Bug #25935

SMB shares to W10

Added by Ashley Drees about 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: No priority
Assignee: John Hixson
Category: OS
Target version:
Seen in:
Severity: Low
Reason for Closing: User Configuration Error
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I have followed the walkthrough in the forums for getting SMB, Kerberos and Open Directory to play together.

I have SMB working for OS X clients, but when I try to connect with a Windows 10 client it fails. I am unsure of quite what I need to allow W10 clients access to our share. Is there a document which outlines W10 connections to a share that does not have a domain login? I have tried many permutations of presenting the user name, and I know the passwords are correct as OS X is able to use the same connection.

I am unable to de-select the button turning off the domain login in the GUI, but I have tried both settings from the shell; it has no effect. The log.smb is generating lots of data that I am having difficulty interpreting.


Related issues

Copied to FreeNAS - Bug #40680: Kerberos authentication fixes for LDAP servers (Done)

Associated revisions

Revision 8e46054e (diff)
Added by John Hixson over 2 years ago

SSL fixes - Beginning Kerberos auth for LDAP servers Ticket: #25935

Revision ccdfef42 (diff)
Added by John Hixson over 2 years ago

Fix broken LDAP Kerberos Ticket: #25935

Revision 0c2ee97f (diff)
Added by John Hixson about 2 years ago

SSL fixes - Beginning Kerberos auth for LDAP servers Ticket: #25935 (cherry picked from commit 8e46054e6c2a4e19049bed20edf0ad60487d2b00) (11.1-stable) Ticket: #40680

History

#1 Updated by Dru Lavigne about 3 years ago

  • Status changed from Unscreened to 15

Ashley, please attach a debug (System -> Advanced -> Save Debug).

#2 Updated by Ashley Drees about 3 years ago

  • File debug-investigate-20170921081416.tgz added

Here you go.

To access the shares from OS X I use - which gets me in; however, doing the same from Windows 10 tells me that "There are currently no logon servers available to service the logon request".

#3 Updated by Dru Lavigne about 3 years ago

  • Status changed from 15 to Unscreened
  • Assignee changed from Release Council to John Hixson
  • Private changed from No to Yes

John: do you see anything in the config that would prevent Windows 10 from connecting?

#4 Updated by Ashley Drees about 3 years ago

Dru Lavigne wrote:

John: do you see anything in the config that would prevent Windows 10 from connecting?

One more bit of information: the Windows machine in question is W10 Professional, but standalone, not attached to any domain or workgroup, and actually in this case in a VM in Fusion on OS X Sierra. This does not normally cause me any issues with connecting to whatever.

#5 Updated by John Hixson about 3 years ago

  • Status changed from Unscreened to Screened
  • Target version set to 11.1

#6 Updated by Kris Moore about 3 years ago

  • Target version changed from 11.1 to 11.1-U1

#7 Updated by Dru Lavigne almost 3 years ago

  • Status changed from Screened to 15

Ashley: is this still an issue after updating to 11.1? If so, please attach a new debug from the updated system.

#8 Updated by Ashley Drees almost 3 years ago

Dru Lavigne wrote:

Ashley: is this still an issue after updating to 11.1? If so, please attach a new debug from the updated system.

I attempted upgrading. Though I was able to update, when I activated it the resolv.conf did not contain any DNS servers and HTTPS was disabled as it did not like our wildcard cert. I rolled back to 11.0-U4, which works. As having a working HTTPS is important for us I immediately rolled back, but as the server did not like our cert it is possible the LDAP connection to the OD master will not work either; I have not tried that yet.

see

https://www.evernote.com/l/Aid2FK6_9fROeZU0y8PMJLDtap4zwy-ZKZs

I am working on our network during the weekend, so I will try 11.1 again Saturday PM.

#9 Updated by Ashley Drees almost 3 years ago

Dru Lavigne wrote:

Ashley: is this still an issue after updating to 11.1? If so, please attach a new debug from the updated system.

I deleted the first 11.1 boot/update and re-applied them, and then did not get the issues I described above.

I will re-work the SMB setup again from our OD on OS X and report back.

#10 Updated by Dru Lavigne almost 3 years ago

  • Status changed from 15 to Closed: Not Applicable
  • Target version changed from 11.1-U1 to N/A
  • Private changed from Yes to No
  • Seen in changed from Unspecified to 11.0-U3

Thanks for the update Ashley. I'll close this out for now. If you still have issues after your configuration, attach a debug from the 11.1 system to this ticket.

#11 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-investigate-20170921081416.tgz)

#12 Updated by Kris Moore over 2 years ago

  • Status changed from Closed: Not Applicable to Closed

#13 Updated by Ashley Drees over 2 years ago

I have now migrated all our data over to the FreeNAS as AFP is working fine for us, but I am still unable to connect to the FreeNAS with SMB. At this time this is not a show stopper as AFP is still supported fully by Apple, but it would be great to get SMB working to allow us more flexibility.

I will post the diagnostics as soon as I have run them. I am still getting the "NT_STATUS_NO_LOGON_SERVERS", which is to be expected really, as we have OD but no AD.

#14 Updated by Ashley Drees over 2 years ago

  • File debug.gz added

Here is a debug -A run from 4th April 2018.

#15 Updated by Dru Lavigne over 2 years ago

  • Status changed from Closed to Not Started
  • Assignee changed from John Hixson to Timur Bakeyev
  • Target version changed from N/A to 11.2-RC2
  • Private changed from No to Yes

#16 Updated by Nick Wolff over 2 years ago

  • Severity set to Low

#17 Updated by John Hixson over 2 years ago

  • Assignee changed from Timur Bakeyev to John Hixson
  • Target version changed from 11.2-RC2 to 11.3

Ashley Drees wrote:

I have now migrated all our data over to the FreeNAS as AFP is working fine for us, but I am still unable to connect to the FreeNAS with SMB. At this time this is not a show stopper as AFP is still supported fully by Apple, but it would be great to get SMB working to allow us more flexibility.

I will post the diagnostics as soon as I have run them. I am still getting the "NT_STATUS_NO_LOGON_SERVERS", which is to be expected really, as we have OD but no AD.

Have you configured the Samba domain schema for your Open Directory? If you have not, then LDAP authentication to your SMB shares will not work.

#18 Updated by Dru Lavigne over 2 years ago

  • Status changed from Not Started to Blocked
  • Reason for Blocked set to Need additional information from Author

#19 Updated by Ashley Drees over 2 years ago

Have you configured the Samba domain schema for your Open Directory? If you have not, then LDAP authentication to your SMB shares will not work.

Apple no longer uses Samba for its SMB provision, so given Apple's proprietary way of working it is non-trivial to mess with the "Apple" OpenLDAP, and of course every update gives the possibility of them removing the schema or might have other interesting results. I also do not want to mess with the internals of the Server.app as it and its services are vital to our org.

It DOES support Kerberos authentication, so I was assuming that as there was no Active Directory domain controller the FreeNAS would just get its auth from Kerberos, which is indeed what I thought I had set up.

On an Ubuntu server I am able to use the LDAP on the OD to allow access, but as FreeNAS is an application I have no wish to mess with the config files or scripts. I also have no wish to duplicate the users by having an AD on FreeNAS. If I am being stupid please insist that I install the Samba schema on Apple OD, but would I then have to modify all of my users to have the correct attributes to get them to log in to the FreeNAS SMB shares that could get auth from the OD server?

#20 Updated by Dru Lavigne over 2 years ago

  • Status changed from Blocked to Unscreened
  • Reason for Blocked deleted (Need additional information from Author)

#21 Updated by John Hixson over 2 years ago

  • Status changed from Unscreened to Screened

#22 Updated by John Hixson over 2 years ago

I've been down this rabbit hole many times. There just isn't a way to do LDAP server authentication for Samba without the Samba schema installed and configured. In the pre-4.x days, you used to be able to turn off all the security and do plain text authentication via PAM, but that's no longer an option. Winbind can do Kerberos authentication, provided the LDAP server has the proper Samba attributes filled out. I've had many conversations with Samba team members about this as well; it's just not doable in a secure fashion (you need the NT hash). I'd love to be wrong about this, so if your Ubuntu Server can do this, if you wouldn't mind letting me poke around, I can reverse engineer how things are configured and make it work for FreeNAS. I suspect there is more to the story though. On the flip side, we could probably write our own Kerberos authentication module or some such. This has long been a sore point with me since I'm not a fan of the requirement to use the Samba LDAP schema either.

#23 Updated by John Hixson over 2 years ago

An alternative I didn't mention is creating a Samba user for every LDAP user. This is the only way I can think of currently to accomplish what you want. I know it's not very realistic, but it's the only way to give all your users NT hashes and SIDs.

#24 Updated by John Hixson over 2 years ago

  • Status changed from Screened to Closed
  • Reason for Closing set to User Configuration Error

#25 Updated by Dru Lavigne over 2 years ago

  • File deleted (debug.gz)

#26 Updated by Dru Lavigne over 2 years ago

  • Target version changed from 11.3 to N/A
  • Private changed from Yes to No

#27 Updated by Ashley Drees over 2 years ago

Thanks for the attention John Hixson (about 7 hours ago). If it were just Linux LDAP I would modify the schema and add the Samba stuff, but as the OD is on an Apple server there lies the issue, as Apple would rather we let the OD/LDAP alone (and actually I am wary of messing with it in case the Apple OD falls over).

I am pretty lost now because we have had to move our file stores off the old Xserves and I jumped onto the FreeNAS because it seemed to fit what we need.

Is there a way to make the FreeNAS an AD master and get its Kerberos and LDAP from the OD master?

#28 Updated by John Hixson over 2 years ago

Ashley Drees wrote:

Thanks for the attention John Hixson (about 7 hours ago). If it were just Linux LDAP I would modify the schema and add the Samba stuff, but as the OD is on an Apple server there lies the issue, as Apple would rather we let the OD/LDAP alone (and actually I am wary of messing with it in case the Apple OD falls over).

Adding the samba schema to Apple's OD isn't any more difficult than any other OpenLDAP based server. It took me only a few minutes, honestly. Just make sure to make a backup first ;-)

I am pretty lost now because we have had to move our file stores off the old Xserves and I jumped onto the FreeNAS because it seemed to fit what we need.

Is there a way to make the FreeNAS an AD master and get its Kerberos and LDAP from the OD master?

If you can tell me what you are trying to accomplish, I can tell you what I think is your best course of action. Though given the information you've provided, I think the easiest and fastest solution is just to keep your existing solution and add the Samba schema and run the smbldap-* tools to populate it. Again, make sure you make a backup of everything before doing so. Lots of documentation exists for this already.

I'm unclear on how you were doing SMB auth via LDAP previously, since this is the only way you can do so with Samba. If you have an answer for that, I am interested.

Anyway, feel free to shoot me an email if you'd like help figuring this out: john at ixsystems dot com (reference this ticket or LDAP help or some such ;-))

#29 Updated by John Hixson about 2 years ago

  • Copied to Bug #40680: Kerberos authentication fixes for LDAP servers added
