[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Sun Jun 23 10:48:53 UTC 2019 

On Fri, Jun 14, 2019 at 09:09:58AM +0100, Rowland penny via samba wrote:
> On 14/06/2019 05:50, Stefan Froehlich via samba wrote:
> >as I can do ssh logins with this account, even based on group
> >membership, the unix side of the job seems to be quite settled.
> >The windows side will have to wait a little bit as it requires my
> >physical presence.

> Windows should just work

Unfortunately not at all.

What did work is to switch a PC from the legacy PDC (Debian Squeeze,
now questions allowed) to the new ADS-controller and to authenticate
against the ADS-controller with a newly created test account. This
account can connect to network shares on the file server, including
his own home share and the share holding the roaming profile and
also is able to create files there.

What did not work at all is automatic connection of the home drive
and (worse) roaming profiles. (Neither did the windows ADS
utitlities, but this did not bother me at that point of time).

After that I discovered and resolved some config issues (including
not having mapped Administrator to the root user on the file server,
not having set SeDiskOperatorPrivilege on the file server, assigning
a gidNumber to "Domain Admins" instead of creating a new group).

But still, no home drive and no roaming profiles. Windows uses
temporary profiles instead of creating the appropriate subdirectory
on the file server, and if I create the directory manually, it
denotes the profile as "server based" but refuses to save it (as
said before, I can manually mount the share and create a test file
from within windows). At logout there is a warning telling me to
look into the event log for details, and their I can see a message
with the source "GroupPolicy" and a german text saying "the network
is not available or has not been startet", error code 1222 (German
error messages are a pain in the ass when trying to google for
solutions).

Remarkable is perhaps (in my eyes) that the network neighbourhood on
the windows PCs does show the legacy PDC and the other PCs, but
neither the new ADS-controller nor the new fileserver (even though
the PC is a domain member of the first one and can mount shares of
the latter one).

As I tried all this with two PCs and two different accounts I highly
suspect that the problem is located within my setup, but I simply
don't know how and where to start with debugging.

I created <http://froehlich.priv.at/samba/> with copies of my config
files and LDAP-excerpts to avoid including them all in this mail.
The profiles and users share look like this at the moment (I added a
g+w to /home/profiles for testing purposes at some point of time):

root at herakles:~# ls -al /home/profiles/
total 20
drwxrwx--T  5 root domain users 4096 Jun 21 15:59 .
drwxr-xr-x  8 root root         4096 Jun 19 10:41 ..
drwxr-xr-x 22 gk   domain users 4096 Jun 12 15:04 gk.V2
drwxr-xr-x  2 sf   domain users 4096 Jun 21 16:06 sf.V2
drwxr-xr-x  2 test domain users 4096 Jun 21 13:45 test.V2
root at herakles:~# ls -l /home/users/
total 12
drwxrws--- 12 gk           1006 4096 Jun 21 14:13 gk
drwxr-sr-x  2 sf   domain users 4096 Jun 21 16:42 sf
drwxr-sr-x  2 test domain users 4096 Jun 21 13:09 test

If anything else could be helpful, just tell; as far as the unix side is
concerned I can provide pretty much everything.

Bye,

Stefan

More information about the samba mailing list