[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1, users are not able to remote desktop anymore (bug 11061)
Steve Ankeny
steve_a at cinergymetro.net
Fri May 1 08:29:57 MDT 2015
On Samba AD DC most of these endpoint servers are already running --
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, mapiproxy
Use samba-tool testparm -v first before adding them to the smb.conf
I say this because I could not "join" Windows clients to Samba with
these running from smb.conf
Rowland indicated these stopped certain other services --
wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup,
unixinfo, browser, eventlog6, backupkey
https://lists.samba.org/archive/samba/2015-February/189171.html
On 05/01/2015 09:34 AM, Mario Pio Russo wrote:
> ok this is my smb.conf file now
>
>
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 9.0.138.50
> ##For debugging
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
> backupkey, dnsserver, remote, winreg, srvsvc
> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
> [netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> still same error on the windows machine
>
> It looks like the GPOs are now applied when we do not define the
> directive
>
> "auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>
> let me know if you need any other debugging info, I'm happy to help (and get
> this sorted :D)
>
> thanks
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
>
>
>
> From: "L.P.H. van Belle" <belle at bazuin.nl>
> To: "samba at lists.samba.org" <samba at lists.samba.org>
> Cc: Mario Pio Russo/Ireland/IBM at IBMIE
> Date: 01/05/2015 14:24
> Subject: Re: [Samba] After the classicupgrade from samba3
> tosernet-samba-4.2.1 , users are not able to remote desktop
> anymore ( bug11061 )
> Sent by: samba-bounces at lists.samba.org
>
>
>
> Hello Mario ,
>
> what if you try these :
>
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey,
> dnsserver, remote, winreg, srvsvc
> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
> !! these are only for helping in debugging and should not be used in
> production.
> !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
> (solved)
> !! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>
> so if you want to help debug, that would be nice. see bug-id in subject.
>
> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
> auth methods = sam, winbind is sufficient to login with rdp.
> so if we can find what we need to get GPO working also, that might help the
> developers.
>
> I'll set some GPOs in my test and try again also.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>> Sent: Friday 1 May 2015 15:08
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>
>> Thanks Louis
>>
>> I've changed the smb.conf as you said, now it looks like this:
>>
>>
>> root at ccdc-samba4:~# cat /etc/samba/smb.conf
>> # Global parameters
>> [global]
>> workgroup = CCDC
>> realm = CCDC.LAN
>> netbios name = CCDC-SAMBA4
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 9.0.138.50
>> auth methods = sam, winbind
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/ccdc.lan/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> root at ccdc-samba4:~#
>>
>>
>> however from the windows machine when I try to update the group policies, I
>> am now getting these errors:
>>
>>
>>
>> Microsoft Windows [Version 6.1.7601]
>> Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>
>> C:\Users\Administrator.CCDC>gpupdate /force
>> Updating Policy...
>>
>> User policy could not be updated successfully. The following errors were
>> encountered:
>>
>> The processing of Group Policy failed. Windows attempted to read the file
>> \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>> from a domain controller and was not successful. Group Policy settings may
>> not be applied until this event is resolved. This issue may be transient and
>> could be caused by one or more of the following:
>> a) Name Resolution/Network Connectivity to the current domain controller.
>> b) File Replication Service Latency (a file created on another domain
>> controller has not replicated to the current domain controller).
>> c) The Distributed File System (DFS) client has been disabled.
>> Computer policy could not be updated successfully. The following errors were
>> encountered:
>>
>> The processing of Group Policy failed. Windows attempted to read the file
>> \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
>> from a domain controller and was not successful. Group Policy settings may
>> not be applied until this event is resolved. This issue may be transient and
>> could be caused by one or more of the following:
>> a) Name Resolution/Network Connectivity to the current domain controller.
>> b) File Replication Service Latency (a file created on another domain
>> controller has not replicated to the current domain controller).
>> c) The Distributed File System (DFS) client has been disabled.
>>
>> To diagnose the failure, review the event log or run GPRESULT /H
>> GPReport.html from the command line to access information about Group
>> Policy results.
>>
>> C:\Users\Administrator.CCDC>
>>
>>
>>
>>
>>
>> I'm still unable to login with normal users via RDP
>>
>>
>>
>>
>>
>> From: "L.P.H. van Belle" <belle at bazuin.nl>
>> To: "samba at lists.samba.org" <samba at lists.samba.org>
>> Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>> Date: 01/05/2015 13:55
>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>> sernet-samba-4.2.1 , users are not able to remote desktop
>> anymore
>>
>>
>>
>> correct.
>>
>> bug still exists, just tested also on latest git master.
>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>>
>> temp solution.
>>
>> try adding :
>> auth methods = sam, winbind
>> to smb.conf on the dc and restart the DC.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: mariopiorusso at ie.ibm.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>> Sent: Friday 1 May 2015 14:51
>>> To: samba at lists.samba.org
>>> Subject: [Samba] After the classicupgrade from samba3 to
>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>
>>>
>>> Good Day All
>>>
>>> I have a current working configuration of sernet-samba-4.2.1, created by
>>> upgrading from a samba3 PDC using the classic upgrade.
>>>
>>> Now, I have added a windows 2008 machine to the domain and I'm using the AD
>>> snap in tools in order to browse the domain.
>>>
>>> I can see all the users and groups and they have been imported correctly.
>>> However I am able to remote desktop to the domain machines only with the
>>> user "Administrator at ccdc.lan"; no other user is able to RDP.
>>> Furthermore I am able to add machines to the domain only from the user
>>> Administrator, and not from any other user. I have been using the Group
>>> Policy Manager from the windows administrative tools in order to grant logon
>>> rights to all the users belonging to the Domain User group; furthermore I
>>> have added the users to the group Remote Desktop users, but still I have no
>>> success at all. At the moment the group policies look like this:
>>>
>>> root at ccdc-samba4:/# samba-tool gpo listall
>>> GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>> display name : Default Domain Policy
>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>> dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>> version : 3
>>> flags : NONE
>>>
>>> GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>> display name : Default Domain Controllers Policy
>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>> dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>> version : 7
>>> flags : NONE
>>>
>>>
>>> while from the GPM looks like this:
>>>
>>> (Embedded image moved to file: pic08924.gif)
>>>
>>>
>>>
>>> I have also run gpupdate /force from the windows machine and if I do
>>> samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
>>> done from the windows snap in
>>>
>>>
>>> I am unsure now where the problem lies, are the GPOs I have modified being
>>> applied correctly on samba 4 OR is it the GPO itself that is not configured
>>> correctly in order to allow RDP (and add machine to domain)? Or any other
>>> issue?
>>>
>>> Note that all this was working correctly when I did the same test upgrade
>>> from samba 3 to samba 4.1.6
>>> also I am able to login to every machine in the domain using my domain user
>>> when logging in locally.
>>>
>>> Any idea / suggestion?
>>>
>>>
>>> thanks!
>>>
>>>
>>
>>
>
>
>
>
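The thread treats "auth methods" and "dcerpc endpoint servers" as debugging overrides that should not stay in a production smb.conf on a DC. As an added example (not part of the thread and not Samba project code), a shell check that reports either parameter when it is set explicitly in [global] on an AD DC; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report debug-only overrides in [global] of an smb.conf on an AD DC.
# Parameter names are from the thread; function names and sample data are constructed.

# Prints "<parameter> = <value>" per override; returns 1 if any is found, else 0.
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    # Samba ignores case and whitespace inside parameter and section names
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    {
        line = trim($0)
        # a trailing backslash continues the value on the next line
        while (line ~ /\\$/ && (getline nxt) > 0) {
            sub(/\\$/, "", line)
            line = line trim(nxt)
        }
        if (line == "" || line ~ /^[#;]/) next
        if (line ~ /^\[.*\]$/) { section = norm(substr(line, 2, length(line) - 2)); next }
        eq = index(line, "=")
        if (section != "global" || eq == 0) next
        key = norm(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        if (key == "serverrole") role = norm(val)
        if (key == "authmethods") found[++n] = "auth methods = " val
        if (key == "dcerpcendpointservers") found[++n] = "dcerpc endpoint servers = " val
    }
    END {
        # only the role spelling used in the thread is recognised here
        if (role != "activedirectorydomaincontroller") exit 0
        for (i = 1; i <= n; i++) print found[i]
        exit (n > 0)
    }' "$1"
}

# Constructed sample modelled on the smb.conf posted in the thread.
sample_conf() {
    cat <<'EOF'
[global]
    workgroup = CCDC
    server role = active directory domain controller
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, \
        netlogon, lsarpc, remote, winreg, srvsvc
    Auth Methods = sam, winbind, ntdomain, ntdomain:winbind
[sysvol]
    path = /var/lib/samba/sysvol
EOF
}
```

Run it as audit_smb_conf /etc/samba/smb.conf; it reads the file as written, so it shows only explicit overrides, while samba-tool testparm -v shows the effective values including defaults.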