[Samba] CSC & roaming profiles

L.P.H. van Belle belle at bazuin.nl
Tue May 25 08:02:35 UTC 2021


Good Morning Anders.

I'm commenting in between your last reply. 

> -----Original message-----
> From: Anders Östling [mailto:anders.ostling at gmail.com] 
> Sent: Sunday 23 May 2021 19:09
> To: L.P.H. van Belle
> Subject: Re: [Samba] CSC & roaming profiles
> 
> Hi Lois
;-)  Louis  ;-) 

> 
> Thank you for having patience with us Samba users. I apologize for
> this long mail, but sometimes it helps the mind to write down events,
> and who knows, maybe you have some clever ideas on how to proceed :)
> 
> I decided not to spend more time on troubleshooting the strange
> permission and joining issues, but rather spend time to start from
> scratch. So I have used most of Saturday and today to reinstall two
> Samba AD, Windows server 2019 and a Windows 10 client, all with the
> goal to have a working setup to document.
> I started to provision a new domain on Samba AD DC, using the default
> values. I then created a second DC and joined the domain. Checked that
> replication and DNS worked as it should. No problems so far. I had an
> old Samba FS domain member. Stopped the smbd and winbind processes and
> removed the *.ldb/tdb as the documentation states. I then joined the
> new domain, and it worked too without any issues. Tested that I could
> access the existing shares from the DC's using smbclient. No problem.
> I then installed and added the 2 windows systems, and it worked as
> expected. Using the Windows server and RSAT/ADUC, I created a test
> user account and a couple of groups for further tests.  Logons and
> file sharing worked fine. Now things started to get interesting.
> 
> Let me describe the first problem I noted.
> 
> I intend to use the Win10 client as an administrator workstation.
> Therefore I logged in as DOMAIN/Administrator and installed all the
> RSAT apps. I then started to map up the drives, PROGRAMS, DOCUMENTS,
> PROFILES, SYS and USERS so that I could work with permissions easily
> from Windows.

Net logon? GPO? But reading on, I have seen enough ;-) 

>  Of these 5 shares, the 4 first were mapped without
> problem. But the USERS map gave me an ACCESS DENIED error. I double
> and triple checked the permissions from Linux/getfacl, but found no
> issues. When I instead opted to map the USERS drive using the test
> user account, it worked! But since that account has no system
> privileges, it can't be used to manage the share. So, even if it has
> LESS rights than Administrator, the mapping works. I repeated this a
> couple of times for verification, the same result every time.
> Since I can't administer the shared folder from Windows, I can only use
> get/setfacl to view the actual permissions.

On this, Windows checks who the owner of that folder is. 
Read this, it shows what I mean. 
https://aventistech.com/2019/08/28/gpo-for-users-folder-redirection/ 
Your solution is in this link. 
In GPO, adding "allow administrators to user folders" can help.



> 
> root at hp-srv03:/share2# getfacl Users
> # file: Users
> # owner: administrator
> # group: domain\040users
> # flags: -s-
> user::rwx
> user:root:rwx #effective:r-x
> user:administrator:rwx #effective:r-x
> user:domain\040admins:rwx #effective:r-x
> user:domain\040users:r-x
> group::r-x
> group:NT\040Authority\\authenticated\040users:rwx #effective:r-x
> group:10013:r-x
> group:domain\040admins:rwx #effective:r-x
> group:domain\040users:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:administrator:rwx
> default:user:domain\040admins:rwx
> default:group::---
> default:group:NT\040Authority\\authenticated\040users:rwx
> default:group:10013:---
> default:group:domain\040admins:rwx
> default:mask::rwx
> default:other::---

You didn't check the rights on sysvol, I think, because I'm not seeing "SYSTEM".
Compare yours with mine below. This is what I have.

getfacl /var/lib/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:mask::rwx
default:other::---

Where you see BUILTIN\\administrators for me, you can also use DOM\Domain Admins.
Winbind idmap and its resolving need to be verified. 

> 
> [Users]
> comment = "User home directories"
> guest ok = No
> path = /share2/Users
> read only = No
> 
> This is still unsolved, but just maybe has something to do 
> with the next issue.
> 
> I then installed a second identical Win 10 to use for user
> verification. Joined it to the domain and can login as Administrator
> on that one. Logged in as Test user and the U drive was mapped
> correctly. Then I ran the sysvolcheck on the second DC, for no
> specific reason, and got this
> 
> root at HP-SRV11:/home/administrator# samba-tool ntacl sysvolcheck
> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 446, in run
>     lp)
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1877, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1827, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
>     fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 115, in getntacl
>     xattr.XATTR_NTACL_NAME)
> 
> Ran sysvolreset again and that seems to have fixed it, because next
> sysvolcheck was silent.

Why you got the above one I can't tell, but to me it's again a right somewhere on sysvol 
(see how my rights are set). 
The easiest way to overcome that: you can add this to the sysvol (and netlogon) share in smb.conf: 
        acl_xattr:ignore system acls = yes

Then run sysvolreset one more time and then set the rights from within Windows. 
After that, no sysvolreset anymore.

> 
> Now to the second problem
> 
> But when I tried the Test user account, again on the Win10 client, I
> get a message "The Group Policy client service failed the sign-in.
> Access is denied. (OK)".

Which is, as far as I can see, correct if sysvol does not also have SYSTEM in the ACLs.

> 
> So, this made me go back to the sysvol and run checks on the permissions
> etc. On the first DC, sysvolcheck showed errors but sysvolreset
> corrected these. On the second, sysvolreset did not correct the error.
> So maybe there is something wrong with the Policies directory that
> causes both the issues (mapping of U and login). I am not sure and
> there is a ton of posts on the net regarding sysvol permissions.
> Anyway the permissions look like this
> 
> (FIRST DC)
> root at HP-SRV10:/var/lib/samba# ls -l /var/lib/samba/
> total 1412
> -rw-------   1 root root          421888 maj 20 10:43 account_policy.tdb
> drwxr-x---   2 root root            4096 maj 20 11:58 bind-dns
> drwxr-xr-x   4 root root            4096 maj 20 10:43 DriverStore
> -rw-------   1 root root             696 maj 20 10:43 group_mapping.tdb
> drwxr-x---   2 root root            4096 maj 22 14:34 ntp_signd
> drwxr-xr-x  12 root root            4096 maj 20 10:43 printers
> drwxr-xr-x   7 root root            4096 maj 22 14:34 private
> -rw-------   1 root root          528384 maj 20 10:43 registry.tdb
> -rw-------   1 root root          421888 maj 23 18:17 share_info.tdb
> drwxrwx---+  3 root       3000002   4096 maj 23 18:31 sysvol
> drwxrwx--T   2 root sambashare      4096 maj 20 10:43 usershares
> -rw-------   1 root root           32768 maj 22 14:34 winbindd_cache.tdb
> drwxr-x---   2 root winbindd_priv   4096 maj 22 14:34 winbindd_privileged
> root at HP-SRV10:/var/lib/samba# ls -l /var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/
> total 72
> drwxrwx---+ 4 3000000 3000000 4096 maj 22 14:17 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root    3000002 4096 maj 21 18:31 {6AC1786C-016F-11D2-945F-00C04fB984F9}
> drwxrwx---+ 4 3000000 3000000 4096 maj 22 14:17 {6AC1786C-016F-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root    3000002 4096 maj 21 14:56 {813AF46F-8D5D-4F8D-A79C-E01DCC1D9A4D}
> drwxrwx---+ 4 root    3000002 4096 maj 21 18:31 {A71EE201-8245-490C-8583-5231DE44FC96}
> drwxrwx---+ 4 root    3000002 4096 maj 22 11:50 {C31E5DB1-6D0D-4F10-9AF4-BCBB2DE83960}
> drwxrwx---+ 4 root    3000002 4096 maj 21 18:31 {C345C1AB-7A67-450E-A863-1C6ED57BE11E}
> drwxrwx---+ 4 root    3000002 4096 maj 21 20:03 {E2C539EE-9AEE-4064-B177-6DBA12121388}
> drwxrwx---+ 4 root    3000002 4096 maj 21 18:31 {FE5BEAC4-A519-4F0D-82B3-A240568ABF2B}
> 
> (SECOND DC)
> root at HP-SRV11:/home/administrator# ls -l /var/lib/samba/
> total 1412
> -rw-------   1 root root          421888 maj 20 10:43 account_policy.tdb
> drwxr-x---   2 root root            4096 maj 20 11:58 bind-dns
> drwxr-xr-x   4 root root            4096 maj 20 10:43 DriverStore
> -rw-------   1 root root             696 maj 20 10:43 group_mapping.tdb
> drwxr-x---   2 root root            4096 maj 23 10:49 ntp_signd
> drwxr-xr-x  12 root root            4096 maj 20 10:43 printers
> drwxr-xr-x   7 root root            4096 maj 23 10:49 private
> -rw-------   1 root root          528384 maj 20 10:43 registry.tdb
> -rw-------   1 root root          421888 maj 23 18:18 share_info.tdb
> drwxrwx---+  3 root       3000000   4096 maj 23 18:33 sysvol
> drwxrwx--T   2 root sambashare      4096 maj 20 10:43 usershares
> -rw-------   1 root root           32768 maj 23 10:49 winbindd_cache.tdb
> drwxr-x---   2 root winbindd_priv   4096 maj 23 10:49 winbindd_privileged


This also shows the rights are not correct, or the idmap sync didn't go correctly. 

DC1: > drwxrwx---+  3 root       3000002   4096 maj 23 18:31 sysvol
DC2: > drwxrwx---+  3 root       3000000   4096 maj 23 18:33 sysvol 

Both of these UIDs should be the same there. 

> root at HP-SRV11:/home/administrator# ls -l /var/lib/samba/sysvol/hoganas-platslagaren.se/Policies/
> total 64
> drwxrwx---+ 4 root 3000000 4096 maj 21 18:31 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root 3000000 4096 maj 21 18:31 {6AC1786C-016F-11D2-945F-00C04fB984F9}
> drwxrwx---+ 4 root 3000000 4096 maj 21 14:56 {813AF46F-8D5D-4F8D-A79C-E01DCC1D9A4D}
> drwxrwx---+ 4 root 3000000 4096 maj 21 18:31 {A71EE201-8245-490C-8583-5231DE44FC96}
> drwxrwx---+ 4 root 3000000 4096 maj 22 12:00 {C31E5DB1-6D0D-4F10-9AF4-BCBB2DE83960}
> drwxrwx---+ 4 root 3000000 4096 maj 21 18:31 {C345C1AB-7A67-450E-A863-1C6ED57BE11E}
> drwxrwx---+ 4 root 3000000 4096 maj 21 20:03 {E2C539EE-9AEE-4064-B177-6DBA12121388}
> drwxrwx---+ 4 root 3000000 4096 maj 21 18:31 {FE5BEAC4-A519-4F0D-82B3-A240568ABF2B}
> 
> One thought that I have is that adding in the existing Samba file
> server (even if the TDB/LDB was deleted) causes some issues. The
> second thought is that, judging by all the posts on the net, SYSVOL is still a
> gamble and too fragile for stable production. Maybe I am wrong, I sure
> hope so...
> 
> Again, sorry for the long mail, but I really want to solve this, and I
> am no quitter, nor afraid of looking for solutions either by
> trial-and-error or reading up on other Samba users' problems/solutions.
> This is what makes this community so great, don't you agree?

Set the rights as I told you and it will work. 
In order, on DC1: 
Stop samba, create a copy of idmap. 
Start samba-ad-dc. 
Set up the rights as shown above from within Windows. 

On DC2, stop samba. 
Sync sysvol (and netlogon) to DC2 and make sure the rights are the same.
Copy idmap to DC2. 
Start samba, check again. 

Have you also seen this: 
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R) 

You can start fixing things now; what I see is all fixable. 


Greetz, 

Louis
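The sysvol check described above (is SYSTEM in the ACL at all, and is the POSIX mask cutting entries down to r-x, which getfacl marks with "#effective:") as a small POSIX shell script. This is an added example, not something from this thread or from Samba. It reads a getfacl dump from a file, so it works on an ACL pasted out of a mail as well as on a live DC, and the two sample dumps it builds are constructed from the listings above (trimmed). The admins name defaults to BUILTIN\\administrators as in the reference dump; set SYSVOL_ADMINS to DOM\\Domain\040Admins if that is what your sysvol uses. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check a getfacl dump
# of a DC's sysvol directory for the two problems discussed in the thread:
#   1. a required principal (SYSTEM, the admins group) missing or not rwx
#   2. entries cut down by the POSIX mask, which getfacl flags "#effective:"
# Live use:  getfacl /var/lib/samba/sysvol > sysvol.acl; sh check.sh sysvol.acl

# Principals as getfacl prints them: \040 is an escaped space, \\ an escaped
# backslash. Override SYSVOL_ADMINS in the environment for DOM\\Domain\040Admins.
if [ -z "$SYSVOL_ADMINS" ]; then SYSVOL_ADMINS='BUILTIN\\administrators'; fi
SYSVOL_SYSTEM='NT\040AUTHORITY\\system'

# entry_rwx DUMPFILE NAME
# Succeeds when NAME is present as a named user or named group entry with
# rwx and no "#effective:" suffix (-x matches the whole line, -F keeps the
# backslashes literal, -i covers "NT\040Authority" vs "NT\040AUTHORITY").
entry_rwx() {
    grep -F -x -i -q -e "user:$2:rwx" -e "group:$2:rwx" "$1"
}

# mask_limited DUMPFILE
# Prints every entry whose granted rights exceed what the mask allows.
mask_limited() {
    grep -F '#effective:' "$1"
}

# check_sysvol_dump DUMPFILE
# Returns 0 when SYSTEM and the admins group have full rights and nothing is
# mask-limited; otherwise prints the findings and returns 1.
check_sysvol_dump() {
    dump=$1
    rc=0
    for name in "$SYSVOL_SYSTEM" "$SYSVOL_ADMINS"; do
        if ! entry_rwx "$dump" "$name"; then
            printf 'missing or not rwx: %s\n' "$name"   # printf: no backslash mangling
            rc=1
        fi
    done
    if mask_limited "$dump" >/dev/null; then
        printf 'mask-limited entries (the mask:: line is too restrictive):\n'
        mask_limited "$dump" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Constructed demo dumps: "bad" follows the pattern of the USERS share in the
# thread (no SYSTEM entry, mask r-x), "good" the sysvol reference ACL.
write_demo_dumps() {
    printf '%s\n' \
        '# file: Users' 'user::rwx' 'user:root:rwx #effective:r-x' \
        'user:domain\040admins:rwx #effective:r-x' 'group::r-x' \
        'group:domain\040admins:rwx #effective:r-x' 'mask::r-x' 'other::---' \
        > "$1"
    printf '%s\n' \
        '# file: var/lib/samba/sysvol/' 'user::rwx' 'user:root:rwx' \
        'user:BUILTIN\\administrators:rwx' 'user:NT\040AUTHORITY\\system:rwx' \
        'user:NT\040AUTHORITY\\authenticated\040users:r-x' 'group::rwx' \
        'group:BUILTIN\\administrators:rwx' 'group:NT\040AUTHORITY\\system:rwx' \
        'mask::rwx' 'other::---' \
        > "$2"
}

if [ $# -eq 1 ]; then
    check_sysvol_dump "$1"
else
    bad=$(mktemp) && good=$(mktemp) || exit 1
    write_demo_dumps "$bad" "$good"
    printf '== constructed USERS-style dump ==\n'
    check_sysvol_dump "$bad" || printf 'FAIL\n'
    printf '== constructed sysvol reference dump ==\n'
    check_sysvol_dump "$good" && printf 'OK\n'
    rm -f "$bad" "$good"
fi
```

With no argument it runs on the two constructed dumps; with a file argument it checks that dump. A mask-limited finding means fixing the mask:: line (or setting the rights from Windows, as Louis does), not the individual entries, since the mask caps every named user, named group and owning-group entry at once.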


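The DC1 to DC2 steps Louis lists above, as a script with the two checks that tell you whether it worked (same idmap.ldb on both DCs, same numeric owner and group on sysvol). This is an added example and not from the thread, from Samba or from the linked wiki page. It assumes Debian-style paths (/var/lib/samba/private/idmap.ldb, /var/lib/samba/sysvol), samba-ad-dc as the service name, and root ssh access from DC2 to DC1 for rsync; DC1_HOST is a placeholder and all function names are this example's own. The wiki page uses an rsync daemon instead of ssh; either way the rsync -X and -A flags are what keep the NT ACL xattrs and the POSIX ACLs intact on the copy.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: the DC1 -> DC2 idmap
# and sysvol procedure from the mail above, plus checks for the result.
# Assumptions: Debian paths, service name samba-ad-dc, root ssh to DC1.

SAMBA_PRIVATE=${SAMBA_PRIVATE:-/var/lib/samba/private}
SYSVOL=${SYSVOL:-/var/lib/samba/sysvol}

# On DC1: stop samba, take a consistent copy of idmap.ldb (tdbbackup writes
# idmap.ldb.bak next to it), start samba. Rights are then set from Windows.
dc1_snapshot_idmap() {
    systemctl stop samba-ad-dc
    tdbbackup -s .bak "${SAMBA_PRIVATE}/idmap.ldb"
    systemctl start samba-ad-dc
}

# On DC2: stop samba, pull sysvol from DC1 with POSIX ACLs (-A) and the
# xattrs (-X) that carry the NT ACLs, install DC1's idmap copy, start samba.
# netlogon is sysvol/<realm>/scripts by default, so it comes along.
# DC1_HOST is a placeholder hostname.
dc2_sync_from_dc1() {
    dc1=${1:-DC1_HOST}
    systemctl stop samba-ad-dc
    rsync -XAa --delete-after "root@${dc1}:${SYSVOL}/" "${SYSVOL}/"
    rsync -a "root@${dc1}:${SAMBA_PRIVATE}/idmap.ldb.bak" "${SAMBA_PRIVATE}/idmap.ldb"
    systemctl start samba-ad-dc
}

# owner_group PATH: numeric uid:gid of PATH (ls -ldn is POSIX, stat -c is not).
owner_group() {
    ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# same_owner PATH_A PATH_B: succeeds when both carry the same uid:gid. In the
# thread DC1's sysvol was root:3000002 and DC2's root:3000000, which is the
# mismatch a copied idmap.ldb removes.
same_owner() {
    [ "$(owner_group "$1")" = "$(owner_group "$2")" ]
}

# idmap_in_sync FILE_A FILE_B: succeeds when the two idmap databases are
# byte-identical (cksum on stdin so the differing file names do not matter).
idmap_in_sync() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

# Demo on constructed files (no DC needed): a copied idmap matches, an
# independently provisioned one does not; two directories made by the same
# account share an owner.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed idmap content from DC1\n' > "$d/idmap.dc1"
    cp "$d/idmap.dc1" "$d/idmap.dc2"
    printf 'constructed idmap content provisioned on DC2\n' > "$d/idmap.other"
    mkdir "$d/sysvol1" "$d/sysvol2"
    idmap_in_sync "$d/idmap.dc1" "$d/idmap.dc2" && echo "copied idmap: in sync"
    idmap_in_sync "$d/idmap.dc1" "$d/idmap.other" || echo "other idmap: NOT in sync"
    same_owner "$d/sysvol1" "$d/sysvol2" && echo "sysvol owners match"
    rm -rf "$d"
}
demo
```

After the sync, run owner_group "$SYSVOL" on both DCs; they must print the same uid:gid. idmap_in_sync compares the local idmap.ldb against a copy pulled from DC1. The demo at the bottom only touches temporary files; dc1_snapshot_idmap and dc2_sync_from_dc1 are meant to be called on the respective DC.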


> 
> /Anders
> 
> On Thu, May 20, 2021 at 12:32 PM L.P.H. van Belle 
> <belle at bazuin.nl> wrote:
> >
> > It looks good, but I don't know about these errors.
> >
> > Post this to the samba list, maybe Rowland has seen it before; I did a quick check in Bugzilla but I didn't see any bugs on these messages.
> >
> > It's mainly this part.
> > dsdb_replicated_objects_convert: Ignoring object outside 
> partition c45055a1-bf66-42f3-9acf-1e3ed0d187d8 
> CN=Schema,CN=Configuration,DC=hoganas-platslagaren,DC=se: 
> WERR_DS_ADD_REPLICA_INHIBITED
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=hoganas-platslagaren,DC=se] objects[114/115] 
> linked_values[24/72]
> > Partition[DC=hoganas-platslagaren,DC=se] objects[321/2729] 
> linked_values[67/72]
> > Failed to commit objects: DOS code 0x000021bf
> > Missing target object - retrying with DRS_GET_TGT
> >
> > Also, don't forget to sync sysvol to samba.  ;-)
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> > ________________________________
> > From: Anders Östling [mailto:anders.ostling at gmail.com]
> > Sent: Thursday 20 May 2021 12:02
> > To: L.P.H. van Belle
> > Subject: Re: [Samba] CSC & roaming profiles
> >
> > Hi
> >
> > Domain join failed due to "configuration error", I assume 
> that this was the too-high domain/forest level
> >
> > I managed to downgrade domain and forest to 2008, and it 
> seemed to work fine after that. There is one error that I 
> don't know if it is relevant or not
> >
> > root at HP-SRV10:/etc# rm /etc/samba/smb.conf
> > root at HP-SRV10:/etc# samba-tool domain join 
> hoganas-platslagaren.se DC -U "HPTLS\administrator"
> > INFO 2021-05-20 11:58:45,853 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #106: Finding a 
> writeable DC for domain 'hoganas-platslagaren.se'
> > INFO 2021-05-20 11:58:45,859 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #108: Found DC 
> HP-SRV02.hoganas-platslagaren.se
> > Password for [HPTLS\administrator]:
> > INFO 2021-05-20 11:58:50,793 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1541: workgroup is HPLTS
> > INFO 2021-05-20 11:58:50,794 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1544: realm is 
> hoganas-platslagaren.se
> > Adding CN=HP-SRV10,OU=Domain 
> Controllers,DC=hoganas-platslagaren,DC=se
> > Adding 
> CN=HP-SRV10,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=
> Configuration,DC=hoganas-platslagaren,DC=se
> > Adding CN=NTDS 
> Settings,CN=HP-SRV10,CN=Servers,CN=Default-First-Site-Name,CN=
> Sites,CN=Configuration,DC=hoganas-platslagaren,DC=se
> > Adding SPNs to CN=HP-SRV10,OU=Domain 
> Controllers,DC=hoganas-platslagaren,DC=se
> > Setting account password for HP-SRV10$
> > Enabling account
> > Calling bare provision
> > INFO 2021-05-20 11:58:51,081 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2105: Looking up IPv4 addresses
> > INFO 2021-05-20 11:58:51,081 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2122: Looking up IPv6 addresses
> > WARNING 2021-05-20 11:58:51,082 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2129: No IPv6 address will be assigned
> > INFO 2021-05-20 11:58:51,261 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2273: Setting up share.ldb
> > INFO 2021-05-20 11:58:51,292 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2277: Setting up secrets.ldb
> > INFO 2021-05-20 11:58:51,317 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2282: Setting up the registry
> > INFO 2021-05-20 11:58:51,401 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2285: Setting up the privileges database
> > INFO 2021-05-20 11:58:51,444 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2288: Setting up idmap db
> > INFO 2021-05-20 11:58:51,474 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2295: Setting up SAM db
> > INFO 2021-05-20 11:58:51,481 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #880: Setting up sam.ldb partitions and settings
> > INFO 2021-05-20 11:58:51,483 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #892: Setting up sam.ldb rootDSE
> > INFO 2021-05-20 11:58:51,489 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #1305: Pre-loading the Samba 4 and AD schema
> > Unable to determine the DomainSID, can not enforce 
> uniqueness constraint on local domainSIDs
> >
> > INFO 2021-05-20 11:58:51,528 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2348: A Kerberos configuration suitable for Samba AD has 
> been generated at /var/lib/samba/private/krb5.conf
> > INFO 2021-05-20 11:58:51,528 pid:5543 
> /usr/lib/python3/dist-packages/samba/provision/__init__.py 
> #2349: Merge the contents of this file with your system 
> krb5.conf or replace it with this one. Do not create a symlink!
> > Provision OK for domain DN DC=hoganas-platslagaren,DC=se
> > Starting replication
> > 
> Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> C=se] objects[402/1500] linked_values[0/0]
> > 
> Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> C=se] objects[804/1500] linked_values[0/0]
> > 
> Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> C=se] objects[1206/1500] linked_values[0/0]
> > 
> Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> C=se] objects[1599/1500] linked_values[0/0]
> > 
> Schema-DN[CN=Schema,CN=Configuration,DC=hoganas-platslagaren,D
> C=se] objects[1774/1500] linked_values[0/0]
> > Analyze and apply schema objects
> > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se] 
> objects[402/3381] linked_values[0/35]
> > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se] 
> objects[804/3381] linked_values[0/35]
> > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se] 
> objects[1206/3381] linked_values[0/35]
> > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se] 
> objects[1608/3381] linked_values[0/35]
> > Partition[CN=Configuration,DC=hoganas-platslagaren,DC=se] 
> objects[1806/3381] linked_values[35/35]
> > dsdb_replicated_objects_convert: Ignoring object outside 
> partition c45055a1-bf66-42f3-9acf-1e3ed0d187d8 
> CN=Schema,CN=Configuration,DC=hoganas-platslagaren,DC=se: 
> WERR_DS_ADD_REPLICA_INHIBITED
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=hoganas-platslagaren,DC=se] objects[114/115] 
> linked_values[24/72]
> > Partition[DC=hoganas-platslagaren,DC=se] objects[321/2729] 
> linked_values[67/72]
> > Failed to commit objects: DOS code 0x000021bf
> > Missing target object - retrying with DRS_GET_TGT
> > Partition[DC=hoganas-platslagaren,DC=se] objects[636/2729] 
> linked_values[134/72]
> > Partition[DC=hoganas-platslagaren,DC=se] objects[715/2729] 
> linked_values[139/72]
> > dsdb_replicated_objects_convert: Ignoring object outside 
> partition a45c5820-5828-449e-a83c-4edbe88bc727 
> CN=Configuration,DC=hoganas-platslagaren,DC=se: 
> WERR_DS_ADD_REPLICA_INHIBITED
> > dsdb_replicated_objects_convert: Ignoring object outside 
> partition ce610c6f-2c84-437d-8229-6245fe2c3b71 
> DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se: 
> WERR_DS_ADD_REPLICA_INHIBITED
> > dsdb_replicated_objects_convert: Ignoring object outside 
> partition 1a852b62-0fc3-4d63-ad78-52384d9178fd 
> DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se: 
> WERR_DS_ADD_REPLICA_INHIBITED
> > Done with always replicated NC (base, config, schema)
> > Replicating DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se
> > Partition[DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se] 
> objects[101/101] linked_values[0/0]
> > Replicating DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se
> > Partition[DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se] 
> objects[21/21] linked_values[0/0]
> > Exop on[CN=RID 
> Manager$,CN=System,DC=hoganas-platslagaren,DC=se] objects[3] 
> linked_values[0]
> > Committing SAM database
> > Repacking database from v1 to v2 format (first record 
> CN=ms-DS-Repl-Attribute-Meta-Data,CN=Schema,CN=Configuration,D
> C=hoganas-platslagaren,DC=se)
> > Repack: re-packed 10000 records so far
> > Repacking database from v1 to v2 format (first record 
> CN=default-Display,CN=406,CN=DisplaySpecifiers,CN=Configuratio
> n,DC=hoganas-platslagaren,DC=se)
> > Repacking database from v1 to v2 format (first record 
> DC=20,DC=2.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones
> ,DC=hoganas-platslagaren,DC=se)
> > Repacking database from v1 to v2 format (first record 
> DC=_ldap._tcp.Default-First-Site-Name._sites.dc,DC=_msdcs.hoga
> nas-platslagaren.se,CN=MicrosoftDNS,DC=ForestDnsZones,DC=hogan
> as-platslagaren,DC=se)
> > Repacking database from v1 to v2 format (first record 
> CN=Group Policy Creator Owners,CN=Users,DC=hoganas-platslagaren,DC=se)
> > INFO 2021-05-20 11:59:07,867 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1115: Adding 1 
> remote DNS records for HP-SRV10.hoganas-platslagaren.se
> > INFO 2021-05-20 11:59:07,890 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1178: Adding 
> DNS A record HP-SRV10.hoganas-platslagaren.se for IPv4 IP: 10.0.2.3
> > INFO 2021-05-20 11:59:08,012 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1206: Adding 
> DNS CNAME record 
> 01074a83-48cc-4605-98e5-97c23ef6df06._msdcs.hoganas-platslagar
> en.se for HP-SRV10.hoganas-platslagaren.se
> > INFO 2021-05-20 11:59:08,137 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1230: All other 
> DNS records (like _ldap SRV records) will be created 
> samba_dnsupdate on first startup
> > INFO 2021-05-20 11:59:08,138 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1236: 
> Replicating new DNS records in 
> DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se
> > Partition[DC=DomainDnsZones,DC=hoganas-platslagaren,DC=se] 
> objects[1/101] linked_values[0/0]
> > INFO 2021-05-20 11:59:08,168 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1236: 
> Replicating new DNS records in 
> DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se
> > Partition[DC=ForestDnsZones,DC=hoganas-platslagaren,DC=se] 
> objects[1/21] linked_values[0/0]
> > INFO 2021-05-20 11:59:08,192 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1251: Sending 
> DsReplicaUpdateRefs for all the replicated partitions
> > INFO 2021-05-20 11:59:08,202 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1281: Setting 
> isSynchronized and dsServiceName
> > INFO 2021-05-20 11:59:08,216 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1296: Setting 
> up secrets database
> > INFO 2021-05-20 11:59:08,258 pid:5543 
> /usr/lib/python3/dist-packages/samba/join.py #1558: Joined 
> domain HPLTS (SID S-1-5-21-687474044-2168480911-1327640110) as a DC
> > root at HP-SRV10:/etc#
> >
> > On 2021-05-20 09:49, L.P.H. van Belle wrote:
> >
> > Good Morning Anders,
> >
> > Well, the idea is fine of course, but it does have a few points to research and test first.
> > You can join all Windows servers "as member server" to Samba AD-DCs; you still can't join (as far as I know) a 2012R2 AD if the schema is also 2012.
> >
> > Depending on what SQL you use, you might need to extend the Samba schemas to support it, if it's MS SQL.
> > There are more that use that, only I can't tell about that; that's more a list question and I see few on the list passing by on this.
> > Also, lots use Azure these days; that's also a thing to research first.
> >
> > I use my W10 PC to manage some things with delegated rights, and like you, I have another PC (VM guest) only for management.
> > Since I use AD backends, I still use a W7 PC for management; I like/need the Unix tab in the RSAT tools, and that's the only reason.
> >
> > File/folder permissions, if you can join a Samba in the current AD, well, that won't change then; you can do the same as before and no rights will change.
> >
> > Keep an eye on these 2 bug reports.
> > https://bugzilla.samba.org/show_bug.cgi?id=13618
> > https://bugzilla.samba.org/show_bug.cgi?id=13619
> >
> > So if your W2012 server now runs the 2008R2 schema, only then your Samba AD-DC servers can join.
> >
> > I hope this helps you a bit.
> >
> >
> > Greetz,
> >
> > Louis
> >
> > ________________________________
> > From: Anders Östling [mailto:anders.ostling at gmail.com]
> > Sent: Wednesday 19 May 2021 22:27
> > To: L.P.H. van Belle
> > Subject: Re: [Samba] CSC & roaming profiles
> >
> > Lois, may I ask you for advice and/or opinion?
> >
> > We have a Windows 2019 that hosts a database ERP 
> application that only runs on Windows. For historical 
> reasons, that server is also a DC. There is also a second Win 
> 2012 server whose only role nowadays is to be a partner DC. No 
> apps or services are running on that one. We have kept it 
> just in case we need a failover windows server in case the 
> 2019 breaks down. The 2019 is a VM while the 2012 is a 
> physical server.
> >
> > Our Samba server holds all other files and data, including 
> a number of server based legacy apps (running under vDOS just fine).
> >
> > Now, if we decide to demote the Windows server from the DC 
> role and deploy a Samba AD DC instead, what would that mean 
> in terms of user and permission management? Today, I am using 
> the 2019 for such tasks, but I guess it would be possible to 
> do the same from a Windows 10 client using the RSAT tools, 
> right? It is a path that I would like to go, but on the other 
> hand I don't want to break anything too bad.
> >
> > 1- Install a new Samba AD DC and join the domain
> > 2- Transfer the FSMO roles to the samba DC
> > 3- Demote the Windows AD to a normal server
> > 4- Setup a new virtual Windows 10 client for administrative purposes
> >
> > How does this sound? I won't hold you accountable, just 
> asking for an opinion :)
> >
> > /Anders
> >
> > On Wed, May 19, 2021 at 12:03 PM L.P.H. van Belle 
> <belle at bazuin.nl> wrote:
> >>
> >> If you go for that, just copy them and run the fix-scripts.
> >> That's how I moved all my data from the server last time; that's why I also created the scripts. :-)
> >>
> >> On 1) yeah, I have a dedicated server for my data, only member servers in my case.
> >> On 2) after you did run that script, look also at the rights from within Windows; also look at the advanced rights there, that might help finding rights that are off.
> >> I focus in my setup on "everything" is group based. You see what I mean when you look up the rights.
> >>
> >> On 3) it does not really matter how you copy. If it's only user homes and profiles, the shown scripts are sufficient.
> >> If you are also moving "companydata", that's another script I use.
> >>
> >> That's a bit more work and preparation; in order, what that script does is:
> >> it finds all subfolders in "SAMBA_BASE" ( /srv/samba/companydata/ ); in this folder I do ls -d and every subfolder in there has the same group name in AD.
> >>
> >>
> >> # Loop over the department folder names directly under SAMBA_BASE;
> >> # each name is also the name of the matching group in AD.
> >> for FindFoldersDepartments in $(cd "${SAMBA_BASE}" && ls -d */ | tr -d /); do
> >>
> >>     # Remove old ACL's.
> >>     echo "Removing old ACL's for: ${FindFoldersDepartments}"
> >>     setfacl --recursive --remove-all "${SAMBA_BASE}/${FindFoldersDepartments}"
> >>
> >>     # Make sure we removed Other (everyone) from all files and folders.
> >>     echo "Recursively removing access for other (everyone) for: ${FindFoldersDepartments}"
> >>     chmod -R o-rwx "${SAMBA_BASE}/${FindFoldersDepartments}/"
> >>
> >>     # Set basic POSIX Rights
> >>     # set all owner rights to root:root (= Administrator:Domain Admins )
> >>     # without it, migrated files might still have their old UID/GIDs on them.
> >>     echo "Re-apply (recursive) root:root on the Departments folder for: ${FindFoldersDepartments}"
> >>     chown -R root:root "${SAMBA_BASE}/${FindFoldersDepartments}"
> >>     # Set Creator Group (setgid bit, so new files inherit the folder's group).
> >>     chmod -R 2770 "${SAMBA_BASE}/${FindFoldersDepartments}/"
> >>
> >>
> >> ...
> >> This is a part I use to get the needed SID/GID.
> >>
> >> function _apply_rights(){
> >>     # Find the SID of the group/folder: wbinfo -n prints "SID type",
> >>     # so the first field is the SID.
> >>     SID_DEPARTMENT="$(wbinfo -n "${FindFoldersDepartments}" | awk '{ print $1 }')"
> >>     if [ -z "$SID_DEPARTMENT" ]
> >>     then
> >>         echo "#4# Error unable to get SID for group :  ${FindFoldersDepartments}"
> >>     else
> >>         echo "#5# Found group ${FindFoldersDepartments}: $SID_DEPARTMENT"
> >>     fi
> >>
> >> From here I get the old rights; with getfacl I put that in files, correct it and re-apply it.
> >> This part does need work, because this is different per setup/company.
> >>
> >> On 4) looks fine, but I suggest: just add my part in a new share, get 1 user and their profile,
> >> copy it to the new location and adjust the user in AD.
> >> Less work and faster checkup.
> >>
> >> 5) netlogon? uh.. I don't use netlogon at all, only GPO here. The only tip I can give here is: use FQDN everywhere.
> >>
> >> 6) you might need to reboot, login and reboot again before everything is set in Windows.
> >> But that depends on what you use..
> >>
> >> I hope this helps a bit more ;-)
> >>
> >> Greetz ,
> >>
> >> Louis
> >>
> >>
> >> ________________________________
> >> From: Anders Östling [mailto:anders.ostling at gmail.com]
> >> Sent: Wednesday 19 May 2021 11:24
> >> To: L.P.H. van Belle; Rowland penny
> >> Subject: Re: [Samba] CSC & roaming profiles
> >>
> >> Since the permissions may have come into an inconsistent 
> state, I think that a better way could be to start from 
> scratch by doing this
> >>
> >> 1- Create a new virtual disk (the server is a VM under 
> KVM/QEMU) for just profiles and home directories.
> >> 2- Use your (lois) script to create folders and set 
> permissions for all users
> >> 3- Copy existing files from the production disk to 
> Profiles and Users to ensure that they inherit correct 
> permissions. What would be the best way to do this? XCOPY, cp 
> -R or something else?
> >> 4- Add new share definitions to the smb.conf to point the 
> shares to the new disk
> >> 5- Update the netlogon script
> >> 6- Reboot the clients
> >>
> >> /Anders
> >>
> >> Anders Östling
> >>
> >> Dämmegatan 11
> >> SE-25442 Helsingborg
> >> Sweden
> >> Phone: +46 768 716 165
> >> Skype: anders.ostling at outlook.com
> >>
> >> On 19 May 2021, 11:04 +0200, L.P.H. van Belle via samba 
> <samba at lists.samba.org>, wrote:
> >>
> >> https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
> >>
> >> The link again; if it gives a 404 the link got broken, but on that 404 page you do see the correct one.
> >>
> >>
> >> Can you show an output of getfacl on the userhomedir and profilefolder of a user?
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >> From: Anders Östling [mailto:anders.ostling at gmail.com]
> >> Sent: Wednesday 19 May 2021 10:59
> >> To: L.P.H. van Belle
> >> Subject: Re: [Samba] CSC & roaming profiles
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> On 19 May 2021, 10:42 +0200, L.P.H. van Belle via samba <samba at lists.samba.org>, wrote:
> >> Anders,
> >>
> >> I suggest having a look at this script I made.
> >> https://raw.githubusercontent.com/thctlo/samba4/master/samba-setup-share-folders.sh
> >> It sets up a base structure with the needed rights. Compare them with yours.
> >> Note, I use the AD backend on the member servers.
> >>
> >> I am using the RID backend, don't ask why. I guess I picked it from some template. So I guess that the script is not applicable to me. But I will have a close look at your script and the specific settings.
> >>
> >> To reduce problems (you never can fully, simply because of Windows..)
> >> 1) Set up the profiles with the rights as shown in the script.
> >> 2) read this..
> >> https://docs.microsoft.com/en-us/windows-server/storage/flder-redirection/folder-redirection-rup-overview
> >> 404 on that one
> >>
> >>
> >>
> >> And the sections below it.
> >>
> >> U:/AppData/Roaming.. On this, Windows expects the user to be the owner of the userhome dirs.
> >>
> >> They are
> >>
> >> Get a message "We could not log you on using a profile, a
> >> temporary profile has been created" (or quite similar to this)
> >> Same for profiles, but there you can also set it in GPO.
> >> GPO: Add the administrators security group to roaming user profiles.
> >> That helps for the profiles itself.
> >>
> >> I will check that too
> >>
> >> Check this script to fix the rights on the userhomedir
> >> https://github.com/thctlo/samba4/blob/master/samba-fix-userhome-recursive.sh
> >> I have seen the same as you; I must follow an order in how I create a new user, for example.
> >>
> >> I create the user, then the first thing I do is set the UID/GID for the user.
> >> Then I can make the home folder and profiles folder.
> >>
> >> If the user homedir is created directly when you add the user,
> >> like when you make a copy of another user and \\server.fqdn\users\%username% is used in RSAT,
> >> then the rights are wrong; in these cases I either run the above script or change it manually.
> >>
> >>
> >> I hope that this will help you.
> >>
> >> We will know in a couple of days. Thank you for your advice Lois!
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Anders Östling via samba
> >> Sent: Wednesday 19 May 2021 10:07
> >> To: Patrik via samba
> >> Subject: [Samba] CSC & roaming profiles
> >>
> >> Hi
> >> I have had roaming profiles enabled on user accounts since
> >> November last year. This is a small business with approx 10
> >> users, but a few of them are actually taking benefit of the
> >> roaming profile feature.
> >> Recently, they have had all sorts of problems with their
> >> profiles, usually Access Denied when trying to load the
> >> profiles (only those that actually roam between different
> >> computers). I have spent hours trying to find a pattern and
> >> pinpoint the exact source of the problem. During this
> >> digging, I have learned to hate Windows even more, since the
> >> profiles management is like an octopus, reaching into almost
> >> every part of the system...
> >>
> >> Anyway, I managed to get it back on track by loosening up
> >> permissions on the /share/profiles folder (temporary) but I
> >> need to find a permanent solution. During the attempts to
> >> restore the clients, I also found out that the C:/Windows/CSC
> >> directory has a function too. Another cache besides what is
> >> under C:/Users/<username>/Desktop/? At the same time, the few
> >> roaming users also got problems accessing their
> >> U:/AppData/Roaming folders. The permissions looked good, but
> >> MS apps (Excel and Word) had a different opinion and refused
> >> to load documents. The temporary fix for this was also to
> >> loosen up permissions on the AppData folder until I had a
> >> better understanding of what's going on.
> >>
> >> So, while re-reading the Samba wiki page, I saw that there is
> >> a parameter, csc policy = disable, that I have not seen
> >> before. Is the wiki for profiles updated recently with that
> >> one? I found some internet posts that describe the different
> >> values, enable/manual/disable and their functions. Could this
> >> have been a reason for my client's problem (several users on
> >> one computer, and a CSC that got confused)? If so, then I
> >> hope that disabling the function will make the clients work
> >> better once I have restored them from scratch.
> >>
> >> While I am typing, let me describe another specific user's
> >> situation. Initially she got the same permissions error when
> >> logging on another computer. But suddenly, her normal
> >> workstation started to behave like this (maybe after I
> >> loosened up the permissions on the /share/profiles, hard to tell).
> >>
> >> She logs on the domain
> >> Get a message "We could not log you on using a profile, a
> >> temporary profile has been created" (or quite similar to this)
> >> A blank desktop with Trashcan
> >> The netlogon script has mapped up her drives correctly
> >>
> >> The C:/Users folder now contains these folders
> >> /katarina (hers)
> >> /temp.hlts (domain name)
> >> /temp.hplts.1
> >> /temp.hplts.2
> >> /temp.hplts.3
> >>
> >> She can navigate to /Users/katarina/Desktop where all her
> >> saved shortcuts are, and CTRL-A, CTRL-C. Then close explorer
> >> and CTRL-V on desktop. Everything works as before, including
> >> mapped drives and app and document shortcuts. If she logs
> >> out, then all steps need to be repeated. So for the moment,
> >> she just WIN+L at the end of the day until her computer is
> >> re-installed, and hopefully things are working again.
> >>
> >> She CAN map the profile folder on the server as a drive manually
> >> without getting any permission error. This makes me believe
> >> that the problem is on the client side, not the server.
> >>
> >> Windows 10 2020H2 on the clients.
> >> Samba 4.13.8 on the server
> >> Windows 2019 Standard as DC
> >>
> >> End of rant. I hope that someone can give some insight and
> >> maybe advise on how to fix this mess. If not, it's a
> >> re-install of the affected clients and praying that the CSC
> >> disable will help.
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >>
> >>
> >>
> >
> >
> >
> > --
> > ------ -------------------- 8 ------------------ ------
> > "A wise man once told me - Any idiot can do backups, but it 
> takes a genius to successfully restore"
> >
> > Anders Östling
> > +46 768 716 165 (Mobil)
> > +46 431 45 56 01  (Hem)
> >
> 
> 
> 
> 
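The thread keeps coming back to one condition: Windows expects each user to own their own home and profile directory, and Louis suggests checking with getfacl. The following is an added audit script, not part of the thread or of Louis's samba4 scripts; it assumes one directory per user named after the account (optionally with a Windows profile version suffix such as .V6) and GNU `stat`.

```shell
# Added example (not from the thread): audit a profiles or home share and
# report every directory whose Unix owner is not the user it is named after.
# Assumptions: one directory per user, named exactly like the account, with an
# optional Windows roaming-profile suffix (alice.V6), and GNU coreutils stat.
audit_user_dirs() {
    # $1 = share root such as /share/profiles
    # Prints one line per mismatch; returns 0 only when every directory
    # is owned by its namesake user, so it can be used from a cron check.
    local root="$1" dir name owner rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # alice.V6 is the Windows 10 profile folder for alice: compare as alice
        name=${name%.V[0-9]*}
        owner=$(stat -c %U "$dir")
        if [ "$owner" != "$name" ]; then
            printf 'MISMATCH %s owner=%s expected=%s\n' "$dir" "$owner" "$name"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_user_dirs /share/profiles` (and again on the users share); a non-zero exit means at least one directory would trigger the temporary-profile behaviour described above and needs its owner fixed.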