[Samba] CIFS proxy


Maximiliano Bertacchini

Jul 6, 2011, 4:30:02 PM
Hi,

I need to run a Samba CIFS proxy (not DFS) in an AD environment. What we
tried so far is mounting the remote share with mount.cifs and "-o
sec=krb5i,multiuser" and share it through samba. But mount.cifs's
multiuser option requires local access to the domain user's kerberos
tickets, i.e., if I log in as a domain user and run kinit to get a ticket,
everything works. If the multiuser option is not used the permission
checks done by the server will always correspond to the credentials used
to mount the share, and not necessarily to the user who is accessing the
share (quoted from man mount.cifs). The question is how to make this
work automatically so as not to require each domain user to log in to the
samba server and kinit manually.

Winbind is configured and running correctly (wbinfo -u/-g lists domain
users/groups). I can su - into a domain user and log in as a domain user
(locally and ssh).

I've checked samba4's ntvfs cifs module but it won't even compile and I
guess it's not ready for production.

Here's smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
log level = 2
max log size = 1000
syslog = 0
security = ADS
password server = server01.mydomain.com
encrypt passwords = yes
passdb backend = tdbsam
load printers = no
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum groups = yes
winbind enum users = yes
winbind separator = .
winbind use default domain = yes
winbind refresh tickets = true
template shell = /bin/bash

[cifs]
comment = cifs mountpoint
path = /mnt/cifs
public = yes
writable = yes
browseable = yes

Thanks,

Max

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrew Bartlett

Jul 6, 2011, 5:30:02 PM
On Wed, 2011-07-06 at 17:25 -0300, Maximiliano Bertacchini wrote:
> Hi,
>
> I need to run a Samba CIFS proxy (not DFS) in an AD environment.
>
> I've checked samba4's ntvfs cifs module but it won't even compile and I
> guess it's not ready for production.

Samba4's CIFS proxy is what you want. If you have issues compiling
Samba4, then let's deal with those. The CIFS proxy is quite well tested
as part of our automated test suite, and I would be far happier using it
in production than going via the linux kernel CIFS client.

The Samba4 CIFS proxy supports both accepting forward-able Kerberos
tickets, and (newly developed by metze) using S4U2Proxy to get the
tickets itself.

Andrew Bartlett

--
Andrew Bartlett <abar...@samba.org>

Maximiliano Bertacchini

Jul 22, 2011, 11:40:02 AM
Hi. We managed to get samba 4 cifs proxy working with s4u2proxy auth in
an AD environment. The problem is it won't let clients either write
files larger than 16441 bytes or read files larger than 65536 bytes.
For example, writing a 16641 byte file works ok, but writing a 16642
byte (or larger) file fails:

# ls -l 16641.txt 16642.txt
-rw-r--r-- 1 root root 16641 Jul 21 11:30 16641.txt
-rw-r--r-- 1 root root 16642 Jul 21 11:30 16642.txt

# smbclient //samba4/cifs4test -k -c "put 16641.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
putting file 16641.txt as \16641.txt (8125.1 kb/s) (average 8125.5 kb/s)

# smbclient //samba4/cifs4test -k -c "put 16642.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
cli_push returned NT_STATUS_ACCESS_DENIED
NT_STATUS_IO_TIMEOUT closing remote file \16642.txt

Reading files up to 65536 bytes works fine, but reading larger files
produces a 0 byte file with no error messages:

# smbclient //samba4/cifs4test -k -c "get 65535.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
getting file \65535.txt of size 65535 as 65535.txt (12799.6
KiloBytes/sec) (average 12799.8 KiloBytes/sec)

# smbclient //samba4/cifs4test -k -c "get 65536.txt"
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 4.0.0alpha16]
getting file \65536.txt of size 65536 as 65536.txt (0.0 KiloBytes/sec)
(average 0.0 KiloBytes/sec)

# ls -ll 65535.txt 65536.txt
-rw-r--r-- 1 root root 65535 Jul 22 12:09 65535.txt
-rw-r--r-- 1 root root 0 Jul 22 12:10 65536.txt

If clients connect directly to the server (windows 2003 SP2) everything
works fine.
We tested this on windows xp and smbclient 3.5.8 as clients and Samba 4
alpha16 as cifs proxy with increasing debug levels, but haven't found
any suspicious message so far. The samba 4 server is "Trusted for
delegation" in AD. We also tried using cifs:user/cifs:password or
cifs:use-s4u2proxy options to no avail.

[global]
server role = member server


workgroup = MYDOMAIN
realm = MYDOMAIN.COM

netbios name = SAMBA4
[cifs4test]
ntvfs handler = cifs
cifs:server = SERVER01
cifs:share = enc

Any suggestions on how to further debug this?
Thanks!

Max

On 06/07/11 18:22, Andrew Bartlett wrote:
> On Wed, 2011-07-06 at 17:25 -0300, Maximiliano Bertacchini wrote:
>> Hi,
>>
>> I need to run a Samba CIFS proxy (not DFS) in an AD environment.
>>
>> I've checked samba4's ntvfs cifs module but it won't even compile and I
>> guess it's not ready for production.
> Samba4's CIFS proxy is what you want. If you have issues compiling
> Samba4, then let's deal with those. The CIFS proxy is quite well tested
> as part of our automated test suite, and I would be far happier using it
> in production than going via the linux kernel CIFS client.
>
> The Samba4 CIFS proxy supports both accepting forward-able Kerberos
> tickets, and (newly developed by metze) using S4U2Proxy to get the
> tickets itself.
>
> Andrew Bartlett
>

--
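
Added example, not part of the original posts or of Samba's code: a small Python harness for the boundary testing described in the message above. It round-trips files at each size of interest and at its two neighbours and compares the bytes, so a download that exits cleanly but yields 0 bytes is reported as corruption. The function names, the remote file naming and the simulated transport (constructed to mimic the limits reported above) are assumptions; `smbclient_transport` uses only the `-k` and `-c` options shown in the thread.

```python
import os, subprocess, tempfile
from pathlib import Path

def smbclient_transport(share):
    """(put, get) callables driving smbclient with Kerberos, as in the thread."""
    def run(cmd):
        return subprocess.run(["smbclient", share, "-k", "-c", cmd],
                              capture_output=True).returncode == 0
    return (lambda local, remote: run(f'put "{local}" "{remote}"'),
            lambda remote, local: run(f'get "{remote}" "{local}"'))

def simulated_transport(store, max_write=16641, max_read=65535):
    """Constructed stand-in that mimics the limits reported in the thread."""
    def put(local, remote):
        data = Path(local).read_bytes()
        if len(data) > max_write:
            return False                      # upload rejected
        store[remote] = data
        return True
    def get(remote, local):
        data = store[remote]                  # oversized read: empty file, no error
        Path(local).write_bytes(data if len(data) <= max_read else b"")
        return True
    return put, get

def roundtrip(size, put, get, workdir):
    """Upload `size` random bytes, download them again, classify the outcome."""
    src, dst = Path(workdir, f"{size}.src"), Path(workdir, f"{size}.dst")
    data = os.urandom(size)
    src.write_bytes(data)
    if not put(src, f"{size}.bin"):
        return "put-failed"
    if not get(f"{size}.bin", dst) or not dst.exists():
        return "get-failed"
    got = dst.read_bytes()
    if got != data:   # exit status said success, content says otherwise
        return f"corrupt ({len(got)} of {size} bytes)"
    return "ok"

def probe(boundaries, put, get):
    """Round-trip each boundary size and its two neighbours: {size: outcome}."""
    with tempfile.TemporaryDirectory() as workdir:
        return {s: roundtrip(s, put, get, workdir)
                for b in boundaries for s in (b - 1, b, b + 1)}

if __name__ == "__main__":
    # Real run (share name from the thread): smbclient_transport("//samba4/cifs4test")
    put, get = simulated_transport({}, max_write=10**6)
    for size, outcome in probe([16641, 65535], put, get).items():
        print(size, outcome)
```

Running the same probe once through the proxy and once directly against the backing server separates limits introduced by the proxy from limits of the server itself.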

Marco Pizzoli

Aug 12, 2011, 2:20:02 PM
Hi,
please could you point me to a doc related to CIFS proxy setup?

Is it sufficient to install this component or do I have to set up an entire
samba4 instance?

Any hint welcome! :-)
Thanks
Marco

--
_________________________________________
It is not the one who never falls who is strong, but the one who, falling, has the strength to get back up.
Jim Morrison
