[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )

L.P.H. van Belle belle at bazuin.nl
Thu Jun 4 08:42:33 MDT 2015


Hello Mario.. 

First, SerNet has a Samba 4.2.2 release.

I suspect these settings are for the RDP.

>        server services = -winbindd +winbind
>        auth methods = winbind, sam

But if you use it like above, remove the auth methods line.

Samba 4.2 with 4.1 winbind behavior, and a working RDP:
+        server services = -winbindd +winbind ( and the defaults, see below ) 

Samba 4.2 winbindd with winbind like member server behavior, and a working RDP:
         server services = -dns ( and the defaults, see below ) 
+        auth methods = winbind, sam

this is against the defaults of samba. 

samba-tool testparm -vv | grep "server services" 
( the default of my samba 4.2 installation, with bind9 ) 
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate


Greetz, 

Louis
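
Added example, not part of the original message and not Samba code: a small audit that reads the [global] section of an smb.conf, applies `+`/`-` entries in `server services` to the default list quoted above, and reports the two overrides this thread discusses. The baseline list is the testparm output from this message, the handling of mixed prefixed and plain entries is an assumption, and the function names and the sample configuration are constructed for illustration.

```python
import re

# Baseline copied from the testparm output quoted in the message
# (a Samba 4.2 DC using bind9); other builds may report a different list.
BASELINE_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                     "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate"]

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def effective_services(value, baseline=BASELINE_SERVICES):
    """Apply a 'server services' value to the baseline list."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if not tokens:
        return list(baseline)
    # Assumption: a value with any unprefixed entry replaces the defaults.
    if not all(t[0] in "+-" for t in tokens):
        return tokens
    services = list(baseline)
    for t in tokens:
        name = t[1:]
        if t[0] == "-" and name in services:
            services.remove(name)
        elif t[0] == "+" and name not in services:
            services.append(name)
    return services

def audit(conf_text):
    """List deviations from the defaults discussed in the thread."""
    g = parse_global(conf_text)
    findings = []
    services = effective_services(g.get("server services", ""))
    if set(services) != set(BASELINE_SERVICES):
        findings.append("server services overridden: " + ", ".join(services))
    if "auth methods" in g:
        findings.append("auth methods set: " + g["auth methods"])
    return findings

# Constructed sample based on the [global] section posted in the thread.
SAMPLE = """
[global]
    server role = active directory domain controller
    server services = -winbindd +winbind
    auth methods = winbind, sam
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
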


>-----Original message-----
>From: mariopiorusso at ie.ibm.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>Sent: Thursday 4 June 2015 15:58
>To: samba
>Subject: Re: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop
>anymore ( bug11061 )
>
>guys sorry to take this thread onboard once more, but I still can't get
>this sorted.
>
>I have compiled the latest tarball from samba, 4.2.2. Compilation works
>fine and after that I am able to upgrade from samba 3 with the following
>command:
>
>samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/
>--use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee
>upgrade.log
>
>the upgrade works fine as far as I can see, samba starts and I am able to
>RDP using my domain admin rights. however I am not able to RDP using any
>other user.
>
>the error I get is:
>
>"The connection is denied because the user account is not authorized for
>remote login"
>
>however the user I am testing is a member of the BUILTIN/REMOTE DESKTOP USERS
>
>dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan
>cn: mariopio
>instanceType: 4
>whenCreated: 20150604120049.0Z
>whenChanged: 20150604120049.0Z
>uSNCreated: 6165
>name: mariopio
>objectGUID:: cBOr+Abs90yYT6r612524Q==
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogon: 0
>primaryGroupID: 513
>objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA==
>logonCount: 0
>sAMAccountName: mariopio
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
>pwdLastSet: 130746879650000000
>displayName: Mario Pio Russo/Ireland/IBM
>scriptPath: logon.bat
>accountExpires: 137919572470000000
>lastLogoff: 137919572470000000
>logonHours:: ////////////////////////////
>userAccountControl: 512
>description: mariopiorusso at ie.ibm.com
>uidNumber: 3638
>objectClass: top
>objectClass: posixAccount
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>unixHomeDirectory: /home/mariopio
>loginShell: /bin/bash
>gidNumber: 513
>msSFU30NisDomain: ccdc
>uSNChanged: 6169
>memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
>memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan
>distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan
>
>This is my smb.conf
>
> cat /etc/samba/smb.conf
># Global parameters
>[global]
>        workgroup = CCDC
>        realm = ccdc.lan
>        netbios name = CCDC-SAMBA4
>        server role = active directory domain controller
>        server services = -winbindd +winbind
>        auth methods = winbind, sam
>        idmap_ldb:use rfc2307 = yes
>        dns forwarder = 9.0.138.50
>        idmap config CCDC:backend = ad
>        idmap config CCDC:schema_mode = rfc2307
>        idmap config CCDC:range = 10000-40000
>
>        # Store UIDs/GIDs for all other domains (including local
>        # accounts/groups of this server) in a tdb file
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
>
>        # Use home directory and shell information from AD
>        winbind nss info = rfc2307
>
>[netlogon]
>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>        read only = No
>
>[sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
>
>
>
>any suggestion?
>
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & 
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland 
>with number
>92815. Registered Office: IBM House, Shelbourne Road, 
>Ballsbridge, Dublin 4
>
>
>
>
>From:	"L.P.H. van Belle" <belle at bazuin.nl>
>To:	Mario Pio Russo/Ireland/IBM at IBMIE
>Date:	01/05/2015 16:00
>Subject:	RE: [Samba] After the classicupgrade from samba3 to
>            sernet-samba-4.2.1 , users are not able to remote desktop
>            anymore ( bug11061 )
>
>
>
>yes, you did hit that bug, like lots of us..
>
>4.1.x was ok yes.
>
>you can also try this one. ( remove the others ) for the 4.2.1 samba
>server services = -winbindd +winbind
>
>and use the old winbind behavior.
>
>and you should get my scripts, change it for ubuntu. ( mail me the
>changes ;-)  )
>and you have a clean and quick setup.
>
>look here.
>https://secure.bazuin.nl/scripts/
>read the 0-README-FIRST.TXT file
>
>I think most will work for ubuntu.
>Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh
>
>Have a nice weekend..
>
>Greetz,
>
>Louis
>
>
>
>>-----Original message-----
>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Sent: Friday 1 May 2015 16:49
>>To: L.P.H. van Belle
>>CC: samba at lists.samba.org
>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>sernet-samba-4.2.1 , users are not able to remote desktop
>>anymore ( bug11061 )
>>
>>yeah I'm confused too. I think AD is the backend to be honest. that
>>parameter was automatically added to the smb.conf when running the
>>classicupgrade. nothing else has been populated.
>>
>>I can def try to give it a go with the parameters set on the link you sent
>>me.
>>
>>It's a strange behaviour tho, I am still unsure if I have run in bug
>>https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>>or I am still a step behind that bug. nevertheless, with the native 4.1.6
>>all was working fine
>>
>>
>>
>>From:    "L.P.H. van Belle" <belle at bazuin.nl>
>>To:      Mario Pio Russo/Ireland/IBM at IBMIE
>>Cc:      "samba at lists.samba.org" <samba at lists.samba.org>
>>Date:    01/05/2015 14:50
>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>            sernet-samba-4.2.1 , users are not able to remote desktop
>>            anymore ( bug11061 )
>>
>>
>>
>>while I'm reading..
>>
>>I'm seeing :
>>getfacl: Removing leading '/' from absolute path names
>># file: var/lib/samba/sysvol
>># owner: root
>># group: 544
>>
>>
>>you're using :
>>idmap_ldb:use rfc2307 = yes
>>but I don't see a complete smb.conf for a rfc2307 setup.
>>
>>please also read : https://wiki.samba.org/index.php/RFC2307_backend
>>
>>so I'm puzzled what your backend is set to (AD or RID) and what the ranges
>>are.
>>
>>
>>
>>Greetz,
>>
>>louis
>>
>>>-----Original message-----
>>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>Sent: Friday 1 May 2015 15:35
>>>To: L.P.H. van Belle
>>>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>>>Subject: Re: [Samba] After the classicupgrade from samba3
>>>to sernet-samba-4.2.1 , users are not able to remote desktop
>>>anymore ( bug11061 )
>>>
>>>ok this is my smb.conf file now
>>>
>>>
>>># Global parameters
>>>[global]
>>>        workgroup = CCDC
>>>        realm = CCDC.LAN
>>>        netbios name = CCDC-SAMBA4
>>>        server role = active directory domain controller
>>>        idmap_ldb:use rfc2307 = yes
>>>        dns forwarder = 9.0.138.50
>>>        ##For debugging
>>>        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>>>netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>>>browser, eventlog6,
>>>backupkey, dnsserver, remote, winreg, srvsvc
>>>        auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>>[netlogon]
>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>        read only = No
>>>
>>>[sysvol]
>>>        path = /var/lib/samba/sysvol
>>>        read only = No
>>>
>>>
>>>still same error on the windows machine
>>>
>>>It looks like that the GPO are now applied when we do not define the
>>>directive
>>>
>>>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>>
>>>let me know if you need any other debugging info, I'm happy to
>>>help (and get this sorted :D)
>>>
>>>thanks
>>>
>>>
>>>
>>>
>>>From:    "L.P.H. van Belle" <belle at bazuin.nl>
>>>To:      "samba at lists.samba.org" <samba at lists.samba.org>
>>>Cc:      Mario Pio Russo/Ireland/IBM at IBMIE
>>>Date:    01/05/2015 14:24
>>>Subject: Re: [Samba] After the classicupgrade from samba3
>>>            to sernet-samba-4.2.1 , users are not able to remote desktop
>>>            anymore ( bug11061 )
>>>Sent by: samba-bounces at lists.samba.org
>>>
>>>
>>>
>>>Hello Mario ,
>>>
>>>what if you try these :
>>>
>>>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
>>>lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>>>eventlog6, backupkey,
>>>dnsserver, remote, winreg, srvsvc
>>>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>>!! these are only for helping in debugging and should not be used in
>>>production.
>>>!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>>>(solved)
>>>!! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>>>
>>>so if you want to help debug, that would be nice. see
>>>bug-id in subject.
>>>
>>>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>>auth methods = sam, winbind is sufficient to login with rdp.
>>>so if we can find what we need to get GPO working also, that
>>>might help the developers.
>>>
>>>I'll set some GPOs in my test and try again also.
>>>
>>>
>>>Greetz,
>>>
>>>Louis
>>>
>>>
>>>>-----Original message-----
>>>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>>Sent: Friday 1 May 2015 15:08
>>>>To: L.P.H. van Belle
>>>>CC: samba at lists.samba.org
>>>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>>Thanks Luis
>>>>
>>>>I've changed the smb.conf as you said, now it looks like this:
>>>>
>>>>
>>>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>>># Global parameters
>>>>[global]
>>>>        workgroup = CCDC
>>>>        realm = CCDC.LAN
>>>>        netbios name = CCDC-SAMBA4
>>>>        server role = active directory domain controller
>>>>        idmap_ldb:use rfc2307 = yes
>>>>        dns forwarder = 9.0.138.50
>>>>        auth methods = sam, winbind
>>>>
>>>>[netlogon]
>>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>        read only = No
>>>>
>>>>[sysvol]
>>>>        path = /var/lib/samba/sysvol
>>>>        read only = No
>>>>root at ccdc-samba4:~#
>>>>
>>>>
>>>>however from the windows machine when I try to update the
>>>>group policies, I am now getting these errors:
>>>>
>>>>
>>>>
>>>>Microsoft Windows [Version 6.1.7601]
>>>>Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>>>
>>>>C:\Users\Administrator.CCDC>gpupdate /force
>>>>Updating Policy...
>>>>
>>>>User policy could not be updated successfully. The following errors were encountered:
>>>>
>>>>The processing of Group Policy failed. Windows attempted to read the file
>>>>\\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>>>>from a domain controller and was not successful. Group Policy settings may not
>>>>be applied until this event is resolved. This issue may be transient and could
>>>>be caused by one or more of the following:
>>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>>b) File Replication Service Latency (a file created on another domain controller
>>>> has not replicated to the current domain controller).
>>>>c) The Distributed File System (DFS) client has been disabled.
>>>>Computer policy could not be updated successfully. The following errors were encountered:
>>>>
>>>>The processing of Group Policy failed. Windows attempted to read the file
>>>>\\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>>>>from a domain controller and was not successful. Group Policy settings may not
>>>>be applied until this event is resolved. This issue may be transient and could
>>>>be caused by one or more of the following:
>>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>>b) File Replication Service Latency (a file created on another domain controller
>>>> has not replicated to the current domain controller).
>>>>c) The Distributed File System (DFS) client has been disabled.
>>>>
>>>>To diagnose the failure, review the event log or run GPRESULT /H GPReport.html
>>>>from the command line to access information about Group Policy results.
>>>>
>>>>C:\Users\Administrator.CCDC>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>I'm still unable to login with normal users via RDP
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>From:    "L.P.H. van Belle" <belle at bazuin.nl>
>>>>To:      "samba at lists.samba.org" <samba at lists.samba.org>
>>>>Cc:      Mario Pio Russo/Ireland/IBM at IBMIE
>>>>Date:    01/05/2015 13:55
>>>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>>            sernet-samba-4.2.1 , users are not able to remote desktop
>>>>            anymore
>>>>
>>>>
>>>>
>>>>correct.
>>>>
>>>>bug still exists, just tested also on latest git master.
>>>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>>
>>>>
>>>>temp solution.
>>>>
>>>>try adding :
>>>>auth methods = sam, winbind
>>>>to smb.conf on the dc and restart the DC.
>>>>
>>>>
>>>>Greetz,
>>>>
>>>>Louis
>>>>
>>>>
>>>>>-----Original message-----
>>>>>From: mariopiorusso at ie.ibm.com
>>>>>[mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>>Sent: Friday 1 May 2015 14:51
>>>>>To: samba at lists.samba.org
>>>>>Subject: [Samba] After the classicupgrade from samba3 to
>>>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>
>>>>>
>>>>>Good Day All
>>>>>
>>>>>I have a current working configuration of sernet-samba-4.2.1, created by
>>>>>upgrading from a samba3 PDC using the classic upgrade.
>>>>>
>>>>>Now, I have added a windows 2008 machine to the domain and I'm using the AD
>>>>>snap in tools in order to browse the domain.
>>>>>
>>>>>I can see all the users and groups and they have been imported correctly.
>>>>>However I am able to remote desktop to the domain machines only with the
>>>>>user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>>>Furthermore I am able to add machines to the domain only from the user
>>>>>Administrator, and not from any other user. I have been using the Group
>>>>>Policy Manager from the windows administrative tools in order to grant logon
>>>>>rights to all the users belonging to the Domain User group; furthermore I
>>>>>have added the users to the group Remote Desktop users, but still I have no
>>>>>success at all. at the moment the group policies look like this:
>>>>>
>>>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>>>GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>display name : Default Domain Policy
>>>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>version      : 3
>>>>>flags        : NONE
>>>>>
>>>>>GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>display name : Default Domain Controllers Policy
>>>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>version      : 7
>>>>>flags        : NONE
>>>>>
>>>>>
>>>>>while from the GPM looks like this:
>>>>>
>>>>>(Embedded image moved to file: pic08924.gif)
>>>>>
>>>>>
>>>>>
>>>>>I have also run gpupdate /force from the windows machine and if I do
>>>>>samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
>>>>>done from the windows snap in
>>>>>
>>>>>
>>>>>I am unsure now where the problem lies, are the GPO I have modified being
>>>>>applied correctly on samba 4 OR is the GPO itself that is not configured
>>>>>correctly in order to allow RDP (and add machine to domain)? Or any other
>>>>>issue?
>>>>>
>>>>>Note that all this was working correctly when I did the same test upgrade
>>>>>from samba 3 to samba 4.1.6
>>>>>
>>>>>also I am able to login to every machine in the domain using my domain user
>>>>>when logging in locally.
>>>>>
>>>>>Any idea / suggestion?
>>>>>
>>>>>
>>>>>thanks!
>>>>>