[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )

Mario Pio Russo mariopiorusso at ie.ibm.com
Thu Jun 4 07:57:56 MDT 2015


guys sorry to take this thread onboard once more, but I still can't get
this sorted.

I have compiled the latest tarball from samba, 4.2.2 . compilation works
fine and after that I am able to upgrade from samba 3 with the following
command:

samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ \
    --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee upgrade.log

the upgrade works fine as far as I can see, samba starts and I am able to
RDP using my domain admin rights. however I am not able to RDP using any
other user.

the error i get is:

"The connection is denied because the user account is not authorized for
remote login"

however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS

dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan
cn: mariopio
instanceType: 4
whenCreated: 20150604120049.0Z
whenChanged: 20150604120049.0Z
uSNCreated: 6165
name: mariopio
objectGUID:: cBOr+Abs90yYT6r612524Q==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA==
logonCount: 0
sAMAccountName: mariopio
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
pwdLastSet: 130746879650000000
displayName: Mario Pio Russo/Ireland/IBM
scriptPath: logon.bat
accountExpires: 137919572470000000
lastLogoff: 137919572470000000
logonHours:: ////////////////////////////
userAccountControl: 512
description: mariopiorusso at ie.ibm.com
uidNumber: 3638
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/mariopio
loginShell: /bin/bash
gidNumber: 513
msSFU30NisDomain: ccdc
uSNChanged: 6169
memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan
distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan

This is my smb.conf

 cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = CCDC
        realm = ccdc.lan
        netbios name = CCDC-SAMBA4
        server role = active directory domain controller
        server services = -winbindd +winbind
        auth methods = winbind, sam
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 9.0.138.50
        idmap config CCDC:backend = ad
        idmap config CCDC:schema_mode = rfc2307
        idmap config CCDC:range = 10000-40000

        # Store UIDs/GIDs for all other domains (including local
        # accounts/groups of this server) in a tdb file
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No



any suggestion?

___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4




From:	"L.P.H. van Belle" <belle at bazuin.nl>
To:	Mario Pio Russo/Ireland/IBM at IBMIE
Date:	01/05/2015 16:00
Subject:	RE: [Samba] After the classicupgrade from samba3 to
            sernet-samba-4.2.1 , users are not able to remote desktop
            anymore ( bug11061 )



yes, you did hit that bug, like lots of us..

4.1.x was ok yes.

you can also try this one. ( remove the others ) for the 4.2.1 samba
server services = -winbindd +winbind

and use the old winbind behavior.

and you should get my scripts, change it for ubuntu. ( mail me the
changes ;-)  )
and you have a clean and quick setup.

look here.
https://secure.bazuin.nl/scripts/
read the 0-README-FIRST.TXT file

I think most will work for ubuntu.
Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh

Have a nice weekend..

Greetz,

Louis



>-----Original message-----
>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>Sent: Friday 1 May 2015 16:49
>To: L.P.H. van Belle
>CC: samba at lists.samba.org
>Subject: RE: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop
>anymore ( bug11061 )
>
>yeah I'm confused too. I think AD is the backend to be honest. that
>parameter was automatically added to the smb.conf when running the
>classicupgrade. nothing else has been populated.
>
>I can def try to give it a go with the parameters set on the
>link you sent me.
>
>It's a strange behaviour tho, I am still unsure if I have run in bug
>https://bugzilla.samba.org/show_bug.cgi?id=11061
>
>or I am still a step behind that bug. nevertheless, with the
>native 4.1.6 all was working fine
>
>
>
>From:		 "L.P.H. van Belle" <belle at bazuin.nl>
>To:		 Mario Pio Russo/Ireland/IBM at IBMIE
>Cc:		 "samba at lists.samba.org" <samba at lists.samba.org>
>Date:		 01/05/2015 14:50
>Subject:		 RE: [Samba] After the classicupgrade from samba3 to
>            sernet-samba-4.2.1 , users are not able to remote desktop
>            anymore ( bug11061 )
>
>
>
>while im reading..
>
>im seeing :
>getfacl: Removing leading '/' from absolute path names
># file: var/lib/samba/sysvol
># owner: root
># group: 544
>
>
>you're using :
>idmap_ldb:use rfc2307 = yes
>but i dont see a complete smb.conf for a rfc2307 setup.
>
>please also read : https://wiki.samba.org/index.php/RFC2307_backend
>
>so I'm puzzled what your backend is set to (AD or RID) and what
>the ranges are.
>
>
>
>Greetz,
>
>louis
>
>>-----Original message-----
>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Sent: Friday 1 May 2015 15:35
>>To: L.P.H. van Belle
>>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>>Subject: Re: [Samba] After the classicupgrade from samba3
>>to sernet-samba-4.2.1 , users are not able to remote desktop
>>anymore ( bug11061 )
>>
>>ok this is my smb.conf file now
>>
>>
>># Global parameters
>>[global]
>>        workgroup = CCDC
>>        realm = CCDC.LAN
>>        netbios name = CCDC-SAMBA4
>>        server role = active directory domain controller
>>        idmap_ldb:use rfc2307 = yes
>>        dns forwarder = 9.0.138.50
>>        ##For debugging
>>        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>        auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>
>>[netlogon]
>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>        read only = No
>>
>>[sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>>
>>
>>still same error on the windows machine
>>
>>It looks like that the GPO are now applied when we do not define the
>>directive
>>
>>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>
>>let me know if you need any other debugging info, I'm happy to
>>help (and get this sorted :D)
>>
>>thanks
>>
>>
>>
>>
>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>To: "samba at lists.samba.org" <samba at lists.samba.org>
>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>Date: 01/05/2015 14:24
>>Subject: Re: [Samba] After the classicupgrade from samba3 to
>>sernet-samba-4.2.1 , users are not able to remote desktop
>>anymore ( bug11061 )
>>Sent by: samba-bounces at lists.samba.org
>>
>>
>>
>>Hello Mario ,
>>
>>what if you try these :
>>
>>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>
>>!! these are only for helping in debugging and should not be used in
>>production.
>>!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>>(solved)
>>!! and especially : ma 27-4-2015 8:37 from Andrew Bartlett
>>
>>so if you want to help debug, that would be nice. see
>>bug-id in subject.
>>
>>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>auth methods = sam, winbind is sufficient to login with rdp.
>>so if we can find what we need to get GPO working also, that
>>might help the developers.
>>
>>I'll set some GPOs in my test and try again also.
>>
>>
>>Greetz,
>>
>>Louis
>>
>>
>>>-----Original message-----
>>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>Sent: Friday 1 May 2015 15:08
>>>To: L.P.H. van Belle
>>>CC: samba at lists.samba.org
>>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>
>>>Thanks Louis
>>>
>>>I've changed the smb.conf as you said, now it looks like this:
>>>
>>>
>>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>># Global parameters
>>>[global]
>>>        workgroup = CCDC
>>>        realm = CCDC.LAN
>>>        netbios name = CCDC-SAMBA4
>>>        server role = active directory domain controller
>>>        idmap_ldb:use rfc2307 = yes
>>>        dns forwarder = 9.0.138.50
>>>        auth methods = sam, winbind
>>>
>>>[netlogon]
>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>        read only = No
>>>
>>>[sysvol]
>>>        path = /var/lib/samba/sysvol
>>>        read only = No
>>>root at ccdc-samba4:~#
>>>
>>>
>>>however from the windows machine when i try to update the
>>>group policies, I am now getting these errors:
>>>
>>>
>>>
>>>Microsoft Windows [Version 6.1.7601]
>>>Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>>
>>>C:\Users\Administrator.CCDC>gpupdate /force
>>>Updating Policy...
>>>
>>>User policy could not be updated successfully. The following errors were encountered:
>>>
>>>The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>c) The Distributed File System (DFS) client has been disabled.
>>>Computer policy could not be updated successfully. The following errors were encountered:
>>>
>>>The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>c) The Distributed File System (DFS) client has been disabled.
>>>
>>>To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>>>
>>>C:\Users\Administrator.CCDC>
>>>
>>>
>>>
>>>
>>>
>>>I'm still unable to login with normal users via RDP
>>>
>>>
>>>
>>>
>>>
>>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>>Date: 01/05/2015 13:55
>>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>sernet-samba-4.2.1 , users are not able to remote desktop
>>>anymore
>>>
>>>
>>>
>>>correct.
>>>
>>>bug still exists, just tested also on latest git master.
>>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>
>>>
>>>temp solution.
>>>
>>>try adding :
>>>auth methods = sam, winbind
>>>to smb.conf on the dc and restart the DC.
>>>
>>>
>>>Greetz,
>>>
>>>Louis
>>>
>>>
>>>>-----Original message-----
>>>>From: mariopiorusso at ie.ibm.com
>>>>[mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>Sent: Friday 1 May 2015 14:51
>>>>To: samba at lists.samba.org
>>>>Subject: [Samba] After the classicupgrade from samba3 to
>>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>>
>>>>Good Day All
>>>>
>>>>I have a current working configuration of sernet-samba-4.2.1,
>>>>created by
>>>>upgrading from a samba3 PDC using the classic upgrade.
>>>>
>>>>Now, I have added a windows 2008 machine to the domain and I'm
>>>>using the AD
>>>>snap in tools in order to browse the domain.
>>>>
>>>>I can see all the users and groups and they have been imported
>>>>correctly.
>>>>However I am able to remote desktop to the domain machines
>>>>only with the
>>>>user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>>Furthermore I am able to add machines to the domain only from
>>>>the users
>>>>Administrator, and not from any other user. I have been using
>>>>the Group
>>>>Policy Manager from the Windows administrative tool in order
>>>>to grant logon
>>>>rights to all the users belonging to the Domain User group;
>>>>furthermore I
>>>>have added the users to the group Remote Desktop users, but
>>>>still I have no
>>>>success at all. at the moment the group policies looks like this:
>>>>
>>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>>GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>display name : Default Domain Policy
>>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>version      : 3
>>>>flags        : NONE
>>>>
>>>>GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>display name : Default Domain Controllers Policy
>>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>version      : 7
>>>>flags        : NONE
>>>>
>>>>
>>>>while from the GPM looks like this:
>>>>
>>>>(Embedded image moved to file: pic08924.gif)
>>>>
>>>>
>>>>
>>>>I have also run gpupdate /force from the windows machine and If I do
>>>>samba-tool gpo fetch <Domain Policy> I am able to see the
>>>>changes I have
>>>>done from the windows snap in
>>>>
>>>>
>>>>I am unsure now where the problem lies, are the GPO I have
>>>>modified being
>>>>applied correctly on samba 4 OR is the GPO itself that is not
>>>>configured
>>>>correctly in order to allow RDP (and add machine to domain)?
>>>>Or any other
>>>>issue?
>>>>
>>>>Note that all this was working correctly when I did the same
>>>>test upgrade
>>>>from samba 3 to samba 4.1.6
>>>>
>>>>also I am able to login to every machine in the domain using
>>>>my domain user
>>>>when logging in locally.
>>>>
>>>>Any idea / suggestion?
>>>>
>>>>
>>>>thanks!
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
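
Added example, not part of the original thread and not Samba project code: a small Python check that reads an smb.conf and reports the [global] parameters which the replies above describe as temporary workarounds or debugging-only settings for bug 11061. The sample configuration is abridged from the one posted in the message; the function names and the wording of the notes are this example's own.

```python
import re

# [global] parameters the thread calls temporary workarounds or debugging
# aids for bug 11061; the notes paraphrase the replies in the thread.
WORKAROUNDS = {
    "authmethods": "temporary workaround / debugging aid",
    "dcerpcendpointservers": "debugging only, not for production",
    "serverservices": "selects the old winbind behaviour",
}

def normalize(name):
    # smb.conf ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    # Returns {section: {normalized_name: (name_as_written, value)}}
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[normalize(name)] = (name.strip(), value.strip())
    return sections

def audit(text):
    # Returns (name, value, note) for each workaround setting on an AD DC
    glob = parse_smb_conf(text).get("global", {})
    role = glob.get("serverrole", ("", ""))[1].lower()
    if role != "active directory domain controller":
        return []
    return [(name, value, WORKAROUNDS[key])
            for key, (name, value) in glob.items() if key in WORKAROUNDS]

# Abridged from the smb.conf posted in the message above.
SAMPLE = """
[global]
        server role = active directory domain controller
        server services = -winbindd +winbind
        auth methods = winbind, sam
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    for name, value, note in audit(SAMPLE):
        print(f"{name} = {value}  <- {note}")
```
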



