[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )

L.P.H. van Belle belle at bazuin.nl
Fri May 1 07:40:15 MDT 2015


Great if you would help also in debugging this.
and just a notice..
You do know that .lan is reserved by Apple's mDNS. (zeroconf)

---------------------------------------------------
( copy of Andrew's text.. )

Please re-try with git master, as I understand patches to fix this have
been committed.

If that doesn't help, can you get a level 10 debug with this, and with
the default configuration, and put it on bug
https://bugzilla.samba.org/show_bug.cgi?id=11061

I need specifically the time that the hang happens. 

As a developer I still don't see how this area of code changes with a
change to the auth methods, so I'm most curious but even more so, most
puzzled .

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


---------------------------------------------------



>-----Original message-----
>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>Sent: Friday 1 May 2015 15:35
>To: L.P.H. van Belle
>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>Subject: Re: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop
>anymore ( bug11061 )
>
>ok this is my smb.conf file now
>
>
># Global parameters
>[global]
>        workgroup = CCDC
>        realm = CCDC.LAN
>        netbios name = CCDC-SAMBA4
>        server role = active directory domain controller
>        idmap_ldb:use rfc2307 = yes
>        dns forwarder = 9.0.138.50
>        ##For debugging
>        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>        auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
>[netlogon]
>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>        read only = No
>
>[sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
>
>
>still same error on the windows machine
>
>It looks like that the GPO are now applied when we do not define the
>directive
>
>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>
>let me know if you need any other debugging info, I'm happy to
>help (and get this sorted :D)
>
>thanks
>
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & 
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland 
>with number
>92815. Registered Office: IBM House, Shelbourne Road, 
>Ballsbridge, Dublin 4
>
>
>
>
>From: "L.P.H. van Belle" <belle at bazuin.nl>
>To: "samba at lists.samba.org" <samba at lists.samba.org>
>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>Date: 01/05/2015 14:24
>Subject: Re: [Samba] After the classicupgrade from samba3
>         to sernet-samba-4.2.1 , users are not able to remote desktop
>         anymore ( bug11061 )
>Sent by: samba-bounces at lists.samba.org
>
>
>
>Hello Mario ,
>
>what if you try these :
>
>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
>!! these are only for helping in debugging and should not be used in
>production.
>!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>(solved)
>!! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>
>so if you want to help debugging, that would be nice. see
>bug-id in subject.
>
>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>auth methods = sam, winbind is sufficient to login with rdp.
>so if we can find what we need to get GPO working also, that
>might help the developers.
>
>I'll set some GPOs in my test and try again also.
>
>
>Greetz,
>
>Louis
>
>
>>-----Original message-----
>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Sent: Friday 1 May 2015 15:08
>>To: L.P.H. van Belle
>>CC: samba at lists.samba.org
>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>
>>Thanks Luis
>>
>>I've changed the smb.conf as you said, now it looks like this:
>>
>>
>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>># Global parameters
>>[global]
>>        workgroup = CCDC
>>        realm = CCDC.LAN
>>        netbios name = CCDC-SAMBA4
>>        server role = active directory domain controller
>>        idmap_ldb:use rfc2307 = yes
>>        dns forwarder = 9.0.138.50
>>        auth methods = sam, winbind
>>
>>[netlogon]
>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>        read only = No
>>
>>[sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>>root at ccdc-samba4:~#
>>
>>
>>however from the windows machine when I try to update the
>>group policies, I am now getting these errors:
>>
>>
>>
>>Microsoft Windows [Version 6.1.7601]
>>Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>
>>C:\Users\Administrator.CCDC>gpupdate /force
>>Updating Policy...
>>
>>User policy could not be updated successfully. The following errors were
>>encountered:
>>
>>The processing of Group Policy failed. Windows attempted to read the file
>>\\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>>from a domain controller and was not successful. Group Policy settings may
>>not be applied until this event is resolved. This issue may be transient and
>>could be caused by one or more of the following:
>>a) Name Resolution/Network Connectivity to the current domain controller.
>>b) File Replication Service Latency (a file created on another domain
>>controller has not replicated to the current domain controller).
>>c) The Distributed File System (DFS) client has been disabled.
>>Computer policy could not be updated successfully. The following errors were
>>encountered:
>>
>>The processing of Group Policy failed. Windows attempted to read the file
>>\\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>>from a domain controller and was not successful. Group Policy settings may
>>not be applied until this event is resolved. This issue may be transient and
>>could be caused by one or more of the following:
>>a) Name Resolution/Network Connectivity to the current domain controller.
>>b) File Replication Service Latency (a file created on another domain
>>controller has not replicated to the current domain controller).
>>c) The Distributed File System (DFS) client has been disabled.
>>
>>To diagnose the failure, review the event log or run GPRESULT /H
>>GPReport.html from the command line to access information about Group Policy
>>results.
>>
>>C:\Users\Administrator.CCDC>
>>
>>
>>
>>
>>
>>I'm still unable to login with normal users via RDP
>>
>>
>>_______________________________________________________________
>>____________________________
>>
>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>FAX: +353 1
>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>IBM Ireland Product Distribution Limited registered in Ireland
>>with number
>>92815. Registered Office: IBM House, Shelbourne Road,
>>Ballsbridge, Dublin 4
>>
>>
>>
>>
>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>To: "samba at lists.samba.org" <samba at lists.samba.org>
>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>Date: 01/05/2015 13:55
>>Subject: RE: [Samba] After the classicupgrade from samba3 to
>>         sernet-samba-4.2.1 , users are not able to remote desktop
>>         anymore
>>
>>
>>
>>correct.
>>
>>bug still exists, just tested also on latest git master.
>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>>
>>temp solution.
>>
>>try adding :
>>auth methods = sam, winbind
>>to smb.conf on the dc and restart the DC.
>>
>>
>>Greetz,
>>
>>Louis
>>
>>
>>>-----Original message-----
>>>From: mariopiorusso at ie.ibm.com
>>>[mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>Sent: Friday 1 May 2015 14:51
>>>To: samba at lists.samba.org
>>>Subject: [Samba] After the classicupgrade from samba3 to
>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>
>>>
>>>Good Day All
>>>
>>>I have a current working configuration of sernet-samba-4.2.1, created by
>>>upgrading from a samba3 PDC using the classic upgrade.
>>>
>>>Now, I have added a windows 2008 machine to the domain and I'm using the AD
>>>snap in tools in order to browse the domain.
>>>
>>>I can see all the users and groups and they have been imported correctly.
>>>However I am able to remote desktop to the domain machines only with the
>>>user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>Furthermore I am able to add machines to the domain only from the user
>>>Administrator, and not from any other user. I have been using the Group
>>>Policy Manager from the Windows administrative tool in order to grant logon
>>>rights to all the users belonging to the Domain User group; furthermore I
>>>have added the users to the group Remote Desktop users, but still I have no
>>>success at all. At the moment the group policies look like this:
>>>
>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>display name : Default Domain Policy
>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>version      : 3
>>>flags        : NONE
>>>
>>>GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>display name : Default Domain Controllers Policy
>>>path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>version      : 7
>>>flags        : NONE
>>>
>>>
>>>while from the GPM looks like this:
>>>
>>>(Embedded image moved to file: pic08924.gif)
>>>
>>>
>>>
>>>I have also run gpupdate /force from the windows machine and if I do
>>>samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
>>>done from the windows snap in
>>>
>>>
>>>I am unsure now where the problem lies, are the GPO I have modified being
>>>applied correctly on samba 4 OR is the GPO itself that is not configured
>>>correctly in order to allow RDP (and add machine to domain)? Or any other
>>>issue?
>>>
>>>Note that all this was working correctly when I did the same test upgrade
>>>from samba 3 to samba 4.1.6
>>>
>>>also I am able to login to every machine in the domain using my domain user
>>>when logging in locally.
>>>
>>>Any idea / suggestion?
>>>
>>>
>>>thanks!
>>>
>>>_______________________________________________________________
>>>____________________________
>>>
>>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>>FAX: +353 1
>>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>>IBM Ireland Product Distribution Limited registered in Ireland
>>>with number
>>>92815. Registered Office: IBM House, Shelbourne Road,
>>>Ballsbridge, Dublin 4
>>>
>>>
>>
>>
>>
>
>
>
>
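
The thread marks the `auth methods` and `dcerpc endpoint servers` overrides as debugging aids that should not be used in production. The check below is an added example, not part of the original messages or of Samba's own tooling: it reports those overrides if they remain in the `[global]` section of an AD DC's smb.conf. The sample configurations are constructed and abridged from the ones quoted above, and the function names are hypothetical.

```python
import re

# Parameters the thread says are for debugging only on the DC.
DEBUG_ONLY = {"authmethods", "dcerpcendpointservers"}
# Role string as written in the thread (other spellings are not checked here).
AD_DC_ROLE = "active directory domain controller"

# Constructed samples, abridged from the configurations quoted in the thread.
DEBUG_CONF = r"""
[global]
        server role = active directory domain controller
        ##For debugging
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, \
                netlogon, lsarpc
        auth methods = sam, winbind, ntdomain, ntdomain:winbind
[sysvol]
        path = /var/lib/samba/sysvol
"""
DEFAULT_CONF = """
[global]
        server role = active directory domain controller
"""

def norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip()
    return params

def audit(text):
    """List debug-only overrides still set in an AD DC's [global] section."""
    params = parse_global(text)
    if params.get("serverrole", "").lower() != AD_DC_ROLE:
        return []
    return sorted(k for k in DEBUG_ONLY if k in params)
```

`audit()` returns the normalised names of the overrides it finds, so an empty list means the DC is running with the default values for both parameters.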


