[Samba] classic upgrade, splitting servers
Stefan G. Weichinger
lists at xunil.at
Wed May 24 09:36:07 UTC 2017
On 2017-05-24 at 09:11, L.P.H. van Belle via samba wrote:
> Hai Stefan,
>
> A heads up and a few advised changes/tips for you.
>
> smb.conf:
> realm = my.tld
> Change to
> realm = MY.TLD
>
> Try to set a REALM always in CAPS. Some programs rely on that. (for example, MIT Kerberos expects realm in CAPS)
> So prepare for 4.7 now already to save problems in future.

skipped that after reading Andrew ;-)

> I have best results if acl_xattr:ignore system acls = Yes is set.
> Only thing is after setting and restarting samba, you must set share and security settings again.
> But now, include user SYSTEM on the shares : sysvol, profiles and optional users_home

Set for both sysvol and netlogon shares, I don't have the others (?)

> Check if you have on the security tab the following.
> Verified Users , read and exec
> System , full control
> Server Operators, read and exec
> NTDOM\Administrators, full control

checked ok (within windows explorer, right?)

> On the share tab, if you have access denied on group policies, add users SYSTEM to the share rights on sysvol.

I don't see a share tab in the properties of \\dc\netlogon and \\dc\sysvol

> On the ..
>>> I can't logon to the PC still with some users - that error with the user login service, maybe related to some serverbased profile setting somewhere (?)
> Start with, login as NTDOM\Administrator into the domain with a domain joined pc.
> Go to the domain policy and setup
> https://technet.microsoft.com/en-us/library/gg486839.aspx
> And setup "the Always wait for the network at computer startup and logon" policy setting
> Reboot the pc 2 times. First time it's applied, second time it should be working.

done

> And before the reboots start with cleanup the Windows event logs.

done

> Start from here, see what happens and post again if you have questions.

No big change here ...

I can:
* logon as BUERO\root
* connect to the shares on \\dc
* test other users via smbclient (auth works for them)
But:
* login as BUERO\Administrator just sits there and waits for minutes ...
no error message, no desktop ... I can cancel that via CtrlAltDel
* login as some users fails with that blue error around the profile service
* as root: still the error around reading the GPOs from the DC
--- I also added the LAN-subnet as "local network" to Kaspersky
settings. I wondered if Kaspersky maybe protected me from my DC.
Do I have to remove some of the user-SIDs or so from the registry?
*scratch*
Thinking of the other ~25 machines at their site I am not yet there to
deploy the new DC, I assume.
thanks all for help, Stefan