[Samba] RSAT Hang

Gregory Sloop gregs at sloop.net
Wed May 23 00:01:25 UTC 2018

RPvs> Your very first post says that RSAT hangs when you try to view the
RPvs> security tab, this is where the NTFS permissions are viewed/changed and
RPvs> to do this, the user must be known to the underlying OS 

Hmmm. Yes, if you were in Windows Explorer, and looked at the properties of the file/directory and went to the security tab - that would view/adjust the NTFS permissions. However, it's not so obvious to me that we're changing the NTFS permissions on an AD object. [Perhaps we are, it's just not at all obvious that's what's going on.]

>> But I'm not doing anything on any file system. I'm using RSAT against
>> the Ubuntu Samba AD DC ONLY. 

RPvs> If you are trying to alter something on the DC, it gets a bit easier,
RPvs> as this uses idmap.ldb and ALL the users & groups are known to the OS,
RPvs> provided libnss_winbind etc is set up correctly.

>> [Not that it matters yet, but the FreeNAS version I'm running has
>> Samba 4.7.0 on it. But again, we've not gotten to any point where the
>> NAS is talking to the AD DC, or sharing files. I'm doing the work
>> (following the NAS docs) to get a computer and user account setup so
>> I can work on configuring the NAS as the next step.]

RPvs> I do not understand what the user account you are setting up is for and
RPvs> you do not need to set up the computer account, 'net ads join -U
RPvs> Administrator' will do this for you.

>> Again, I get that we'll get into Unix/AD user mix once we get to
>> actually sharing files and setting shared file permissions. But,
>> again, I'm simply trying to configure the AD *Computer* account via
>> RSAT. 

>> Like this: 
>> Open RSAT. [AD Users and Computers]
>> Go to the AD Domain, expand it.
>> View | Advanced features
>> Locate the AD Computer account I've already created.
>> Right Click | Properties
>> Try to move to the "Security" tab.
>> And it hangs.

RPvs> This is probably because you do not need to do this, set up smb.conf
RPvs> etc correctly, stop all Samba processes and then run 'net ads join -U
RPvs> Administrator' enter Administrator's password when prompted and the
RPvs> computer account will be created for you.

>> >> In the setup steps for the NAS, I'm instructed to modify a setting
>> >> on the "security" tab in RSAT for the computer account [which I
>> >> created above] When I try to view the "security" tab of a user or
>> >> computer object, RSAT hangs.

RPvs> Let me guess, the instructions are for joining to a Windows AD DC?

Yes, that's correct.
I've not found any way in FreeNAS to do it through the normal UI [where the configuration will be handled the way FN expects] and not use a "Windows" based approach. [i.e. There's no documented way to join FN to a Samba domain that's in the official docs. Since it's standard Samba, I'm sure it's possible at the CLI. But what issues will we run into when FN is configured "on the side" and not through the UI? I am not sure - but wanted to avoid complications by doing it in the most standard way via the options in the UI. I wanted to avoid such drama, if possible.]

I've found a few threads doing so via the CLI as a standard Samba join.
Perhaps going that route is more fruitful - I dunno.

All that said - if this IS a permissions issue, how come we don't see something in the logs that looks like a denial/error/warning flagging permissions when we try to view that tab? Or why doesn't Samba return a failure to RSAT and we get an error at the RSAT console?
