
Re: [SOLVED] Samba+Kerberos inside LXC container...
I've found a decent workaround for this issue.

I set a public IP for the container and put it in the DNS with hostname "samba".

Et voilà:

$ smbclient //samba/dati -k
WARNING: The option -k|--kerberos is deprecated!
Try "help" to get a list of possible commands.
smb: \>

The share is also perfectly accessible from Windows and Linux machines in the same Active Directory domain without prompting for credentials, provided that the user has logged in to the machine with domain credentials.

That's exactly what I need.

Assigning a public IP to an LXD container is a bit tricky, because you need to set up a specific profile, removing the default profile from the container and assigning this new profile to it. But it works, and that's enough for me.

Hope this can help someone else.

On Tue, 2023-09-19 at 14:50 +0200, nimrod wrote:
Hi,

I'm running an LXC container on a Debian 12 host. The container, named "samba", aims to share a directory in an Active Directory environment (functional level 2016).

The container is joined to the domain using the realm command. Inside the container I can login with any domain user without any problem. 

I can also access the share with a command like:

$ smbclient //dl560/dati -U someuser -W BNCRM

and issuing the right credentials when prompted.

What I absolutely cannot get working is accessing the same share with Kerberos:

$ smbclient -k //dl560/dati

The above command is run as an authenticated user, who can perfectly well access another share on a virtual Debian 10 server. If I issue the above command with the -d10 option I get the long output below.

I've mapped 445 port this way:

$ lxc config device add samba port445 proxy listen=tcp:0.0.0.0:445 connect=tcp:10.65.65.147:445

Any suggestion would be very appreciated. I can try to provide any missing information.

Best regards.
giuli

---------------------
$ smbclient -k //dl560/dati
WARNING: The option -k|--kerberos is deprecated!
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
auth_audit: 10
auth_json_audit: 10
kerberos: 10
drs_repl: 10
smb2: 10
smb2_credits: 10
dsdb_audit: 10
dsdb_json_audit: 10
dsdb_password_audit: 10
dsdb_password_json_audit: 10
dsdb_transaction_audit: 10
dsdb_transaction_json_audit: 10
dsdb_group_audit: 10
dsdb_group_json_audit: 10
Processing section "[global]"
doing parameter workgroup = WORKGROUP
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logging = file
doing parameter panic action = "" %d
doing parameter server role = standalone server
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter usershare allow guests = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface lxcbr0 ip=10.0.3.1 bcast=10.0.3.255 netmask=255.255.255.0
added interface lxdbr0 ip=10.190.52.1 bcast=10.190.52.255 netmask=255.255.255.0
added interface eno1 ip=192.168.0.77 bcast=192.168.1.255 netmask=255.255.254.0
Client started (version 4.17.10-Debian).
Opening cache file at /run/samba/gencache.tdb
tdb(/run/samba/gencache.tdb): tdb_open_ex: could not open file /run/samba/gencache.tdb: Permission denied
gencache_init: Opening user cache file /home/someuser/.cache/samba/gencache.tdb.
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up dl560#20 (sitename (null))
namecache_fetch: name dl560#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 192.168.0.5 at port 445
socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0
session request ok
negotiated dialect[SMB3_11] against server[dl560]
cli_session_setup_spnego_send: Connect to dl560 as someuser@BNCRM.ROMA using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'ncalrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x56310b62e5d0]: subreq: 0x56310b629720
gensec_update_send: spnego[0x56310b628330]: subreq: 0x56310b62d830
gensec_update_done: gse_krb5[0x56310b62e5d0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b629720/../../source3/librpc/crypto/gse.c:895]: state[2] error[0 (0x0)] state[struct gensec_gse_update_state (0x56310b6298e0)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:906]
gensec_update_done: spnego[0x56310b628330]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x56310b62d830/../../auth/gensec/spnego.c:1631]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0x56310b62d9f0)] timer[(nil)] finish[../../auth/gensec/spnego.c:2116]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
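A small diagnostic added here (not code from either post) that checks whether the host name typed in the UNC path maps to a `cifs/` service principal held in the container's keytab; the name mismatch this detects (client asking for the host's name `dl560` while the container was joined as `samba`) is what the reply's fix removes. It assumes the realm BNCRM.ROMA seen in the debug log, a DNS domain of bncrm.roma, and a constructed `klist -k` listing in place of the real keytab.

```python
import re

# Constructed sample of `klist -k` output for the container's keytab after
# `realm join` (made up for this example; not taken from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------------------
   3 SAMBA$@BNCRM.ROMA
   3 host/samba.bncrm.roma@BNCRM.ROMA
   3 host/SAMBA@BNCRM.ROMA
   3 cifs/samba.bncrm.roma@BNCRM.ROMA
"""

# One keytab entry per line: a numeric KVNO followed by the principal.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+)$")


def keytab_principals(klist_output):
    """Return the principals listed in `klist -k` output, lower-cased."""
    return {m.group(1).lower() for line in klist_output.splitlines()
            if (m := PRINCIPAL_RE.match(line))}


def expected_spns(unc_path, realm, dns_domain):
    """Service principals the client may request for //host/share.

    Assumption: the client asks for cifs/<host as typed> and, after the
    usual libkrb5 canonicalisation, cifs/<host>.<dns_domain>.
    """
    host = unc_path.strip("/").split("/")[0].lower()
    names = {host} if "." in host else {host, f"{host}.{dns_domain}"}
    return {f"cifs/{n}@{realm}".lower() for n in names}


def check_spn(unc_path, klist_output, realm="BNCRM.ROMA", dns_domain="bncrm.roma"):
    """True if the keytab holds a key for an SPN the client will ask for.

    A False result matches the likely cause of the failure in the thread:
    a ticket for cifs/dl560 cannot be decrypted with keys issued for the
    'samba' principals, so session setup ends in NT_STATUS_LOGON_FAILURE.
    """
    wanted = expected_spns(unc_path, realm, dns_domain)
    return bool(wanted & keytab_principals(klist_output))


if __name__ == "__main__":
    for path in ("//dl560/dati", "//samba/dati"):
        print(path, "keytab match:", check_spn(path, SAMPLE_KLIST))
```

On a real system, feed it the output of `klist -k` run inside the container; a False result for the name users type points at the SPN/DNS naming rather than at credentials.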