[Samba] Problem to access from Win to Win after classicupdate to Samba DC 4.10.7

Dario Lesca d.lesca at solinos.it
Sun Sep 1 22:44:32 UTC 2019 

I have do a classicupdate from a NT4 style domain to Samba DC 4.10.7
BIND_DLZ without (apparently) problem

All seem work fine, access to PC work, join or re-join a PC to domain
work, access from a Linux samba member server to Win7 PC work, access
from Win7 to samba member server work.

But I cannot access from a PC with win7 to another PC with win7.

If I try to access from win7-0 to win7-1 via "\\win7-1\" I get a error
message of Insufficient Right to access.

Another strange thing that happens is that I don't see any PC browsing
the net

If I try to access via IP  of win-7-1 (es: \\10.1.1.1\) I see and can
access to  shared folder, but I do not have the right access to
read/write into it.

The name of PC to which I connect it is into DNS an it's resolve
correctly the IP.

I have try to remove this PC from domain and rejoin it, but none is
change.

When I join to domain (or if I run "ipconfig /registerdns" on joined
PC) I get this error[1] into syslog (is  the name ending with
"$" correct ?)

If I run RSAT tools on a Win7 I can see and modify all object of the
domain (user, group, computer, ecc)

This problem occurs with all PC: all can access to two new samba member
server, but they cannot access to other windows 

Before classicupdate these problems did not occur and all worked fine.

This[2] is the smb.conf of AD-DC:

Some one have some suggest how to debug this issue?
If I missing some information, let me know.

Many thanks.
Dario


[1] ---- [error log]
set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: starting transaction on zone studiomosca.net
set 01 22:36:56 s-addc.studiomosca.net named[639]: client @0x7fce39095d90 192.168.1.243#54874: update 'studiomosca.net/IN' denied
set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: cancelling transaction on zone studiomosca.net
set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: starting transaction on zone studiomosca.net
set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: disallowing update of signer=WIN7-1\$\@STUDIOMOSCA.NET name=WIN7-1.studiomosca.net type>
set 01 22:36:56 s-addc.studiomosca.net named[639]: client @0x7fce39095d90 192.168.1.243#57567/key WIN7-1\$\@STUDIOMOSCA.NET: updating zone 'studiomos>
set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: cancelling transaction on zone studiomosca.net

[2] ----[smb.conf]
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
        passdb backend = samba_dsdb
        realm = STUDIOMOSCA.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        template homedir = /home/%U
        template shell = /bin/bash
        workgroup = STUDIO_MOSCA
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        vfs objects = dfs_samba4 acl_xattr
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
[netlogon]
        path = /var/lib/samba/sysvol/studiomosca.net/scripts
        read only = No

 
-- 
Dario Lesca
(inviato dal mio Linux Fedora 30 Workstation)

More information about the samba mailing list