Problems with Samba 4 Beta 1 and a possible bug that was previously reported

Trever L. Adams trever.adams at gmail.com
Thu Jun 7 01:50:32 MDT 2012


On 06/07/2012 12:57 AM, Andrew Bartlett wrote:
> On Thu, 2012-06-07 at 00:13 -0600, Trever L. Adams wrote:
>> Bug first:
>> Provision needs to make userPrincipalName = administrator@.... for the
>> administrator user. I do not know if Windows creates this or not, but
>> many programs using AD require it.
> Can you find out exactly what Windows does here, and how we differ?
>
> There is an implicit userPrincipalName of USER@realm for every USER that
> we simply make up in the KDC when handling the lookup.
I am unable. I don't have Windows server products. I just know that many
methods of integrating with many programs use the userPrincipalName in
an ldap lookup (either as the key or what it wants back). I believe, but
am not sure, that samba now creates this on the creation of new users,
but not provisioning and creation of the administrator account. I just
got bitten by this (again... I was bitten by it when I first messed with Samba
4 alphas about a year ago but forgot and chased it down).
>> Such should also happen for samba-tool user create.
>>
>> Problems:
>> Samba alpha 20 ate my installations (all 3, 2 of which were active). I
>> am moving /usr/local/samba out of the way (1 installation so far as I
>> am having problems). /home/DOMAIN is home, /home/DOMAIN-appdata is app
>> data, /home/DOMAIN-profiles is profiles, /home/DOMAIN-data is a shared
>> drive. These are the same as before. The GPO is as close to the original
>> as possible (I documented it).
>>
>> Administrator can log in. app data and home seem to be accurate and no
>> complaint about profile. However, any other user cannot log in. I don't
>> have the exact error in front of me but it was gpo causing login to fail
>> (or denying login) on login (about 30 seconds after entering
>> username/password).
>>
>> I have successfully changed owners of all the files. I believe I have
>> removed all old xattr based (ntvfs since it was alpha versions of samba)
>> permissions. I have given the user full control of all their files and
>> directories of all the above. System has access to profile, etc.
>>
>> There is a dos readonly flag that I have tried in Linux and Windows to
>> remove, but it is there immediately after Windows reports successful
>> removal.
> We will need many more details on both issues before we can go further. 
>
> Perhaps we can start by how 'samba 20 ate my installations', and what
> exactly you did after that.
>
> Thanks,
>
> Andrew Bartlett
Samba alpha 20 ate the installation. I installed it because it was a
security release (or was that alpha 19, whichever it was). Things
stopped working (kerberos worked, the part of ldap and kerberos used in
my email worked, Linux accessing the files worked, Windows, particularly
profiles, didn't. It would ALWAYS complain that something was wrong with
the profile and use a temporary profile) and I never could get it all
working again. So, as I said mv /usr/local/samba /usr/local/samba-old
and provisioned a new setup. (It is possible that previous bugs or
upgrade provision caused the problem as I was one of the people who ran
some of the bad alphas and bad upgrade provisions.)

I then removed three machines (including the one with the administrative
tools) from the old domain and reinstalled them. I set up the software
install GPO. I believe that is working completely on those three machines.

I then set up various settings (AppData is mapped to
\\server\DOMAIN-AppData with each user creating its own directory,
profiles to \\server\DOMAIN-profiles, users' documents mapped to
\\server\DOMAIN and calling it drive M, and a few power management
settings, mapping shared data \\server\DOMAIN-data to N, nothing earth
shattering). Administrator can log in. Thunderbird and Firefox settings
appear to be accurate (nothing much gets used as Administrator so this
is all I can comment on as they are used) and working (maybe not
Firefox, I will have to look again).

Firefox doesn't work. The error is similar to (too long to write down)
"Could not initialize the application's security component. The most
likely cause is problems with files in your application's profile
directory. Please check that this directory has no read/write
restrictions and your hard disk is not full or close to full. It is
recommended that you exit the application and fix the problem. If you
continue to use this session, you might see incorrect application
behaviour when accessing security features."/ Which I have seen in Linux
when the profile is write protected or symlinks are not creatable (I
tried using S4 as a cifs server early on and would see this because
symlinks couldn't be created). I am assuming this is because, as I have
stated, all these directories are marked as read only in Windows no
matter what I do (as administrator or as root) to remove such conditions.

No other user can log in. The error is: "The group policy client service
failed the logon. Access is denied." I have tried to analyze the event
viewer output from the logon attempts, but I don't really see anything.

So to recap, all the domain setup is clean and new. The user directories
(appdata, profiles, home directories, etc.) are the only old part of the
setup. I have attempted to change the owner, which appears to have been successful;
I have granted full permission to owner on them all. SYSTEM should have
access sufficient for each directory. There is an odd read only dos flag
shown in Windows on all files/directories in the user data. I cannot
remove it. I believe it is causing the Firefox and logon errors.

Thanks for any help,
Trever
-- 
"No country upon earth ever had it more in its power to attain these
blessings than United America. Wondrously strange, then, and much to be
regretted indeed would it be, were we to neglect the means and to depart
from the road which Providence has pointed us to so plainly." -- George
Washington
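As an added example (not from this thread and not Samba's own code), one way to audit a provisioned domain for the missing-userPrincipalName issue raised above: parse an ldbsearch-style LDIF dump and emit the LDIF that would add the implicit USER@realm value the KDC already assumes. The realm, DNs and records are constructed; base64 (`::`) attribute values are not handled.

```python
# Added example (not Samba's code): find user accounts without a
# userPrincipalName in an ldbsearch-style LDIF dump and build the LDIF
# that adds USER@REALM. Realm and records below are constructed.
REALM = "samdom.example.com"

SAMPLE_LDIF = """\
# record 1
dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: Administrator

# record 2
dn: CN=Trever Adams,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: trever
userPrincipalName: trever@samdom.example.com

# record 3
dn: CN=WS01,CN=Computers,DC=samdom,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: WS01$
"""

def parse_ldif(text):
    """Split LDIF into records ({attr: [values]}); '#' lines are comments."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line terminates the record
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.strip())
    if current:
        records.append(current)
    return records

def missing_upn(records):
    """(dn, sAMAccountName) of user objects with no UPN; computer ($) accounts skipped."""
    return [(r["dn"][0], r["sAMAccountName"][0]) for r in records
            if "user" in r.get("objectClass", [])
            and not r["sAMAccountName"][0].endswith("$")
            and not r.get("userPrincipalName")]

def fix_ldif(records, realm=REALM):
    """LDIF modify entries adding the missing UPNs (review before feeding to ldbmodify)."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: userPrincipalName\n"
                     f"userPrincipalName: {sam.lower()}@{realm}\n"
                     for dn, sam in missing_upn(records))
```

On a live domain the input would come from `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' dn sAMAccountName objectClass userPrincipalName`, and the output is applied with `ldbmodify` only after inspection.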