[Samba] classic upgrade, splitting servers

L.P.H. van Belle belle at bazuin.nl
Wed May 24 10:23:42 UTC 2017

Ok, lets start with : 
> Thinking of the other ~25 machines at their site I am not yet 
> there to deploy the new DC, I assume.
Correct, your not there yet. 

> I don't see a share tab in the properties of \\dc\netlogon 
> and \\dc\sysvol

Login as Adminstrator, 
Open de  "computer manager" ( rigth klik computer, manage ), right klik, connect to, .. 
Now you should see share and security tab. 

Now, you can login as root, yes, but use Administrator. 
Root is not known in AD, this is why it logins faster. 
Adminsitrator is in an OU=Users, which "should not" have any GPO settings assigned expect domain defaults.

How long did you wait the first time for the login and any windows event id's from that login? 

How did you migrate your users profiles. 
Just a copy past? Because as far i know thats not going to work. 

You need something like : 

USMT http://technet.microsoft.com/en-us/library/dd560801(WS.10).aspx

But in all three above, i dont use it. :-/ 
I configure everything in GPO, only 1 thing i have to do manualy, setup the email signing. 
And for that on my new mail server its done also. 
I only do , rename a pc, join a pc domain, set static ip if needed, reboot 2x and 
login as my "second" Admin users to apply every computer policy. 
Yes these first logins can take some time, i see that also, but thats only once here.
And the first login added my root CA.

So, if your network setup is good, every is applied by GPO. 
Im setting for example 
any windows setting i want. ( per user/group or OU) 
Deploy software where needed.
All my (MS) Office settings, Adobe reader, Printer deployment, certifcate deployment and security settings. 

But my best advice about GPO'.s start with small changes, and group you changes.
Like "GPO:InternetSettings"  i have 1 gpo for IE/EDGE/CHROME/Firefox. With defaults. 
Or GPO:PrinterDeploy, with only printer settings. 
Etc. think good about this, and ask questions. 
Order is > Computer policy rules, and most settings can be overruled by a user setting. 
For example, my user are not allowed to read/write from USB. 

Thats simple done in GPO, I now have for example. 
1) nobody can read/write from USB	( domain wide policy ) 
2) a computer gpo setting can overwrite this by GPO. ( computer policy per OU or computer or group member ) 
3) 2 groups contains, 1 read and 1 write 			( regular groups USB_read and USB_write with members ) 
4) select group of users has read right on usb.		( GPO linked to USB_read )
5) select group of users has read/write right on usb.	( GPO linked to USB_read and USB_write ) 

And really take small steps how this works, but once setup, your done, 
and then you can enjoy for extra free time on samba problems on the list ;-P 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan G. Weichinger via samba
> Verzonden: woensdag 24 mei 2017 11:36
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] classic upgrade, splitting servers
> Am 2017-05-24 um 09:11 schrieb L.P.H. van Belle via samba:
> > Hai Stefan,
> > 
> > A heads up and few adviced changes/tips for you. 
> > 
> > smb.conf: 
> > realm = my.tld
> > Change to
> > realm = MY.TLD
> > 
> > Try to set a REALM always in CAPS. Some programs rely on 
> that. ( for 
> > example, MIT Kerberos expects realm in CAPS ) So prepair 
> for 4.7 now already to save problems in future.
> skipped that after reading Andrew ;-)
> > I have best results if acl_xattr:ignore system acls = Yes  is set.
> > Only thing is after settting and restarting samba, you must 
> set share and security settings again. 
> > But now, include user SYSTEM on the shares : sysvol, profiles and 
> > optional users_home
> Set for both sysvol and netlogon shares, I don't have the others (?)
> > Check if you have on the security tab the following. 
> > Verified Users , read and exec
> > System , full control
> > Serer Operators, read and exec
> > NTDOM\Administrators, full control
> checked ok (within windows explorer, right?)
> > On the share tab, if you have access denied on group 
> policies, add users SYSTEM to the share rights on sysvol. 
> I don't see a share tab in the properties of \\dc\netlogon 
> and \\dc\sysvol
> > On the .. 
> >>> I can't logon to the PC still with some users - that 
> error with the 
> >>> user login service, maybe related to some serverbased profile 
> >>> setting somewhere (?)
> > Start with, login as NTDOM\Administrator into the domain 
> with a domain joined pc. 
> > Go to the domain policy and setup
> > https://technet.microsoft.com/en-us/library/gg486839.aspx
> > And setup "the Always wait for the network at computer startup and 
> > logon" policy setting Reboot the pc 2 times. Firstime its 
> applied, second time it should be working.
> done
> > And before the reboots start with cleanup the windows even logs. 
> done
> > Start from here, see what happens and post again of you 
> have questions.
> No big change here ...
> I can:
> * logon as BUERO\root
> * connect to the shares on \\dc
> * test other users via smbclient (auth works for them)
> But:
> * login as BUERO\Administrator just sits there and waits for 
> minutes ...
> no error message, no desktop ... I can cancel that via CtrlAltDel
> * login as some users fail with that blue error around the 
> profile service
> * as root: still the error around reading the GPOs from the DC
> --- I also added the LAN-subnet as "local network" to 
> Kaspersky settings. I wondered if Kaspersky maybe protected 
> me from my DC.
> Do I have to remove some of the user-SIDs or so from the registry?
> *scratch*
> Thinking of the other ~25 machines at their site I am not yet 
> there to deploy the new DC, I assume.
> thanks all for help, Stefan
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list