[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )

Mario Pio Russo mariopiorusso at ie.ibm.com
Tue Jun 9 06:17:44 MDT 2015


Hey Guys!!

thank you it's working now!!!

thank you all!
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4




From: James <lingpanda101 at gmail.com>
To: Mario Pio Russo/Ireland/IBM at IBMIE, samba <samba at lists.samba.org>
Date: 04/06/2015 15:59
Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
Sent by: samba-bounces at lists.samba.org



On 6/4/2015 9:57 AM, Mario Pio Russo wrote:
> guys sorry to take this thread onboard once more, but I still can't get
> this sorted.
>
> I have compiled the latest tarball from samba, 4.2.2 . compilation works
> fine and after that I am able to upgrade from samba 3 with the following
> command:
>
> samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee upgrade.log
>
> the upgrade works fine as far as I can see, samba starts and I am able to
> RDP using my domain admin rights. however I am not able to RDP using any
> other user.
>
> the error i get is:
>
> "The connection is denied because the user account is not authorized for
> remote login"
>
> however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS
>
> dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan
> cn: mariopio
> instanceType: 4
> whenCreated: 20150604120049.0Z
> whenChanged: 20150604120049.0Z
> uSNCreated: 6165
> name: mariopio
> objectGUID:: cBOr+Abs90yYT6r612524Q==
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA==
> logonCount: 0
> sAMAccountName: mariopio
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
> pwdLastSet: 130746879650000000
> displayName: Mario Pio Russo/Ireland/IBM
> scriptPath: logon.bat
> accountExpires: 137919572470000000
> lastLogoff: 137919572470000000
> logonHours:: ////////////////////////////
> userAccountControl: 512
> description: mariopiorusso at ie.ibm.com
> uidNumber: 3638
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/mariopio
> loginShell: /bin/bash
> gidNumber: 513
> msSFU30NisDomain: ccdc
> uSNChanged: 6169
> memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
> memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan
> distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan
>
> This is my smb.conf
>
>  cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = CCDC
>         realm = ccdc.lan
>         netbios name = CCDC-SAMBA4
>         server role = active directory domain controller
>         server services = -winbindd +winbind
>         auth methods = winbind, sam
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 9.0.138.50
>         idmap config CCDC:backend = ad
>         idmap config CCDC:schema_mode = rfc2307
>         idmap config CCDC:range = 10000-40000
>
>         # Store UIDs/GIDs for all other domains (including local
>         # accounts/groups of this server) in a tdb file
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-9999
>
>         # Use home directory and shell information from AD
>         winbind nss info = rfc2307
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ccdc.lan/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
>
> any suggestion?
>
>
>
> From: "L.P.H. van Belle" <belle at bazuin.nl>
> To: Mario Pio Russo/Ireland/IBM at IBMIE
> Date: 01/05/2015 16:00
> Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>
>
>
> yes, you did hit that bug, like lots of us..
>
> 4.1.x was ok yes.
>
> you can also try this one. ( remove the others ) for the 4.2.1 samba
> server services = -winbindd +winbind
>
> and use the old winbind behaviour.
>
> and you should get my scripts, change it for ubuntu. ( mail me the
> changes ;-)  )
> and you have a clean and quick setup.
>
> look here.
> https://secure.bazuin.nl/scripts/
> read the 0-README-FIRST.TXT file
>
> I think most will work for ubuntu.
> Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh
>
> Have a nice weekend..
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>> Sent: Friday 1 May 2015 16:49
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>> sernet-samba-4.2.1 , users are not able to remote desktop
>> anymore ( bug11061 )
>>
>> yeah I'm confused too. I think AD is the backend to be honest. that
>> parameter was automatically added to the smb.conf when running the
>> classicupgrade. nothing else has been populated.
>>
>> I can def try to give it a go with the parameters set on the link you
>> sent me.
>>
>> It's a strange behaviour tho, I am still unsure if I have run in bug
>> https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>> or I am still a step behind that bug. nevertheless, with the native 4.1.6
>> all was working fine
>>
>>
>>
>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>> To: Mario Pio Russo/Ireland/IBM at IBMIE
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: 01/05/2015 14:50
>> Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>
>>
>>
>> while im reading..
>>
>> im seeing :
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol
>> # owner: root
>> # group: 544
>>
>>
>> you're using :
>> idmap_ldb:use rfc2307 = yes
>> but i dont see a complete smb.conf for a rfc2307 setup.
>>
>> please also read : https://wiki.samba.org/index.php/RFC2307_backend
>>
>> so I'm puzzled what your backend is set to (AD or RID) and what the
>> ranges are.
>>
>>
>>
>> Greetz,
>>
>> louis
>>
>>> -----Original message-----
>>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>> Sent: Friday 1 May 2015 15:35
>>> To: L.P.H. van Belle
>>> CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>>> Subject: Re: [Samba] After the classicupgrade from samba3
>>> to sernet-samba-4.2.1 , users are not able to remote desktop
>>> anymore ( bug11061 )
>>>
>>> ok this is my smb.conf file now
>>>
>>>
>>> # Global parameters
>>> [global]
>>>        workgroup = CCDC
>>>        realm = CCDC.LAN
>>>        netbios name = CCDC-SAMBA4
>>>        server role = active directory domain controller
>>>        idmap_ldb:use rfc2307 = yes
>>>        dns forwarder = 9.0.138.50
>>>        ##For debugging
>>>        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>        auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>> [netlogon]
>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>        read only = No
>>>
>>> [sysvol]
>>>        path = /var/lib/samba/sysvol
>>>        read only = No
>>>
>>>
>>> still same error on the windows machine
>>>
>>> It looks like that the GPO are now applied when we do not define the
>>> directive
>>>
>>> "auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>>
>>> let me know if you need any other debugging info, I'm happy to help
>>> (and get this sorted :D)
>>>
>>> thanks
>>>
>>>
>>>
>>>
>>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>>> Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>> Date: 01/05/2015 14:24
>>> Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>> Sent by: samba-bounces at lists.samba.org
>>>
>>>
>>>
>>> Hello Mario ,
>>>
>>> what if you try these :
>>>
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>> !! these are only for helping in debugging and should not be used in
>>> production.
>>> !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>>> (solved)
>>> !! and specially : Mon 27-4-2015 8:37 from Andrew Bartlett
>>>
>>> so if you want to help debug, that would be nice. see bug-id in subject.
>>>
>>> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>> auth methods = sam, winbind is sufficient to login with rdp.
>>> so if we can find what we need to get GPO working also, that might help
>>> the developers.
>>>
>>> I'll set some GPOs in my test and try again also.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>> Sent: Friday 1 May 2015 15:08
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>> Thanks Luis
>>>>
>>>> I've changed the smb.conf as you said, now it looks like this:
>>>>
>>>>
>>>> root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>>> # Global parameters
>>>> [global]
>>>>        workgroup = CCDC
>>>>        realm = CCDC.LAN
>>>>        netbios name = CCDC-SAMBA4
>>>>        server role = active directory domain controller
>>>>        idmap_ldb:use rfc2307 = yes
>>>>        dns forwarder = 9.0.138.50
>>>>        auth methods = sam, winbind
>>>>
>>>> [netlogon]
>>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>        read only = No
>>>>
>>>> [sysvol]
>>>>        path = /var/lib/samba/sysvol
>>>>        read only = No
>>>> root at ccdc-samba4:~#
>>>>
>>>>
>>>> however from the windows machine when i try to update the group
>>>> policies, I am now getting these errors:
>>>>
>>>>
>>>>
>>>> Microsoft Windows [Version 6.1.7601]
>>>> Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>>>
>>>> C:\Users\Administrator.CCDC>gpupdate /force
>>>> Updating Policy...
>>>>
>>>> User policy could not be updated successfully. The following errors were encountered:
>>>>
>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>> c) The Distributed File System (DFS) client has been disabled.
>>>> Computer policy could not be updated successfully. The following errors were encountered:
>>>>
>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>> c) The Distributed File System (DFS) client has been disabled.
>>>>
>>>> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>>>>
>>>> C:\Users\Administrator.CCDC>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I'm still unable to login with normal users via RDP
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>> Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>>> Date: 01/05/2015 13:55
>>>> Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>>
>>>>
>>>> correct.
>>>>
>>>> bug still exists, just tested also on latest git master.
>>>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>>
>>>>
>>>> temp solution.
>>>>
>>>> try adding :
>>>> auth methods = sam, winbind
>>>> to smb.conf on the dc and restart the DC.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: mariopiorusso at ie.ibm.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>> Sent: Friday 1 May 2015 14:51
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] After the classicupgrade from samba3 to
>>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>
>>>>>
>>>>> Good Day All
>>>>>
>>>>> I have a current working configuration of sernet-samba-4.2.1, created by
>>>>> upgrading from a samba3 PDC using the classic upgrade.
>>>>>
>>>>> Now, I have added a windows 2008 machine to the domain and I'm using the
>>>>> AD snap in tools in order to browse the domain.
>>>>>
>>>>> I can see all the users and groups and they have been imported correctly.
>>>>> However I am able to remote desktop to the domain machines only with the
>>>>> user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>>> Furthermore I am able to add machines to the domain only from the user
>>>>> Administrator, and not from any other user. I have been using the Group
>>>>> Policy Manager from the Windows administrative tool in order to grant logon
>>>>> rights to all the users belonging to the Domain User group; furthermore I
>>>>> have added the users to the group Remote Desktop users, but still I have no
>>>>> success at all. at the moment the group policies look like this:
>>>>>
>>>>> root at ccdc-samba4:/# samba-tool gpo listall
>>>>> GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> display name : Default Domain Policy
>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>> version      : 3
>>>>> flags        : NONE
>>>>>
>>>>> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>> display name : Default Domain Controllers Policy
>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>> dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>> version      : 7
>>>>> flags        : NONE
>>>>>
>>>>>
>>>>> while from the GPM looks like this:
>>>>>
>>>>> (Embedded image moved to file: pic08924.gif)
>>>>>
>>>>>
>>>>>
>>>>> I have also run gpupdate /force from the windows machine and If I do
>>>>> samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
>>>>> done from the windows snap in
>>>>>
>>>>>
>>>>> I am unsure now where the problem lies, are the GPO I have modified being
>>>>> applied correctly on samba 4 OR is the GPO itself that is not configured
>>>>> correctly in order to allow RDP (and add machine to domain)? Or any other
>>>>> issue?
>>>>>
>>>>> Note that all this was working correctly when I did the same test upgrade
>>>>> from samba 3 to samba 4.1.6
>>>>> also I am able to login to every machine in the domain using my domain user
>>>>> when logging in locally.
>>>>>
>>>>> Any idea / suggestion?
>>>>>
>>>>>
>>>>> thanks!
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
Mario,

    This guide may help you.

http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/


--
-James
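
The replies quoted above describe `auth methods` as a temporary solution, the `dcerpc endpoint servers` override as debugging-only and not for production, and `server services = -winbindd +winbind` as a return to the old winbind behaviour. The check below is an added example, not part of the thread and not Samba code: it lists such overrides left in a DC's smb.conf so they can be reviewed once bug 11061 is fixed. The names `WORKAROUNDS`, `parse_smb_conf` and `audit_smb_conf` are assumptions, and the sample is trimmed from the smb.conf quoted in the thread.

```python
import re

# Parameters the thread treats as workarounds, with the reason given there.
WORKAROUNDS = {
    "auth methods": "temporary solution for bug 11061",
    "dcerpc endpoint servers": "debugging aid, not for production",
    "server services": "switches back to the old winbind behaviour",
}

# Trimmed copy of the smb.conf quoted in the thread (4.2.2 DC).
SAMPLE_CONF = """\
# Global parameters
[global]
        workgroup = CCDC
        realm = ccdc.lan
        server role = active directory domain controller
        server services = -winbindd +winbind
        auth methods = winbind, sam
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def audit_smb_conf(text):
    """List (parameter, value, reason) for workaround overrides on an AD DC."""
    glob = parse_smb_conf(text).get("global", {})
    role = glob.get("server role", "").lower()
    if role != "active directory domain controller":
        return []  # assumption: only the DC case from the thread is in scope
    return [(k, glob[k], why) for k, why in WORKAROUNDS.items() if k in glob]


if __name__ == "__main__":
    for name, value, why in audit_smb_conf(SAMPLE_CONF):
        print(f"{name} = {value}  <- {why}")
```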
