[Samba] setting up a new ADS infrastructure

Rowland penny rpenny at samba.org
Sun Jun 23 11:21:58 UTC 2019

On 23/06/2019 11:48, Stefan Froehlich via samba wrote:
> On Fri, Jun 14, 2019 at 09:09:58AM +0100, Rowland penny via samba wrote:
>> On 14/06/2019 05:50, Stefan Froehlich via samba wrote:
>>> as I can do ssh logins with this account, even based on group
>>> membership, the unix side of the job seems to be quite settled.
>>> The windows side will have to wait a little bit as it requires my
>>> physical presence.
>> Windows should just work
> Unfortunately not at all.
> What did work is to switch a PC from the legacy PDC (Debian Squeeze,
> no questions allowed) to the new ADS-controller and to authenticate
> against the ADS-controller with a newly created test account. This
> account can connect to network shares on the file server, including
> his own home share and the share holding the roaming profile and
> also is able to create files there.
> What did not work at all is automatic connection of the home drive
> and (worse) roaming profiles. (Neither did the windows ADS
> utilities, but this did not bother me at that point of time).
> After that I discovered and resolved some config issues (including
> not having mapped Administrator to the root user on the file server,
> not having set SeDiskOperatorPrivilege on the file server, assigning
> a gidNumber to "Domain Admins" instead of creating a new group).
> But still, no home drive and no roaming profiles. Windows uses
> temporary profiles instead of creating the appropriate subdirectory
> on the file server, and if I create the directory manually, it
> denotes the profile as "server based" but refuses to save it (as
> said before, I can manually mount the share and create a test file
> from within windows). At logout there is a warning telling me to
> look into the event log for details, and there I can see a message
> with the source "GroupPolicy" and a german text saying "the network
> is not available or has not been started", error code 1222 (German
> error messages are a pain in the ass when trying to google for
> solutions).
> Perhaps remarkable (in my eyes) is that the network neighbourhood on
> the windows PCs does show the legacy PDC and the other PCs, but
> neither the new ADS-controller nor the new fileserver (even though
> the PC is a domain member of the first one and can mount shares of
> the latter one).
> As I tried all this with two PCs and two different accounts I highly
> suspect that the problem is located within my setup, but I simply
> don't know how and where to start with debugging.
> I created <http://froehlich.priv.at/samba/> with copies of my config
> files and LDAP-excerpts to avoid including them all in this mail.
> The profiles and users share look like this at the moment (I added a
> g+w to /home/profiles for testing purposes at some point of time):
> root@herakles:~# ls -al /home/profiles/
> total 20
> drwxrwx--T  5 root domain users 4096 Jun 21 15:59 .
> drwxr-xr-x  8 root root         4096 Jun 19 10:41 ..
> drwxr-xr-x 22 gk   domain users 4096 Jun 12 15:04 gk.V2
> drwxr-xr-x  2 sf   domain users 4096 Jun 21 16:06 sf.V2
> drwxr-xr-x  2 test domain users 4096 Jun 21 13:45 test.V2
> root@herakles:~# ls -l /home/users/
> total 12
> drwxrws--- 12 gk           1006 4096 Jun 21 14:13 gk
> drwxr-sr-x  2 sf   domain users 4096 Jun 21 16:42 sf
> drwxr-sr-x  2 test domain users 4096 Jun 21 13:09 test
> If anything else could be helpful, just tell; as far as the unix side is
> concerned I can provide pretty much everything.
> Bye,
> Stefan
You are coming from a PDC domain to an AD DC domain. Easiest thing 
first: you do not use 'wins' with an AD DC, you use 'dns'.

Can you download this:


Run it on your DC and Unix domain member, then post the output, either 
in a post to here or with the other ones you posted.

Can you also supply the AD object for 'Domain Users', I know where you 
got '100' from, but I need to see if you used it for the 'Domain Users' 


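The reply above makes two points that can be checked mechanically on a member server or DC: WINS-based name resolution left over from an NT4-style PDC does not belong in an AD setup, and the gidNumber given to 'Domain Users' should not reuse a local GID. The script below is an added example written for this page, not code from the thread or from the Samba project. The smb.conf text, the /etc/group lines and the AD gidNumber assignments in it are constructed for illustration (they are not Stefan's files); the parameter names `wins server`, `wins support`, `name resolve order` and `username map` are the real smb.conf ones, and the reading of '100' as Debian's local `users` GID is an assumption made here.

```python
"""Lint an smb.conf for WINS-based name resolution and for AD gidNumbers that
collide with local groups. Added example for this thread, not Samba's code;
all sample input below is constructed."""
import re
from typing import Dict, List

# Constructed sample: a domain member still carrying WINS settings from the
# old PDC days. Not Stefan's real configuration.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.ORG
   security = ADS
   # left over from the NT4-style PDC
   wins server = 192.0.2.10
   name resolve order = lmhosts wins host bcast
   username map = /etc/samba/user.map

[profiles]
   path = /home/profiles
   read only = no
"""

# Constructed sample /etc/group with Debian's local 'users' group at GID 100.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:
sudo:x:27:stefan
"""

# Constructed AD group -> gidNumber assignments (assumption: 'Domain Users' got 100).
SAMPLE_AD_GIDS = {"Domain Users": 100, "Domain Admins": 10001}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [sections], 'key = value' lines, '#'/';' comments.
    Samba treats parameter names case- and whitespace-insensitively, so names
    are normalised to lower case with single spaces; a later duplicate wins."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def wins_findings(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Report [global] settings that resolve names through WINS/NetBIOS.
    AD clients locate the DC and its services through DNS SRV records, so
    WINS adds nothing and can point hosts at the old PDC instead."""
    g = conf.get("global", {})
    findings = []
    if g.get("wins server"):
        findings.append(f"wins server = {g['wins server']}: remove, AD uses DNS")
    if g.get("wins support", "no").lower() in ("yes", "true", "1"):
        findings.append("wins support = yes: remove, an AD host needs no WINS server")
    order = g.get("name resolve order")
    if order and "wins" in order.lower().split():
        # 'host' is the smb.conf token that uses the system resolver (DNS).
        findings.append(f"name resolve order = {order}: drop 'wins', keep 'host'")
    return findings


def gid_collisions(ad_gids: Dict[str, int], etc_group: str) -> List[str]:
    """Flag AD gidNumbers already used by a local group in /etc/group. The same
    numeric GID then names two different groups, and which name NSS returns
    depends on the order in nsswitch.conf."""
    local = {}
    for line in etc_group.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            local[int(parts[2])] = parts[0]
    return [f"{name}: gidNumber {gid} collides with local group '{local[gid]}'"
            for name, gid in ad_gids.items() if gid in local]


def corrected_global(conf: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Return the [global] section with the WINS settings stripped out."""
    g = dict(conf.get("global", {}))
    g.pop("wins server", None)
    g.pop("wins support", None)
    if "name resolve order" in g:
        g["name resolve order"] = " ".join(
            t for t in g["name resolve order"].split() if t.lower() != "wins")
    return g


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in wins_findings(conf) + gid_collisions(SAMPLE_AD_GIDS, SAMPLE_ETC_GROUP):
        print("FINDING:", f)
    print("[global]")
    for k, v in corrected_global(conf).items():
        print(f"   {k} = {v}")
```

Run it against a real file by replacing the constructed strings with `open("/etc/samba/smb.conf").read()` and `open("/etc/group").read()`; the gidNumber values would come from the LDAP export Stefan posted rather than a literal dict. `testparm -s` output can be fed to the parser in the same way and already has Samba's own normalisation applied.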