[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1, users are not able to remote desktop anymore (bug11061)

Steve Ankeny steve_a at cinergymetro.net
Fri May 1 10:41:47 MDT 2015


On 05/01/2015 12:03 PM, Rowland Penny wrote:
> On 01/05/15 15:29, Steve Ankeny wrote:
>> On Samba AD DC most of these endpoint servers are already running --
>>
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, 
>> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, 
>> backupkey, dnsserver, mapiproxy
>>
>> Use samba-tool testparm -v first before adding them to the smb.conf
>>
>> I say this because I could not "join" Windows clients to Samba with 
>> these running from smb.conf
>>
>> Rowland indicated these stopped certain other services --
>>
>> wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, 
>> unixinfo, browser, eventlog6, backupkey
>>
>> https://lists.samba.org/archive/samba/2015-February/189171.html
>>
>> On 05/01/2015 09:34 AM, Mario Pio Russo wrote:
>>> ok this is my smb.conf file now
>>>
>>>
>>> # Global parameters
>>> [global]
>>>          workgroup = CCDC
>>>          realm = CCDC.LAN
>>>          netbios name = CCDC-SAMBA4
>>>          server role = active directory domain controller
>>>          idmap_ldb:use rfc2307 = yes
>>>          dns forwarder = 9.0.138.50
>>>          ##For debugging
>>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>          auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>> [netlogon]
>>>          path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/lib/samba/sysvol
>>>          read only = No
>>>
>>>
>>> still same error on the windows machine
>>>
>>> It looks like the GPOs are now applied when we do not define the
>>> directive
>>>
>>> "auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>>
>>> let me know if you need any other debugging info, I'm happy to help
>>> (and get this sorted :D)
>>>
>>> thanks
>>>
>>> ___________________________________________________________________________________________ 
>>>
>>>
>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: 
>>> +353 1
>>> 815 2236, eMail: mariopiorusso at ie.ibm.com
>>> IBM Ireland Product Distribution Limited registered in Ireland with 
>>> number
>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, 
>>> Dublin 4
>>>
>>>
>>>
>>>
>>> From:    "L.P.H. van Belle" <belle at bazuin.nl>
>>> To:    "samba at lists.samba.org" <samba at lists.samba.org>
>>> Cc:    Mario Pio Russo/Ireland/IBM at IBMIE
>>> Date:    01/05/2015 14:24
>>> Subject:    Re: [Samba] After the classicupgrade from samba3 to
>>>              sernet-samba-4.2.1, users are not able to remote desktop
>>>              anymore ( bug11061 )
>>> Sent by:    samba-bounces at lists.samba.org
>>>
>>>
>>>
>>> Hello Mario ,
>>>
>>> what if you try these :
>>>
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>> !! these are only for helping in debugging and should not be used in
>>> production.
>>> !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>>> (solved)
>>> !! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>>>
>>> so if you want to help debug, that would be nice. see bug-id in subject.
>>>
>>> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>> auth methods = sam, winbind is sufficient to login with rdp.
>>> so if we can find what we need to get GPO working also, that might help
>>> the developers.
>>>
>>> I'll set some GPOs in my test and try again also.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>> Sent: Friday 1 May 2015 15:08
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>> Thanks Louis
>>>>
>>>> I've changed the smb.conf as you said, now it looks like this:
>>>>
>>>>
>>>> root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = CCDC
>>>>         realm = CCDC.LAN
>>>>         netbios name = CCDC-SAMBA4
>>>>         server role = active directory domain controller
>>>>         idmap_ldb:use rfc2307 = yes
>>>>         dns forwarder = 9.0.138.50
>>>>         auth methods = sam, winbind
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>         read only = No
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = No
>>>> root at ccdc-samba4:~#
>>>>
>>>>
>>>> however from the windows machine when I try to update the group
>>>> policies, I am now getting these errors:
>>>>
>>>>
>>>>
>>>> Microsoft Windows [Version 6.1.7601]
>>>> Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>>>
>>>> C:\Users\Administrator.CCDC>gpupdate /force
>>>> Updating Policy...
>>>>
>>>> User policy could not be updated successfully. The following errors were encountered:
>>>>
>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>> c) The Distributed File System (DFS) client has been disabled.
>>>> Computer policy could not be updated successfully. The following errors were encountered:
>>>>
>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>> c) The Distributed File System (DFS) client has been disabled.
>>>>
>>>> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>>>>
>>>> C:\Users\Administrator.CCDC>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I'm still unable to login with normal users via RDP
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From:         "L.P.H. van Belle" <belle at bazuin.nl>
>>>> To:         "samba at lists.samba.org" <samba at lists.samba.org>
>>>> Cc:         Mario Pio Russo/Ireland/IBM at IBMIE
>>>> Date:         01/05/2015 13:55
>>>> Subject:         RE: [Samba] After the classicupgrade from samba3 to
>>>>             sernet-samba-4.2.1 , users are not able to remote desktop
>>>>             anymore
>>>>
>>>>
>>>>
>>>> correct.
>>>>
>>>> bug still exists, just tested also on latest git master.
>>>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>>
>>>>
>>>> temp solution.
>>>>
>>>> try adding :
>>>> auth methods = sam, winbind
>>>> to smb.conf on the dc and restart the DC.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: mariopiorusso at ie.ibm.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>> Sent: Friday 1 May 2015 14:51
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] After the classicupgrade from samba3 to
>>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>
>>>>>
>>>>> Good Day All
>>>>>
>>>>> I have a current working configuration of sernet-samba-4.2.1, created by
>>>>> upgrading from a samba3 PDC using the classic upgrade.
>>>>>
>>>>> Now, I have added a windows 2008 machine to the domain and I'm using the
>>>>> AD snap in tools in order to browse the domain.
>>>>>
>>>>> I can see all the users and groups and they have been imported correctly.
>>>>> However I am able to remote desktop to the domain machines only with the
>>>>> user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>>> Furthermore I am able to add machines to the domain only from the user
>>>>> Administrator, and not from any other user. I have been using the Group
>>>>> Policy Manager from the windows administrative tool in order to grant
>>>>> logon rights to all the users belonging to the Domain User group;
>>>>> furthermore I have added the users to the group Remote Desktop users, but
>>>>> still I have no success at all. At the moment the group policies look
>>>>> like this:
>>>>>
>>>>> root at ccdc-samba4:/# samba-tool gpo listall
>>>>> GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> display name : Default Domain Policy
>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>> version      : 3
>>>>> flags        : NONE
>>>>>
>>>>> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>> display name : Default Domain Controllers Policy
>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>> dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>> version      : 7
>>>>> flags        : NONE
>>>>>
>>>>>
>>>>> while from the GPM looks like this:
>>>>>
>>>>> (Embedded image moved to file: pic08924.gif)
>>>>>
>>>>>
>>>>>
>>>>> I have also run gpupdate /force from the windows machine and if I do
>>>>> samba-tool gpo fetch <Domain Policy> I am able to see the changes I have
>>>>> done from the windows snap in
>>>>>
>>>>>
>>>>> I am unsure now where the problem lies, are the GPO I have modified being
>>>>> applied correctly on samba 4 OR is the GPO itself that is not configured
>>>>> correctly in order to allow RDP (and add machine to domain)? Or any other
>>>>> issue?
>>>>>
>>>>> Note that all this was working correctly when I did the same test upgrade
>>>>> from samba 3 to samba 4.1.6
>>>>> also I am able to login to every machine in the domain using my domain
>>>>> user when logging in locally.
>>>>> Any idea / suggestion?
>>>>>
>>>>>
>>>>> thanks!
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>
> If you use the internal dns server with a samba 4 AD DC you do not get 
> the 'server services' line in smb.conf, this does not mean that you 
> haven't got any 'server services' running, quite the contrary, you are 
> using the defaults. To see these defaults, you need to run:
>
> samba-tool testparm -v | grep 'server services'
>
> this will show you the defaults (after you press enter)
>
> So, if you haven't got the line in smb.conf, how do you turn one of 
> them off or another one on ?
>
> If you just add the line 'server services dns' for instance, you would 
> turn off everything apart from the dns server!
> What you need to do is, either add the entire default line with the 
> service added that you want to run, or without the service you do not 
> want to run. You can also turn off a service by adding the line 
> 'server services -winbindd', this for instance will turn off the new 
> winbindd daemon on 4.2.x, to turn on a service, you use a similar 
> line, but replace the '-' with a '+' i.e. 'server services +winbind'. 
> You can combine these into one line: server services -winbindd + winbind
>
> Rowland

When I had an issue with joining because of my "dcerpc endpoint server" 
line, you suggested --

dcerpc endpoint servers = +mapiproxy

I understand that better.  So, you're suggesting the OP could use "+" 
instead of using the entire line?
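
The replace-versus-modify behaviour discussed in this thread, as an added example that is not part of the original messages and is not Samba's own code: it resolves a `dcerpc endpoint servers` value against the defaults quoted above and reports which defaults a line drops. The function names, the rejection of mixed syntax and the one-line sample config are assumptions of this sketch.

```python
# Model of the list semantics discussed in this thread; not Samba's own code.
# Defaults as quoted in the thread; confirm yours with `samba-tool testparm -v`.
DEFAULT_ENDPOINTS = ("epmapper wkssvc rpcecho samr netlogon lsarpc spoolss "
                     "drsuapi dssetup unixinfo browser eventlog6 backupkey "
                     "dnsserver mapiproxy").split()
# Constructed samples: the posted line (joined) and the '+' form from the reply.
THREAD_CONF = """[global]
    idmap_ldb:use rfc2307 = yes
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, \
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, \
dnsserver, remote, winreg, srvsvc
"""
PLUS_CONF = "[global]\n    dcerpc endpoint servers = +mapiproxy\n"

def resolve_list(defaults, value):
    """Effective list: a plain list replaces the defaults, +/- entries edit them."""
    tokens = value.replace(",", " ").split()
    mods = [t for t in tokens if t[0] in "+-" and len(t) > 1]
    if not mods:
        return tokens
    if len(mods) != len(tokens):  # assumption: mixed syntax is rejected here
        raise ValueError("mixed plain and +/- entries: " + value)
    effective = list(defaults)
    for tok in tokens:
        name = tok[1:]
        if tok[0] == "+" and name not in effective:
            effective.append(name)
        elif tok[0] == "-" and name in effective:
            effective.remove(name)
    return effective

def global_param(conf_text, key):
    """Last value of `key` in [global], or None when the line is absent."""
    section, found = None, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, val = line.split("=", 1)
            if " ".join(name.lower().split()) == key:
                found = val.strip()
    return found

def audit(conf_text, key="dcerpc endpoint servers", defaults=DEFAULT_ENDPOINTS):
    """Report which defaults a config line silently drops or adds."""
    value = global_param(conf_text, key)
    effective = list(defaults) if value is None else resolve_list(defaults, value)
    return {"dropped": [d for d in defaults if d not in effective],
            "added": [e for e in effective if e not in defaults]}
```

Run against the posted configuration, `audit(THREAD_CONF)` reports `mapiproxy` as dropped, while the `+mapiproxy` form leaves every default in place.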


