[Samba] samba 4.2 RDP problem (extra debug info)
Achim Gottinger
achim at ag-web.biz
Thu Apr 30 09:23:19 MDT 2015
Hello Louis
On 30.04.2015 at 16:33, L.P.H. van Belle wrote:
> Hai Achim,
>
> I have tested the following:
>
> auth methods = winbind
>
> result RDP login works,
> ADUC does not work.
>
> test with :
> auth methods = winbind, sam
>
> RDP and ADUC works, DNS tools also works.
>
> logged in as DOMAIN\administrator
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: achim at ag-web.biz [mailto:samba-bounces at lists.samba.org]
>> On behalf of Achim Gottinger
>> Sent: Thursday 30 April 2015 15:52
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] samba 4.2 RDP problem (extra debug info)
>>
>> Hi Louis,
>>
>> On 30.04.2015 at 15:31, L.P.H. van Belle wrote:
>>> Hai..
>>>
>>> After a new setup I was confronted again with the unable to login with RDP.
>>> so here is some extra info for the debugging this.
>>>
>>> I used RDP to connect a Windows 7 64 bit, connected in rdp with IP address of the pc.
>>> and again unable to login.
>>>
>>> since I'm trying to setup a smb.conf with minimal changes, I only added :
>>> auth methods = sam, winbind
>>>
>>> restarted samba on both DC's
>>>
>>> and yes.. I'm able to login again, ADUC works, I can add users .. and DNS tool did also work fine.
>>> So i hope this info helps in debugging ..
>>>
>>> config file used,
>>> # Global parameters
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.TESTING
>>> netbios name = DC1
>>> server role = active directory domain controller
>>> server services = -dns
>>> auth methods = sam, winbind
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> interfaces = 127.0.0.1 192.168.0.1
>>> bind interfaces only = yes
>>> time server = yes
>>> wins support = yes
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-9999
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : schema_mode = rfc2307
>>> idmap config DOMAIN : range = 10000-3999999
>>>
>>> # Use home directory and shell information from AD
>>> winbind nss info = rfc2307
>>>
>>> winbind trusted domains only = no
>>> winbind use default domain = yes
>>> winbind expand groups = 3
>>>
>>>
>>> Greetings,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: Andrew Bartlett [mailto:abartlet at samba.org]
>>>> Sent: Monday 27 April 2015 8:37
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] samba 4.2 RDP problem (solved)
>>>>
>>>> On Wed, 2015-04-22 at 17:12 +0200, L.P.H. van Belle wrote:
>>>>> sorry for the noise..
>>>>>
>>>>> I missed the solution in my mail. just saw it online..
>>>>>
>>>>> The working version for rdp login..
>>>>> I can confirm also that after adding these to the smb.conf
>>>>>
>>>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>>>
>>>>> I was able to login with RDP also.
>>>>> sernet samba 4.2.1 - Windows 7 64bit.
>>>>>
>>>> To be VERY clear, neither of these things are solutions. They are
>>>> debugging aids, but running in either of these configurations in the
>>>> long term (I say this because in Samba, suggestions like this turn up in
>>>> google for years) will just result in pain.
>>>>
>>>> 'smb' means the NTVFS file server, and while quite capable, and still
>>>> tested, it hasn't been worked on in years, and has no support for things
>>>> like POSIX ACLS, SMB3, VFS modules and unix extensions.
>>>>
>>>> the changes to 'auth methods' makes the server behave in a weird
>>>> combination of an NT4 DC and an AD DC.
>>>>
>>>> That said, I find it most intriguing that these help, and that
>>>> information has been recorded on the bug, and will assist those who made
>>>> the change between 4.1 and 4.2.
>>>>
>>>> Andrew Bartlett
>>>>
>>>> --
>>>> Andrew Bartlett http://samba.org/~abartlet/
>>>> Authentication Developer, Samba Team http://samba.org
>>>> Samba Developer, Catalyst IT
>>>> http://catalyst.net.nz/services/samba
>>>>
>>>>
>>>>
>> Looking at the smb.conf manpage the winbind method is preferred in most
>> cases. Also I read the manual as the entries are tried in the order used
>> in smb.conf. Can you test if it also works with "auth methods = winbind
>> sam", seems to me to be an even less intrusive modification. :-)
>>
>> achim~
>>
>>
Thank you for testing. The result leaves me confused. Seems like "auth
method=sam" is the default (on AD DC's) and the man page talks about a
member server case where winbind is the preferred method. Too much
guessing right now. :-)
Achim~