

While the guest is running, 'brctl show' seems fine.

[root@fedora ~]# brctl show
bridge name bridge id       STP enabled interfaces
virbr0      8000.525400e11ec3   yes     virbr0-nic
                                        vnet0

On the host I can ping the guest by its IP (192.168.122.159).

On the guest, I can access the internet and can also ssh to my host,
but I fail to access samba and ftp on my host.

For example, when I type 'net view 192.168.122.1' on the guest,
'tcpdump -i vnet0' on the host shows:

15:47:39.041395 IP 192.168.122.159.49717 > fedora.bear.microsoft-ds: Flags [S], seq 160880283, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:47:39.041526 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port microsoft-ds unreachable, length 60

And 'net view' eventually reports 'System error 53: network path not found'.
I also checked 'iptables -L -v' (too verbose to paste here); none got 'REJECT'ed.

In the case of 'ftp', it is similar to 'samba'.

15:54:13.232366 IP 192.168.122.159.49721 > fedora.bear.ftp: Flags [S], seq 669575524, win 8192, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
15:54:13.232468 IP fedora.bear > 192.168.122.159: ICMP fedora.bear tcp port ftp unreachable, length 60

It seems that the host cannot send packets back to the guest.

Am I missing something? What could be the cause?
Thanks.
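For both libvirt posts above, an added example (not the posters' code) in Python that pairs each TCP SYN in tcpdump output of the posted format with the reply it got and classifies the attempt: 'refused' when the server itself answered with ICMP port unreachable (so the refusal happens on that host, through a reject rule or because nothing is listening on that address), 'accepted' when a SYN-ACK appears, and 'unanswered' when the capture holds no reply (a silent drop, or a reply that left by another path). The sample capture is constructed after the posts' output, with an ssh and an ftp exchange added to exercise the other two verdicts.

```python
import re
from collections import OrderedDict

# tcpdump's default text format, as printed in the posts.
TCP_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > '
    r'(?P<dst>\S+?)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]')
ICMP_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP \S+ '
    r'(?P<proto>tcp|udp) port (?P<port>[\w-]+) unreachable')

# Constructed capture modelled on the posts (ssh/ftp lines are made up).
SAMPLE_CAPTURE = """\
10:03:00.267931 IP 192.168.122.230.57754 > 192.168.122.1.microsoft-ds: Flags [S], seq 1417555984, win 29200, options [mss 1460,sackOK,TS val 4294755489 ecr 0,nop,wscale 7], length 0
10:03:00.267977 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port microsoft-ds unreachable, length 68
10:03:00.273271 IP 192.168.122.230.39152 > 192.168.122.1.netbios-ssn: Flags [S], seq 2454440184, win 29200, options [mss 1460,sackOK,TS val 4294755494 ecr 0,nop,wscale 7], length 0
10:03:00.273290 IP 192.168.122.1 > 192.168.122.230: ICMP 192.168.122.1 tcp port netbios-ssn unreachable, length 68
10:03:05.100000 IP 192.168.122.230.40000 > 192.168.122.1.ssh: Flags [S], seq 1, win 29200, options [mss 1460], length 0
10:03:05.100100 IP 192.168.122.1.ssh > 192.168.122.230.40000: Flags [S.], seq 2, ack 2, win 28960, options [mss 1460], length 0
10:06:11.030486 IP 192.168.122.230.44748 > 192.168.122.1.ftp: Flags [S], seq 4205484033, win 29200, options [mss 1460,sackOK,TS val 4294946254 ecr 0,nop,wscale 7], length 0
"""

def classify_connections(lines):
    """Return {(client, server, port): verdict} for every TCP SYN in the capture.

    verdict is 'refused' (server sent ICMP port unreachable: a REJECT rule or
    no listener), 'accepted' (SYN-ACK seen) or 'unanswered' (no reply in the
    capture: a silent DROP, or a reply that left on another interface).
    """
    verdicts = OrderedDict()
    for line in lines:
        m = TCP_RE.match(line)
        if m:
            if m['flags'] == 'S':                       # new attempt, client -> server
                verdicts.setdefault((m['src'], m['dst'], m['dport']), 'unanswered')
            elif m['flags'] == 'S.':                    # SYN-ACK, server -> client
                key = (m['dst'], m['src'], m['sport'])
                if key in verdicts:
                    verdicts[key] = 'accepted'
            continue
        m = ICMP_RE.match(line)
        if m and m['proto'] == 'tcp':                   # ICMP is sent by the server
            key = (m['dst'], m['src'], m['port'])
            if key in verdicts:
                verdicts[key] = 'refused'
    return verdicts

def refused_ports(lines):
    """Ports the server actively refused, as sorted (server, port) pairs."""
    return sorted({(srv, port)
                   for (_cli, srv, port), v in classify_connections(lines).items()
                   if v == 'refused'})

if __name__ == '__main__':
    for (client, server, port), verdict in classify_connections(SAMPLE_CAPTURE.splitlines()).items():
        print(f'{client} -> {server}:{port}  {verdict}')
```

When the refusing host shows no REJECT hits in 'iptables -L -nv', also look for rules held by another backend ('nft list ruleset') and check which address the daemon is bound to.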

cifs – samba server mount points stopped working on CentOS 8 install, error: Failed to start SPNEGO handler for negprot OID list

After about 6 months of smb working flawlessly on a home server, it is now failing to allow remote systems to mount with the following error message in /var/log/messages:

Jun 27 12:53:10 bike3 smbd[19385]: [2020/06/27 12:53:10.706872,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
Jun 27 12:53:10 bike3 smbd[19385]:  Failed to start SPNEGO handler for negprot OID list!

I am using a very basic smb.conf configuration, and have tried a variety of googled settings, with no luck:

[global]
        workgroup = WORKGROUP
        security = user
        log level = 3
        map to guest = bad user
        dns proxy = no
; tested various combinations:
        client use spnego = no
        client ntlmv2 auth = no
        client min protocol = SMB2
        client max protocol = SMB3


[pictures]
       comment = pictures
       path = /mnt/pictures
       public = yes
       browsable = yes
       writable = yes
       guest ok = yes
       read only = no

I have reinstalled all samba packages:

Reinstalled:
  samba-4.11.2-13.el8.x86_64                  samba-client-4.11.2-13.el8.x86_64            samba-client-libs-4.11.2-13.el8.x86_64      samba-common-4.11.2-13.el8.noarch
  samba-common-libs-4.11.2-13.el8.x86_64      samba-common-tools-4.11.2-13.el8.x86_64

I have tested from Windows 10 and OS X Mojave; both fail with the same error. Here is the log level 3
output in the log.smb:

[2020/06/27 13:06:11.367462,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.xxx.xxx (192.168.xxx.xxx)
[2020/06/27 13:06:11.368276,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.368563,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (failed to receive smb request)
[2020/06/27 13:06:11.372050,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.197 (192.168.1.197)
[2020/06/27 13:06:11.372676,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.372763,  3] ../../source3/smbd/process.c:1956(process_smb)
  Transaction 0 of length 73 (0 toread)
[2020/06/27 13:06:11.372787,  3] ../../source3/smbd/process.c:1549(switch_message)
  switch message SMBnegprot (pid 21109) conn 0x0
[2020/06/27 13:06:11.373194,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/06/27 13:06:11.373220,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2020/06/27 13:06:11.373237,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2020/06/27 13:06:11.373469,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2020/06/27 13:06:11.373856,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2020/06/27 13:06:11.373880,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2020/06/27 13:06:11.373895,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2020/06/27 13:06:11.373911,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'spnego' registered
[2020/06/27 13:06:11.373929,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'schannel' registered
[2020/06/27 13:06:11.373954,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2020/06/27 13:06:11.373970,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2020/06/27 13:06:11.373984,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2020/06/27 13:06:11.374000,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/06/27 13:06:11.374016,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_basic' registered
[2020/06/27 13:06:11.374031,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2020/06/27 13:06:11.374048,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2020/06/27 13:06:11.374124,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2020/06/27 13:06:11.374149,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
  Failed to start SPNEGO handler for negprot OID list!
[2020/06/27 13:06:11.374316,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../../source3/smbd/smb2_negprot.c:307
[2020/06/27 13:06:11.374367,  3] ../../source3/smbd/negprot.c:771(reply_negprot)
  Selected protocol SMB 2.???
[2020/06/27 13:06:11.377729,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Thanks in advance for any help.
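An added example (not the poster's code) that turns Samba's two-line level-3 log records like those above into one summary per client connection: the protocol smbd selected, the most severe message (lowest debug level, 0 being fatal) with the function that emitted it, and any NT_STATUS codes mentioned. It is a triage aid for exactly this kind of log, not a fix for the failure. The sample is a constructed excerpt of the posted log with a placeholder client address.

```python
import re

# Header line of a Samba debug record: "[date time, level] file:line(function)",
# followed by the message on an indented line.
HEADER_RE = re.compile(
    r'^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] '
    r'(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$')
STATUS_RE = re.compile(r'NT_STATUS_\w+')

# Constructed excerpt of the posted log (first client address is a placeholder).
SAMPLE_LOG = """\
[2020/06/27 13:06:11.367462,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.10 (192.168.1.10)
[2020/06/27 13:06:11.368563,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (failed to receive smb request)
[2020/06/27 13:06:11.372050,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.197 (192.168.1.197)
[2020/06/27 13:06:11.373469,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2020/06/27 13:06:11.373911,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'spnego' registered
[2020/06/27 13:06:11.374124,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2020/06/27 13:06:11.374149,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
  Failed to start SPNEGO handler for negprot OID list!
[2020/06/27 13:06:11.374316,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../../source3/smbd/smb2_negprot.c:307
[2020/06/27 13:06:11.377729,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
"""

def parse_records(lines):
    """Yield (level, function, message) from header + indented message pairs."""
    header = None
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            header = (int(m['level']), m['func'])
        elif header and line.startswith('  '):
            yield header[0], header[1], line.strip()
            header = None

def triage_connections(lines):
    """Summarise each client connection, split at smbd's allow_access records."""
    conns = []
    for level, func, msg in parse_records(lines):
        if func == 'allow_access':
            conns.append({'client': msg.split()[3], 'protocol': None,
                          'worst': None, 'statuses': []})
            continue
        if not conns:
            continue                      # records before the first connection
        cur = conns[-1]
        if msg.startswith('Selected protocol') and cur['protocol'] is None:
            cur['protocol'] = msg.split(' ', 2)[2]
        # Level 0 is the most severe; keep the first message at the lowest level.
        if level <= 1 and (cur['worst'] is None or level < cur['worst'][0]):
            cur['worst'] = (level, func, msg)
        cur['statuses'] += STATUS_RE.findall(msg)
    return conns

if __name__ == '__main__':
    for c in triage_connections(SAMPLE_LOG.splitlines()):
        print(c['client'], c['protocol'], c['statuses'], c['worst'])
```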