[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore

Daniel Carrasco Marín danielmadrid19 at gmail.com
Fri May 1 07:29:42 MDT 2015


2015-05-01 15:08 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>:

> Thanks Luis
>
> I've changed the smb.conf as you said, now it looks like this:
>
>
> root at ccdc-samba4:~# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>         workgroup = CCDC
>         realm = CCDC.LAN
>         netbios name = CCDC-SAMBA4
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 9.0.138.50
>         auth methods = sam, winbind
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ccdc.lan/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> root at ccdc-samba4:~#
>
>
> However, from the Windows machine, when I try to update the group policies, I
> am now getting these errors:
>
>
>
> Microsoft Windows [Version 6.1.7601]
> Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>
> C:\Users\Administrator.CCDC>gpupdate /force
> Updating Policy...
>
> User policy could not be updated successfully. The following errors were encountered:
>
> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
> Computer policy could not be updated successfully. The following errors were encountered:
>
> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled.
>
> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>
> C:\Users\Administrator.CCDC>
>
>
>
>
>
> I'm still unable to login with normal users via RDP
>
>
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
>
>
>
> From:   "L.P.H. van Belle" <belle at bazuin.nl>
> To:     "samba at lists.samba.org" <samba at lists.samba.org>
> Cc:     Mario Pio Russo/Ireland/IBM at IBMIE
> Date:   01/05/2015 13:55
> Subject:        RE: [Samba] After the classicupgrade from samba3 to
>             sernet-samba-4.2.1 , users are not able to remote desktop
>             anymore
>
>
>
> correct.
>
> bug still exists, just tested also on latest git master.
> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>
>
> temp solution.
>
> try adding :
> auth methods = sam, winbind
> to smb.conf on the dc and restart the DC.
>
>
> Greetz,
>
> Louis
>
>
> >-----Original message-----
> >From: mariopiorusso at ie.ibm.com
> >[mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
> >Sent: Friday 1 May 2015 14:51
> >To: samba at lists.samba.org
> >Subject: [Samba] After the classicupgrade from samba3 to
> >sernet-samba-4.2.1 , users are not able to remote desktop anymore
> >
> >
> >Good Day All
> >
> >I have a current working configuration of sernet-samba-4.2.1,
> >created by
> >upgrading from a samba3 PDC using the classic upgrade.
> >
> >Now, I have added a windows 2008 machine to the domain and I'm
> >using the AD
> >snap in tools in order to browse the domain.
> >
> >I can see all the users and groups and they have been imported
> >correctly.
> >However I am able to remote desktop to the domain machines only with the
> >user "Administrator at ccdc.lan"; no other user is able to RDP.
> >Furthermore I am able to add machines to the domain only from the user
> >Administrator, and not from any other user. I have been using the Group
> >Policy Manager from the Windows administrative tool in order to grant logon
> >rights to all the users belonging to the Domain User group; furthermore I
> >have added the users to the group Remote Desktop users, but still I have no
> >success at all. At the moment the group policies look like this:
> >
> >root at ccdc-samba4:/# samba-tool gpo listall
> >GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
> >display name : Default Domain Policy
> >path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
> >dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
> >version      : 3
> >flags        : NONE
> >
> >GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
> >display name : Default Domain Controllers Policy
> >path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
> >version      : 7
> >flags        : NONE
> >
> >
> >while from the GPM looks like this:
> >
> >(Embedded image moved to file: pic08924.gif)
> >
> >
> >
> >I have also run gpupdate /force from the Windows machine, and if I do
> >samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
> >made from the Windows snap-in.
> >
> >
> >I am unsure now where the problem lies: are the GPOs I have modified being
> >applied correctly on Samba 4, or is it the GPO itself that is not configured
> >correctly in order to allow RDP (and add machine to domain)? Or any other
> >issue?
> >
> >Note that all this was working correctly when I did the same
> >test upgrade
> >from samba 3 to samba 4.1.6
> >
> >also I am able to login to every machine in the domain using
> >my domain user
> >when logging in locally.
> >
> >Any idea / suggestion?
> >
> >
> >thanks!
> >
> >_______________________________________________________________
> >____________________________
> >
> >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
> >FAX: +353 1
> >815 2236, eMail: mariopiorusso at ie.ibm.com
> >IBM Ireland Product Distribution Limited registered in Ireland
> >with number
> >92815. Registered Office: IBM House, Shelbourne Road,
> >Ballsbridge, Dublin 4
> >
> >
>
>



What is the output of "getfacl /var/lib/samba/sysvol"?
mine is:
# file: sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Greetings!!
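
Added example (not part of the original message and not Samba code): a small Python helper that parses two getfacl dumps of the sysvol directory and lists every entry that differs, using the ACL quoted above as the reference. OBSERVED is a constructed sample and the function names are hypothetical; the numeric group IDs (3000000 and up) may map to different accounts on another DC, so a difference in number alone is not necessarily a fault.

```python
# REFERENCE: getfacl output quoted in the message above. OBSERVED: constructed sample.
REFERENCE = """\
# file: sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
"""
OBSERVED = REFERENCE.replace("# group: 3000000", "# group: root").replace(
    "\ngroup:3000003:r-x", "", 1)  # owning group changed, one access entry missing

def parse_getfacl(text):
    """Map (scope, tag, qualifier) -> perms; '# owner:'/'# group:' use scope 'header'."""
    acl = {}
    for raw in text.splitlines():
        head, _, rest = raw.strip().partition("#")
        if not head and rest:                      # header comment line
            key, _, value = rest.partition(":")
            if key.strip() in ("owner", "group"):
                acl[("header", key.strip(), "")] = value.strip()
        elif head.strip():                         # entry, "#effective:" note dropped
            fields = head.strip().split(":")
            scope = "default" if fields[0] == "default" else "access"
            fields = fields[1:] if scope == "default" else fields
            if len(fields) != 3:
                raise ValueError(f"unparseable ACL line: {raw!r}")
            acl[(scope, fields[0], fields[1])] = fields[2]
    return acl

def diff_acl(reference, observed):
    """Return [(key, reference_value, observed_value)] for every differing entry."""
    ref, obs = parse_getfacl(reference), parse_getfacl(observed)
    return [(k, ref.get(k), obs.get(k))
            for k in sorted(set(ref) | set(obs)) if ref.get(k) != obs.get(k)]
```

To use it on a real system, save the output of "getfacl /var/lib/samba/sysvol" to a file and pass its contents as the second argument to diff_acl.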

