[Samba] Problem to access from Win to Win after classicupdate to Samba DC 4.10.7

Rowland Penny rpenny at samba.org
Mon Sep 2 07:26:39 UTC 2019


On 01/09/2019 23:44, Dario Lesca via samba wrote:
> I have done a classicupdate from an NT4-style domain to Samba DC 4.10.7
> BIND_DLZ without (apparently) any problem.
>
> All seems to work fine: access to PCs works, joining or re-joining a PC
> to the domain works, access from a Linux Samba member server to a Win7
> PC works, access from Win7 to the Samba member server works.
>
> But I cannot get access from a PC with Win7 to another PC with Win7.
>
> If I try to access win7-1 from win7-0 via "\\win7-1\" I get an error
> message of Insufficient Right to access.
>
> Another strange thing that happens is that I don't see any PC when
> browsing the net.
>
> If I try to access via the IP of win-7-1 (e.g. \\10.1.1.1\) I can see
> and access the shared folder, but I do not have the access rights to
> read/write into it.
>
> The name of the PC to which I connect is in DNS and it resolves
> correctly to the IP.
>
> I have tried to remove this PC from the domain and rejoin it, but
> nothing changed.
>
> When I join the domain (or if I run "ipconfig /registerdns" on a joined
> PC) I get this error[1] in syslog (is the name ending with
> "$" correct?)
>
> If I run the RSAT tools on a Win7 PC I can see and modify all objects of
> the domain (users, groups, computers, etc.)
>
> This problem occurs with all PCs: all can access the two new Samba member
> servers, but they cannot access other Windows PCs.
>
> Before classicupdate these problems did not occur and all worked fine.
>
> This[2] is the smb.conf of AD-DC:
>
> Does anyone have a suggestion on how to debug this issue?
> If I am missing some information, let me know.
>
> Many thanks.
> Dario
>
>
> [1] ---- [error log]
> set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: starting transaction on zone studiomosca.net
> set 01 22:36:56 s-addc.studiomosca.net named[639]: client @0x7fce39095d90 192.168.1.243#54874: update 'studiomosca.net/IN' denied
> set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: cancelling transaction on zone studiomosca.net
> set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: starting transaction on zone studiomosca.net
> set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: disallowing update of signer=WIN7-1\$\@STUDIOMOSCA.NET name=WIN7-1.studiomosca.net type>
> set 01 22:36:56 s-addc.studiomosca.net named[639]: client @0x7fce39095d90 192.168.1.243#57567/key WIN7-1\$\@STUDIOMOSCA.NET: updating zone 'studiomos>
> set 01 22:36:56 s-addc.studiomosca.net named[639]: samba_dlz: cancelling transaction on zone studiomosca.net

That is showing that a client isn't being allowed to update a record.

>
> [2] ----[smb.conf]
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> # Global parameters
> [global]
>          passdb backend = samba_dsdb
>          realm = STUDIOMOSCA.NET
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          template homedir = /home/%U
>          template shell = /bin/bash
>          workgroup = STUDIO_MOSCA
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          vfs objects = dfs_samba4 acl_xattr
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> [netlogon]
>          path = /var/lib/samba/sysvol/studiomosca.net/scripts
>          read only = No
>
>   

Please do not post the output of 'testparm' (which the above appears to
be) or the output of 'samba-tool testparm', just post the output of 'cat
/etc/samba/smb.conf'. They are all different, but the 'cat' is the only
true record.

Try checking that apparmor isn't getting in the way (if it is installed).

Check if a firewall is blocking a port.

Rowland
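
An added example, not part of the original messages and not Samba's own code: a small Python triage script that summarizes the refused dynamic DNS updates in named/samba_dlz syslog lines like those quoted in [1], per client address and per signing principal. The host names, addresses and everything after `name=` in the sample lines are constructed, and `summarize_denied_updates` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines (hosts, addresses and the "type=" values are made up),
# modelled on the named/samba_dlz syslog lines quoted in [1] above.
SAMPLE_LOG = r"""
Sep 01 22:36:56 dc1.example.net named[639]: client @0x7f00 192.0.2.10#54874: update 'example.net/IN' denied
Sep 01 22:36:56 dc1.example.net named[639]: samba_dlz: disallowing update of signer=PC1\$\@EXAMPLE.NET name=PC1.example.net type=A
Sep 01 22:36:57 dc1.example.net named[639]: client @0x7f00 192.0.2.11#50000: update 'example.net/IN' denied
Sep 01 22:36:57 dc1.example.net named[639]: samba_dlz: disallowing update of signer=PC1\$\@EXAMPLE.NET name=PC1.example.net type=AAAA
Sep 01 22:36:58 dc1.example.net named[639]: samba_dlz: starting transaction on zone example.net
"""

# Update refused by named with no "/key <principal>" field after the port,
# i.e. the request was not signed: capture client address and zone.
UNSIGNED = re.compile(
    r"named\[\d+\]: client @\S+ (?P<ip>[^#\s]+)#\d+: update '(?P<zone>[^'/]+)/IN' denied")
# Signed update refused by the samba_dlz module: capture signer and record name.
SIGNED = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) name=(?P<name>\S+)")


def summarize_denied_updates(log_text):
    """Count refused DNS updates per (client IP, zone) and per (signer, name)."""
    unsigned, signed = Counter(), Counter()
    for line in log_text.splitlines():
        m = UNSIGNED.search(line)
        if m:
            unsigned[(m["ip"], m["zone"])] += 1
            continue
        m = SIGNED.search(line)
        if m:
            # The principal is logged with "$" and "@" backslash-escaped;
            # machine account names legitimately end in "$".
            signer = m["signer"].replace("\\", "")
            signed[(signer, m["name"])] += 1
    return unsigned, signed


if __name__ == "__main__":
    unsigned, signed = summarize_denied_updates(SAMPLE_LOG)
    for (ip, zone), n in unsigned.items():
        print(f"unsigned update to {zone} from {ip} denied x{n}")
    for (signer, name), n in signed.items():
        print(f"signed update of {name} by {signer} denied x{n}")
```
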



