Centrifydc (adbindproxy 5.5) + stock samba 4.8 can't access share

Participant II
Posts: 4
Registered: 3 weeks ago
#1 of 4 239
Accepted Solution

Centrifydc (adbindproxy 5.5) + stock samba 4.8 can't access share

Hi!

I have OLE 7.6 with Centrifydc (adbindproxy 5.5) + stock samba 4.8 in domain.

Domain logon works perfectly.

In Windows clients I can see the shares (samba-test and home directory), but I can't enter them.

adbindproxy.pl --info

The Samba base path is : /usr

CentrifyDC Version           = 5.5.1-400
CentrifyDC Architecture      = 64-bit
CentrifyDC Realm             = domain.by
CentrifyDC NTLM Domain       = domain
CentrifyDC Host              = serv.domain.by
CentrifyDC Short Host        = servt

Samba Version                = 4.8.3
Samba Architecture           = 64-bit
Samba Realm                  = domain.BY
Samba NetBIOS Name           = SERV

Samba Version Supported      = yes
Samba and CDC in same Realm  = yes
Samba and CDC share machine account = yes
Password sync using libtdb   = <not specified>

adcheck -t net domain.by
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 10.XX.XXX.XX                                : Pass
DNSPROBE : Probe DNS server 10.XX.XXX.XX                               : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                              : Warning
         : You are running OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017.
         : Cannot read /etc/ssh/sshd_config, you should run adcheck as root.

1 warning was encountered during check. We recommend checking this before proceeding

smb.conf

[global]
    security = ADS
    realm = domain.BY
    workgroup = domain
    netbios name = serv

    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    #
    # Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
    # with "kerberos method".  The directive "kerberos method = secrets and keytab"
    # enables Samba to honor service tickets that are still valid but were
    # created before the Samba server's password was changed.
    #
    kerberos method = secrets and keytab

    #
    # Setting "client use spnego principal" to true instructs SMB client to
    # trust the service principal name returned by the SMB server. Otherwise,
    # client cannot be authenticated via Kerberos by the server in a different
    # domain even though the two domains are mutually trusted.
    #
    #client use spnego principal = true

    #
    # Setting send spnego principal to yes .
    # Otherwise, it will not send this principal between Samba and Windows 2008
    #
    #send spnego principal = Yes

    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto

    client ntlmv2 auth = yes
    client use spnego = yes

    bind interfaces only = yes
    interfaces = 10.XX.XXX.XXX

    template shell = /bin/bash

    winbind use default domain = Yes

    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false

    # Disable Logging to syslog, and only write log to Samba standard log files.
    # syslog = 0

log file = /var/log/samba/samba_log.%m
log level = 3

[samba-test]
    path = /samba-test
    public = yes

    #  if set  public = No, we should  set parameter valid users .
    #  and when the user or group is in AD , the setting syntaxes is:
    #  valid users = domain\username +domain\group

    writable = yes


[homes]
    comment = Home directories
    read only = No
    browseable = No

smbclient -k -L localhost
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)

sudo systemctl status -l centrifydc-samba
● centrifydc-samba.service - SYSV: Centrify AD Bind Daemon
   Loaded: loaded (/etc/rc.d/init.d/centrifydc-samba; bad; vendor preset: disabled)
   Active: active (running) since Wed 2018-11-28 13:02:22 +03; 2h 2min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 18785 ExecStop=/etc/rc.d/init.d/centrifydc-samba stop (code=exited, status=0/SUCCESS)
  Process: 18825 ExecStart=/etc/rc.d/init.d/centrifydc-samba start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/centrifydc-samba.service
           ├─18838 /usr/sbin/nmbd
           ├─18847 /usr/sbin/winbindd -s /etc/centrifydc/smb2.conf
           ├─18853 /usr/sbin/winbindd -s /etc/centrifydc/smb2.conf
           ├─18856 /usr/share/centrifydc/sbin/adbindd
           ├─18870 /usr/sbin/smbd
           ├─18872 /usr/sbin/smbd
           ├─18873 /usr/sbin/smbd
           ├─18874 /usr/sbin/smbd
           └─18916 /usr/sbin/smbd

Nov 28 14:48:34 Serv.domain.by nmbd[18838]:   This response was from IP 10.XX.XXX.002, reporting an IP address of 10.XX.XXX.002.
Nov 28 14:53:43 Serv.domain.by nmbd[18838]: [2018/11/28 14:53:43.985471,  0] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
Nov 28 14:53:43 Serv.domain.by nmbd[18838]:   query_name_response: Multiple (2) responses received for a query on subnet 10.XX.XXX.001 for name DOMAIN<1d>.
Nov 28 14:53:43 Serv.domain.by nmbd[18838]:   This response was from IP 10.XX.XXX.002, reporting an IP address of 10.XX.XXX.002.

 

I really hope for your help.

Participant II
Posts: 4
Registered: 3 weeks ago
#2 of 4 230

Re: Centrifydc (adbindproxy 5.5) + stock samba 4.8 can't access share

smbclient -k -L serv

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba 4.8.3)
        username        Disk      Home directories
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        MMBANK               SERV-2

SERV-2 is a similar server on the same subnet.

Participant II
Posts: 4
Registered: 3 weeks ago
#3 of 4 220

Re: Centrifydc (adbindproxy 5.5) + stock samba 4.8 can't access share

I can see the shares (samba-test and home directory), but I can't enter them.

What am I doing wrong?

Participant II
Posts: 4
Registered: 3 weeks ago
#4 of 4 210

[SOLVED]: Centrifydc (adbindproxy 5.5) + stock samba 4.8 can't access share

Learned the power of SELinux.

Moved to the dark side of the force.
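
A diagnostic sketch for the SELinux cause named in the final post, added here and not part of the thread: it maps `smbd_t` AVC denials to the usual labelling fix (`samba_share_t`) or boolean (`samba_enable_home_dirs`) for shares like `[samba-test]` and `[homes]`, so access can be granted with SELinux left enforcing. The thread does not say which denials occurred or what was changed, so the audit lines are constructed and `smbd_denials`, `suggest_fix` and `report` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Constructed audit.log lines (not from the thread): two smbd_t denials, one unrelated.
SAMPLE_AUDIT='type=AVC msg=audit(1543400000.123:456): avc:  denied  { read } for  pid=18870 comm="smbd" name="samba-test" dev="dm-0" ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1543400001.456:457): avc:  denied  { getattr } for  pid=18872 comm="smbd" path="/home/username" dev="dm-0" ino=5678 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1543400002.789:458): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0'

# Print "perms target_type tclass" for each denial whose source domain is smbd_t.
# Filtering on scontext rather than comm= ties the result to the policy domain.
smbd_denials() {
  awk '
    /avc: +denied/ && /scontext=[^ ]*:smbd_t:/ {
      perm = ""; ttype = ""; tclass = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "}") inperm = 0
        if (inperm) perm = (perm == "" ? $i : perm "," $i)
        if ($i == "{") inperm = 1
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/) tclass = substr($i, 8)
      }
      print perm, ttype, tclass
    }'
}

# Map a denied target type to the usual remediation.
# $1 = target type, $2 = dedicated share directory from smb.conf (assumed).
suggest_fix() {
  case "$1" in
    user_home_dir_t|user_home_t)
      echo "setsebool -P samba_enable_home_dirs on" ;;
    samba_share_t)
      echo "label is already samba_share_t; check POSIX permissions and ACLs" ;;
    *)
      echo "semanage fcontext -a -t samba_share_t '$2(/.*)?' && restorecon -Rv $2" ;;
  esac
}

# stdin: audit log text; $1: share path. One line per distinct denial.
report() {
  smbd_denials | sort -u | while read -r perm ttype tclass; do
    printf '%s on %s (%s): %s\n' "$perm" "$ttype" "$tclass" "$(suggest_fix "$ttype" "$1")"
  done
}

printf '%s\n' "$SAMPLE_AUDIT" | report /samba-test
```

On a live host, feed `report` from `ausearch -m avc -c smbd --raw` (run as root) instead of the sample, and review each suggested command before applying it.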