[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )

Rowland Penny rowlandpenny at googlemail.com
Fri May 1 10:51:37 MDT 2015


On 01/05/15 17:41, Steve Ankeny wrote:
> On 05/01/2015 12:03 PM, Rowland Penny wrote:
>> On 01/05/15 15:29, Steve Ankeny wrote:
>>> On Samba AD DC most of these endpoint servers are already running --
>>>
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, 
>>> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, 
>>> backupkey, dnsserver, mapiproxy
>>>
>>> Use samba-tool testparm -v first before adding them to the smb.conf
>>>
>>> I say this because I could not "join" Windows clients to Samba with 
>>> these running from smb.conf
>>>
>>> Rowland indicated these stopped certain other services --
>>>
>>> wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, 
>>> unixinfo, browser, eventlog6, backupkey
>>>
>>> https://lists.samba.org/archive/samba/2015-February/189171.html
>>>
>>> On 05/01/2015 09:34 AM, Mario Pio Russo wrote:
>>>> ok this is my smb.conf file now
>>>>
>>>>
>>>> # Global parameters
>>>> [global]
>>>>          workgroup = CCDC
>>>>          realm = CCDC.LAN
>>>>          netbios name = CCDC-SAMBA4
>>>>          server role = active directory domain controller
>>>>          idmap_ldb:use rfc2307 = yes
>>>>          dns forwarder = 9.0.138.50
>>>>          ##For debugging
>>>>          dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>>          auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>>
>>>> [netlogon]
>>>>          path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /var/lib/samba/sysvol
>>>>          read only = No
>>>>
>>>>
>>>> still same error on the windows machine
>>>>
>>>> It looks like that the GPO are now applied when we do not define the
>>>> directive
>>>>
>>>> "auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>>>
>>>> let me know if you need any other debugging info, I'm happy to help
>>>> (and get this sorted :D)
>>>>
>>>> thanks
>>>>
>>>> ___________________________________________________________________________________________ 
>>>>
>>>>
>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: 
>>>> +353 1
>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com
>>>> IBM Ireland Product Distribution Limited registered in Ireland with 
>>>> number
>>>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, 
>>>> Dublin 4
>>>>
>>>>
>>>>
>>>>
>>>> From:    "L.P.H. van Belle" <belle at bazuin.nl>
>>>> To:    "samba at lists.samba.org" <samba at lists.samba.org>
>>>> Cc:    Mario Pio Russo/Ireland/IBM at IBMIE
>>>> Date:    01/05/2015 14:24
>>>> Subject:    Re: [Samba] After the classicupgrade from samba3
>>>>              tosernet-samba-4.2.1 ,    users are not able to remote 
>>>> desktop
>>>>              anymore ( bug11061 )
>>>> Sent by:    samba-bounces at lists.samba.org
>>>>
>>>>
>>>>
>>>> Hello Mario ,
>>>>
>>>> what if you try these :
>>>>
>>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>>
>>>> !! these are only for helping in debugging and should not be used in
>>>> production.
>>>> !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>>>> (solved)
>>>> !! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>>>>
>>>> so if you want to help debugging, that would be nice. see bug-id in
>>>> subject.
>>>>
>>>> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>>> auth methods = sam, winbind is sufficient to login with rdp.
>>>> so if we can find what we need to get GPO working also, that might
>>>> help the developers.
>>>>
>>>> I'll set some GPOs in my test and try again also.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>>> Sent: Friday 1 May 2015 15:08
>>>>> To: L.P.H. van Belle
>>>>> CC: samba at lists.samba.org
>>>>> Subject: RE: [Samba] After the classicupgrade from samba3 to
>>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>
>>>>> Thanks Luis
>>>>>
>>>>> I've changed the smb.conf as you said, now it looks like this:
>>>>>
>>>>>
>>>>> root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>>>> # Global parameters
>>>>> [global]
>>>>>         workgroup = CCDC
>>>>>         realm = CCDC.LAN
>>>>>         netbios name = CCDC-SAMBA4
>>>>>         server role = active directory domain controller
>>>>>         idmap_ldb:use rfc2307 = yes
>>>>>         dns forwarder = 9.0.138.50
>>>>>         auth methods = sam, winbind
>>>>>
>>>>> [netlogon]
>>>>>         path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>>         read only = No
>>>>>
>>>>> [sysvol]
>>>>>         path = /var/lib/samba/sysvol
>>>>>         read only = No
>>>>> root at ccdc-samba4:~#
>>>>>
>>>>>
>>>>> however from the windows machine when I try to update the
>>>>> group policies, I am now getting these errors:
>>>>>
>>>>>
>>>>>
>>>>> Microsoft Windows [Version 6.1.7601]
>>>>> Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
>>>>>
>>>>> C:\Users\Administrator.CCDC>gpupdate /force
>>>>> Updating Policy...
>>>>>
>>>>> User policy could not be updated successfully. The following errors were encountered:
>>>>>
>>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>>> c) The Distributed File System (DFS) client has been disabled.
>>>>> Computer policy could not be updated successfully. The following errors were encountered:
>>>>>
>>>>> The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>>> a) Name Resolution/Network Connectivity to the current domain controller.
>>>>> b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>>> c) The Distributed File System (DFS) client has been disabled.
>>>>>
>>>>> To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>>>>>
>>>>> C:\Users\Administrator.CCDC>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I'm still unable to login with normal users via RDP
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From:         "L.P.H. van Belle" <belle at bazuin.nl>
>>>>> To:         "samba at lists.samba.org" <samba at lists.samba.org>
>>>>> Cc:         Mario Pio Russo/Ireland/IBM at IBMIE
>>>>> Date:         01/05/2015 13:55
>>>>> Subject:         RE: [Samba] After the classicupgrade from samba3 to
>>>>>             sernet-samba-4.2.1 , users are not able to remote desktop
>>>>>             anymore
>>>>>
>>>>>
>>>>>
>>>>> correct.
>>>>>
>>>>> bug still exists, just tested also on latest git master.
>>>>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>>>
>>>>>
>>>>> temp solution.
>>>>>
>>>>> try adding :
>>>>> auth methods = sam, winbind
>>>>> to smb.conf on the dc and restart the DC.
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: mariopiorusso at ie.ibm.com
>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>>> Sent: Friday 1 May 2015 14:51
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: [Samba] After the classicupgrade from samba3 to
>>>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>>
>>>>>>
>>>>>> Good Day All
>>>>>>
>>>>>> I have a current working configuration of sernet-samba-4.2.1,
>>>>>> created by
>>>>>> upgrading from a samba3 PDC using the classic upgrade.
>>>>>>
>>>>>> Now, I have added a windows 2008 machine to the domain and I'm
>>>>>> using the AD
>>>>>> snap in tools in order to browse the domain.
>>>>>>
>>>>>> I can see all the users and groups and they have been imported
>>>>>> correctly.
>>>>>> However I am able to remote desktop to the domain machines
>>>>>> only with the
>>>>>> user "Administrator at ccdc.lan"; no other user is able to RDP.
>>>>>> Furthermore I am able to add machines to the domain only from the user
>>>>>> Administrator, and not from any other user. I have been using the Group
>>>>>> Policy Manager from the Windows administrative tool in order
>>>>>> to grant logon
>>>>>> rights to all the users belonging to the Domain User group;
>>>>>> furthermore I
>>>>>> have added the users to the group Remote Desktop users, but
>>>>>> still I have no
>>>>>> success at all. at the moment the group policies looks like this:
>>>>>>
>>>>>> root at ccdc-samba4:/# samba-tool gpo listall
>>>>>> GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>> display name : Default Domain Policy
>>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>> dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>> version      : 3
>>>>>> flags        : NONE
>>>>>>
>>>>>> GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>> display name : Default Domain Controllers Policy
>>>>>> path         : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>> dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>> version      : 7
>>>>>> flags        : NONE
>>>>>>
>>>>>>
>>>>>> while from the GPM looks like this:
>>>>>>
>>>>>> (Embedded image moved to file: pic08924.gif)
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have also run gpupdate /force from the windows machine and if I do
>>>>>> samba-tool gpo fetch <Domain Policy> I am able to see the
>>>>>> changes I have done from the windows snap in
>>>>>>
>>>>>>
>>>>>> I am unsure now where the problem lies, are the GPO I have
>>>>>> modified being
>>>>>> applied correctly on samba 4 OR is the GPO itself that is not
>>>>>> configured
>>>>>> correctly in order to allow RDP (and add machine to domain)?
>>>>>> Or any other
>>>>>> issue?
>>>>>>
>>>>>> Note that all this was working correctly when I did the same
>>>>>> test upgrade
>>>>>> from samba 3 to samba 4.1.6
>>>>>> also I am able to login to every machine in the domain using
>>>>>> my domain user
>>>>>> when logging in locally.
>>>>>>
>>>>>> Any idea / suggestion?
>>>>>>
>>>>>>
>>>>>> thanks!
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>> If you use the internal dns server with a samba 4 AD DC you do not 
>> get the 'server services' line in smb.conf, this does not mean that 
>> you haven't got any 'server services' running, quite the contrary, 
>> you are using the defaults. To see these defaults, you need to run:
>>
>> samba-tool testparm -v | grep 'server services'
>>
>> this will show you the defaults (after you press enter)
>>
>> So, if you haven't got the line in smb.conf, how do you turn one of 
>> them off or another one on ?
>>
>> If you just add the line 'server services dns' for instance, you 
>> would turn off everything apart from the dns server!
>> What you need to do is, either add the entire default line with the 
>> service added that you want to run, or without the service you do not 
>> want to run. You can also turn off a service by adding the line 
>> 'server services -winbindd', this for instance will turn off the new 
>> winbindd daemon on 4.2.x, to turn on a service, you use a similar 
>> line, but replace the '-' with a '+' i.e. 'server services +winbind'. 
>> You can combine these into one line: server services -winbindd + winbind
>>
>> Rowland
> When I had an issue with joining because of my "dcerpc endpoint 
> server" line, you suggested --
>
> dcerpc endpoint servers = +mapiproxy
>
> I understand that better.  So, you're suggesting the OP could use "+" 
> instead of using the entire line?
>

If you don't have a visible 'server services' line in your samba AD DC 
smb.conf, you are still using the defaults, so if you want to add a 
service that isn't one of the defaults, you can just add a line 'server 
services +<whatever service you want to add>'

Rowland
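As an added illustration of the 'server services' rule Rowland describes (a bare list replaces the defaults, while '+name' and '-name' edit them), here is a small model of that list handling with a pre-flight check that reports which default services a proposed line would silently drop. It is example code written for this page, not Samba's own parser, and DEFAULT_SERVICES is a constructed sample rather than the authoritative default for any release.

```python
"""Model of the smb.conf 'server services' behaviour described in the thread.
Example code for this page, not Samba's parser. DEFAULT_SERVICES is a
constructed sample; read the real defaults on your DC with
    samba-tool testparm -v | grep 'server services'
"""

# Constructed sample of an AD DC default list (assumption, not authoritative).
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]


def parse_services(value):
    """Split a 'server services' value on commas and whitespace."""
    return value.replace(",", " ").split()


def effective_services(value, defaults=DEFAULT_SERVICES):
    """Return the service list that a 'server services = <value>' line yields.

    If every token carries an attached '+' or '-' prefix, the line edits the
    default list. A single bare token (or a detached sign, which this model
    treats as bare) means the line replaces the defaults outright: the
    'only dns is left' trap Rowland warns about.
    """
    tokens = parse_services(value)
    if not tokens:
        return list(defaults)          # no line at all: pure defaults
    if any(tok[0] not in "+-" or len(tok) == 1 for tok in tokens):
        return tokens                  # bare list: defaults are gone
    services = list(defaults)
    for tok in tokens:
        sign, name = tok[0], tok[1:]
        if sign == "+" and name not in services:
            services.append(name)
        elif sign == "-" and name in services:
            services.remove(name)
    return services


def lost_defaults(value, defaults=DEFAULT_SERVICES):
    """Default services that the proposed line would switch off.

    Pre-flight check before editing smb.conf: an empty list means the line
    only adds services or removes ones you named explicitly.
    """
    kept = set(effective_services(value, defaults))
    return [s for s in defaults if s not in kept]


if __name__ == "__main__":
    for line in ("dns", "+winbind", "-winbindd +winbind"):
        print(f"server services = {line:20s} -> loses {lost_defaults(line)}")
```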

