CIFS Logfile for Troubleshooting

MaddinK

New Member
May 16, 2018
Sorry, but I cannot help myself.
I don't have any idea why and when my successfully AD-joined Napp-IT lets me access its SMB shares and when not.

From Windows Explorer on my AD-joined PC everything works, but on other PCs or in applications the same user gets access denied for the same share.
Yes, the time and DNS settings are correct on all machines, and because I always tested with the same user and share, it cannot be an ACL issue.

It seems to work only when the PC is a domain member (the Windows session already has a Kerberos ticket??), but for some services I also need to authenticate via credentials ("domain\username" or "username@domain.local" and AD password).

So where do I find a log for CIFS, failed logins etc.?
/var/adm/messages does not provide me any help on this.

Thanks for any help in advance!!
 

gea

Well-Known Member
Dec 31, 2010
DE
Just to understand:

- Windows and OmniOS are domain members: everything is OK

- OmniOS is a domain member but Windows is not:
If you connect via username@domain, everything is OK; some services require a re-authentication.
A connection via username alone does not work?

This would be as expected, as you can only connect with an explicit AD account or a local OmniOS account (e.g. root) then.

btw
The SMB server prints basic access messages to the root console. For more detailed information there is no log besides the global /var/adm/messages, which provides basic logging. For user auditing you must enable auditing (I have not played with it myself), e.g. Configuring the Audit Service (Tasks) - Oracle Solaris 11.1 Administration: Security Services (OmniOS is basically a fork of an early Solaris 11, so these manuals are quite good); see also Feature #11037: SMB File access audit logging (reserve IDs) - illumos gate - illumos
 

MaddinK

New Member
May 16, 2018
Thanks for your reply Gea.

> - Windows and OmniOS are domain members: everything is ok
When I use the normal Explorer in my own security context: yes, everything is OK.

But when I want to start a script or a service, this script/service/program does not run in my "session or security context" and cannot use my already granted Kerberos ticket. It needs to authenticate against the AD with explicit credentials, and then it fails to map a share with "access denied".
I have tried both the username@domain.local and the domain\username syntax; both fail.

> If you connect via username@domain, everything is ok,
NO, that is exactly my problem. I cannot authenticate with username/pwd nor with domain\username and pwd.
I can only map a share without any username/pwd.
The only working method is that I am already authenticated as a domain member (probably already have a Kerberos ticket); then I can access all shares without entering any credentials at all.

> For user auditing, you must enable auditing
Yes, but that is not what I need for troubleshooting, because then I get all successful actions logged: user opens file xy, deletes file xyz.
(At least that is what I understand from your provided links...)

> The SMB server prints basic access messages to root console
Yes, I saw it, but could not believe that this is the only info I can get.
I read there only:
idmap[507: ] GSSAPI Error: unspecified gss failure. Minor code may provide more information (unknown code 255)
idmap[507: ] adutils: ldap_lookup_init failed

But these messages come very rarely and are not time-related to unsuccessful mount requests; the last message was from yesterday and I also tried many times today.

So any help is still welcome!!
 

gea

Well-Known Member
Dec 31, 2010
DE
If you log in to a share without permissions (user or anonymous), you get a console + log entry in /var/adm/messages like

Mar 30 16:24:47 nas last message repeated 5 times
Mar 30 16:31:06 nas smbd[1643]: [ID 617204 daemon.error] Can't get SID for ID=0 type=1, status=-9977

If there is no message, the login is successful or not logged, as it is not related to a share or a valid user.

To check for valid logins:
- SMB connect a share from Windows as a user that is a member of the local OmniOS SMB group admins, e.g. root
- Open Computer Management in Windows and open the menu "connect to server" (OmniOS IP)
- In Computer Management you then see connected users, shares and open files

To check script behaviour, create a simple script on Windows:
- connect a share via net use (Windows cmd: net use ?)
optionally delete connected shares first, then reconnect
- call an app, e.g. robocopy, and try to copy some files from or to a share, e.g. robocopy \\server\share\folder\*.* c:\tmp
- pause the script to see the return messages

If this works, the problem must be elsewhere.
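A worked version of the test script described in this post, as an added example that is not part of the thread or of napp-it/OmniOS. It first prints the security context the script actually runs in (whoami, klist) so you can see that a scheduled task or service does not carry the Explorer session's Kerberos ticket, then drops any cached connection, connects with explicit AD credentials and copies a probe file in both directions. The server name, share, account and temp path are placeholder assumptions; adjust them to your environment.

```powershell
# Added example, not code from the thread. Assumed placeholders below.
$Server   = 'nas'                      # OmniOS / napp-it host (assumption)
$Share    = 'data'                     # share under test (assumption)
$Unc      = "\\$Server\$Share"
$User     = 'DOMAIN\testuser'          # explicit AD account under test (assumption)
$LocalTmp = Join-Path $env:TEMP 'smbtest'

# Password is prompted, not hard-coded; net use still receives it as an argument,
# so use a throw-away test account and do not leave this in a scheduled task.
$Secure = Read-Host -Prompt "Password for $User" -AsSecureString
$Plain  = [System.Net.NetworkCredential]::new('', $Secure).Password

# 1. Which identity is this script running as, and does it hold Kerberos tickets?
#    Run the same script via Task Scheduler / as a service to compare with Explorer.
Write-Host "--- security context ---"
whoami
Write-Host "--- Kerberos ticket cache ---"
klist

# 2. Drop any existing connection to the share so the explicit credentials are used.
net use $Unc /delete /y 2>$null | Out-Null

# 3. Connect with explicit credentials. On failure net prints "System error N":
#    5 = ERROR_ACCESS_DENIED (authenticated but not allowed),
#    1326 = ERROR_LOGON_FAILURE (wrong user/password or credential not accepted).
Write-Host "--- net use $Unc as $User ---"
net use $Unc /user:$User $Plain /persistent:no
$connectRc = $LASTEXITCODE
if ($connectRc -ne 0) {
    Write-Warning "net use failed (exit code $connectRc); see the System error line above"
    Pause
    exit $connectRc
}

# 4. Copy a probe file to the share and back. robocopy exit codes are bit flags:
#    0-7 mean no failures, 8 and above mean at least one copy failed.
New-Item -ItemType Directory -Force -Path $LocalTmp | Out-Null
'smb probe' | Set-Content (Join-Path $LocalTmp 'probe.txt')
robocopy $LocalTmp "$Unc\smbtest" probe.txt /R:0 /W:0
$upRc = $LASTEXITCODE
robocopy "$Unc\smbtest" $LocalTmp probe.txt /R:0 /W:0
$downRc = $LASTEXITCODE
Write-Host "robocopy upload rc=$upRc, download rc=$downRc (0-7 ok, 8+ failed)"

# 5. Clean up the connection and hold the window so the messages stay visible.
net use $Unc /delete /y | Out-Null
Pause
```

Run it once from an interactive console and once through Task Scheduler under the same account: if the interactive run shows krbtgt/cifs tickets in klist and succeeds while the scheduled run shows an empty cache and "System error 5" or "1326", the difference is the security context, not the share ACL, which is the distinction the thread is circling around.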