Moin!
So. Das Thema mit "Samba verliert Berechtigung nach 10 Minuten ist vom Tisch". Ich hab das alles nochmal neu aufgesetzt. Jetzt komm ich allerdings gar nicht mehr drauf
Das CMD sagt mir wenn ich per net use mounten will dieses:
Spoiler anzeigen
net use P: \\LUKAS-NAS\Daten /user:BROGLE\Lukas <pw>
Systemfehler 5 aufgetreten.
Zugriff verweigert
Hat das schonmal jemand gesehen? Die SMB Config und die Kerberos Config häng ich natürlich wieder an. Die FS-Berechtigungen passen.
Samba:
Spoiler anzeigen
[global]
server role = MEMBER SERVER
security = ADS
realm = BROGLE.LOCAL
workgroup = BROGLE
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = SAMBA-Server
log file = /var/log/samba/%m.log
log level = 5
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config BROGLE : backend = rid
idmap config BROGLE : range = 30000-40000
password server = LUKAS-WINSERVER.brogle.local
encrypt passwords = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind expand groups = 2
winbind use default domain = yes
os level = 20
domain master = no
local master = no
preferred master = no
map to guest = bad user
host msdfs = no
netbios name = LUKAS-NAS
client min protocol = NT1
client max protocol = SMB3_11
hosts allow = 192.168.1.0/24
unix extensions = no
veto files = /.bash_logout/.bash_profiles/.bash_history/.bashrc/
hide unreadable = yes
acl group control = yes
acl map full control = true
ea support = yes
vfs objects = acl_xattr
store dos attributes = yes
dos filemode = yes
dos filetimes = yes
enable privileges = yes
restrict anonymous = 2
guest ok = no
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
username map = /etc/samba/user.map
[Daten]
comment = "User-Data"
path = /media/raid/Daten
create mask = 0770
browseable = yes
valid users = @"BROGLE+samba"
write list = @"BROGLE+samba"
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
Und Kerberos:
Spoiler anzeigen
[libdefaults]
default_realm = BROGLE.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 24h
renew_lifetime = 7d
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
BROGLE.LOCAL = {
kdc = LUKAS-WINSERVER.brogle.local
}
[domain_realm]
.brogle.local = BROGLE.LOCAL
brogle-local = BROGLE.LOCAL
[appdefaults]
pam = {
debug = false
ticket_lifetime = 360000
renew_lifetime = 360000
forwardable = true
}
Sollten irgendwelche Logs gebraucht werden o.Ä. liefer ich die natürlich gerne nach.
Ich danke im Vorraus!
LG
Lukas
OLD:
Spoiler anzeigen
Folgendes Problem: Ich habe auf meinem NAS ein Debian installiert. Auf diesem läuft ein Samba Server. Der Samba-Server authetifiziert sich via Kerberos an einem Active Directory Domain Controller auf nem Server 2016. Das funktioniert auch einwandfrei. Wenn ich mich nun verbinde, kann ich lesen und schreiben wie ich möchte in meinen Shares. Nach einer Zeit, meist zwischen 3-4 Stunden die der Samba Server online ist, sagt mit Windows wenn ich schreiben möchte "Zugriff auf den Zielordner vergweigert: Sie benötigen Berechtigungen zum durchführen des Vorgangs.". Wenn ich die Kiste reboote, funktioniert alles wie gehabt, für 3-4 Stunden. Hat jemand eine Idee? Ich bin ein bisschen ratlos dabei.
Meine Samba Config sieht so aus:
[global]
netbios name = LUKAS-NAS
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap uid = 10000-20000
winbind enum users = yes
winbind gid = 10000-20000
workgroup = brogle
os level = 20
winbind enum groups = yes
socket address = 192.168.1.142
password server = *
preferred master = no
winbind separator = +
max log size = 50
log file = /var/log/samba3/log.%m
encrypt passwords = yes
dns proxy = no
realm = BROGLE.LOCAL
security = ADS
wins server = 192.168.1.142
wins proxy = no
[Daten]
comment = DATA-Share
path = /media/raid/Daten
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = @"brogle.local+samba" <-- define your ADS groups
admin users = @"brogle.local+samba" <-- define your ads groups with admin rights
[Backup]
copy = Daten
comment = Backup
path = /media/raid/Backup
[tftp]
copy = Daten
comment = TFTP-Share
path = /media/raid/tftp
Meine krb5.conf ist jene:
[libdefaults]
default_realm = BROGLE.LOCAL
ticket_lifetime = 600
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
allow_weak_crypto = true
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
BROGLE.LOCAL = {
kdc = lukas-winserver.brogle.local
default_domain = BROGLE.LOCAL
}
[domain_realms]
.local = BROGLE.LOCAL
local = BROGLE.LOCAL
[kdc]
profile = /etc/krb5kdc/kdc.conf
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.logog