[Samba] Users, home directories and profiles

Rowland penny rpenny at samba.org
Wed Jul 8 14:47:15 UTC 2020


On 08/07/2020 15:09, Enrico Morelli wrote:
> On Wed, 8 Jul 2020 14:43:06 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 08/07/2020 14:39, Enrico Morelli wrote:
>>> On Wed, 8 Jul 2020 13:50:06 +0100
>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 08/07/2020 13:28, Enrico Morelli wrote:
>>>>> On Wed, 8 Jul 2020 11:36:50 +0100
>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>    
>>>>>> On 08/07/2020 09:57, Enrico Morelli wrote:
>>>>>>> On Wed, 8 Jul 2020 09:13:37 +0100
>>>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>    
>>>>>>>> On 08/07/2020 08:06, Enrico Morelli wrote:
>>>>>>>>> On Wed, 1 Jul 2020 13:03:50 +0100
>>>>>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>>        
>>>>>>>>>> The problem from my point of view is, I cannot recreate the
>>>>>>>>>> crash. My feelings are that the OP hasn't set up the share
>>>>>>>>>> correctly, or hasn't mapped root to Administrator. I am
>>>>>>>>>> testing using a share on a raspberrypi and even if I change
>>>>>>>>>> the directory owner to 'pi', it does not crash Windows
>>>>>>>>>> explorer.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>        
>>>>>>>>> I followed the Samba guide to setup everything but a lot of
>>>>>>>>> things doesn't works for me.
>>>>>>>>> Now I'm able to create the share and set permissions (using
>>>>>>>>> the patch) but I'm unable to enter to the Windows client with
>>>>>>>>> new users.
>>>>>>>> Enrico, please do not think I am trying to get at you, perhaps
>>>>>>>> I could have worded that better, but I just dashed off a reply.
>>>>>>>>
>>>>>>>> The problem is that I am not the one who has control  of your
>>>>>>>> network and can only offer advice from a distance. As I said, I
>>>>>>>> cannot get the latest Win10 to crash and Windows has admitted
>>>>>>>> that this is their problem if it does crash.
>>>>>>> For the moment as I wrote more times, the problem isn't the
>>>>>>> crash (that I solved with the patch) but the impossibility to
>>>>>>> login in the Windows client with new user created on Samba
>>>>>>> server.
>>>>>>>> Can you please download this:
>>>>>>>> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>>>>>>>>
>>>>>>>> Run it on the Samba machine that you are trying to connect
>>>>>>>> Windows to and the post the output, do not attach it to the
>>>>>>>> post, this list strips attachments.
>>>>>>>>
>>>>>>>> Perhaps you have some small setting wrong :-(
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>    
>>>>>>> This is the output of the script:
>>>>>>>
>>>>>>> Collected config  --- 2020-07-08-10:53 -----------
>>>>>>>
>>>>>>> Hostname: fiorgen7
>>>>>>> DNS Domain: cerm.unifi.it
>>>>>>> FQDN: fiorgen7.cerm.unifi.it
>>>>>>> ipaddress: 150.217.146.76 2001:760:2c05:146:222:64ff:feb9:9a88
>>>>>>>
>>>>>>> -----------
>>>>>>>
>>>>>>> WARNING: kinit Administrator will fail and this needs to be
>>>>>>> fixed first. unable to verify DNS kerberos._tcp SRV records
>>>>>>>      
>>>>>>> Server:		150.217.1.32
>>>>>>> Address:	150.217.1.32#53
>>>>>>>
>>>>>>> ** server can't find _kerberos._tcp.cerm.unifi.it: NXDOMAIN
>>>>>> That looks like a dns problem, try my attached version of the
>>>>>> script, it reports the above and carries on.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>    
>>>>> I don't know, the DNS works fine. I'm able to resolve hostname and
>>>>> the reverse.
>>>> Please run the script I supplied, it will help to prove it, one way
>>>> or another ;-)
>>>>
>>>> Rowland
>>>>
>>> The output of the script I downloaded from github is what you see
>>> after Collect config.
>>>
>>> I hadn't find other scripts :-(
>>>
>>>
>> Strange, I attached it to an email to you, lets try again ;-)
>>
>> Rowland
>>
>>
> Config collected --- 2020-07-08-16:08 -----------
>
> Hostname:   fiorgen7
> DNS Domain: cerm.unifi.it
> Realm:      CERM.UNIFI.IT
> FQDN:       fiorgen7.cerm.unifi.it
> ipaddress:  150.217.146.76 2001:760:2c05:146:222:64ff:feb9:9a88
>
> -----------
>
> This computer is running Debian 10.4 x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000 link/loopback 00:00:00:00:00:00 brd
> 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 2: enp63s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state
> UP group default qlen 1000 link/ether 00:22:64:b9:9a:88 brd
> ff:ff:ff:ff:ff:ff inet 150.217.146.76/24 brd 150.217.146.255 scope
> global enp63s0 inet6 2001:760:2c05:146:222:64ff:feb9:9a88/64 scope
> global dynamic mngtmpaddr valid_lft 2591994sec preferred_lft 604794sec
>      inet6 fe80::222:64ff:feb9:9a88/64 scope link
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1	localhost
> 127.0.1.1	fiorgen7.cerm.unifi.it	fiorgen7
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search cerm.unifi.it
> domain cerm.unifi.it
> nameserver 150.217.1.32
> nameserver 150.217.1.135
>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
>
> -----------
>
> 'kinit Administrator' checked successfully.
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> 	default_realm = CERM.UNIFI.IT
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> [realms]
> 	CERM.UNIFI.IT = {
> 		kdc = fiorgen7.cerm.unifi.it
> 		admin_server = fiorgen7.cerm.unifi.it
> 	}
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed,
> try: # `info libc "Name Service Switch"' for information about this
> file.
>
> passwd:         files systemd
> group:          files systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> -----------
>
> Warning,  does not exist
>
> -----------
>
> This DC is not being used as a fileserver
>
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
>
> Time on the DC with PDC Emulator role is: 2020-07-08T16:08:27
>
>
> Time on this computer is:                 2020-07-08T16:08:29
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii  acl
> 2.2.53-4                            amd64        access control list -
> utilities ii  attr
> 1:2.4.48-4                          amd64        utilities for
> manipulating filesystem extended attribute s ii
> krb5-config                        2.6
> all          Configuration files for Kerberos Version 5 ii
> krb5-user                          1.17-3
> amd64        basic programs to authenticate using MIT Kerberos ii
> libacl1:amd64                      2.2.53-4
> amd64        access control list - shared library ii
> libattr1:amd64                     1:2.4.48-4
> amd64        extended attribute handling - shared library ii
> libgssapi-krb5-2:amd64             1.17-3
> amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64
> 1.17-3                              amd64        MIT Kerberos runtime
> libraries ii  libkrb5support0:amd64
> 1.17-3                              amd64        MIT Kerberos runtime
> libraries - Support library ii  libnss-winbind:amd64
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        Samba nameservice
> integration plugins ii  libnss-winbind-dbgsym:amd64
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        debug symbols for
> libnss-winbind ii  libpam-winbind:amd64
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        Windows domain
> authentication integration plugin ii
> libpam-winbind-dbgsym:amd64        2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for libpam-winbind ii
> libsmbclient:amd64                 2:4.9.5+dfsg-5+deb10u1.1
> amd64        shared library for communication with SMB/CIFS servers ii
> libsmbclient-dbgsym:amd64          2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for libsmbclient ii
> libsmbclient-dev:amd64             2:4.9.5+dfsg-5+deb10u1.1
> amd64        development files for libsmbclient ii
> libwbclient-dev:amd64              2:4.9.5+dfsg-5+deb10u1.1
> amd64        Samba winbind client library - development files ii
> libwbclient0:amd64                 2:4.9.5+dfsg-5+deb10u1.1
> amd64        Samba winbind client library ii
> python-samba                       2:4.9.5+dfsg-5+deb10u1.1
> amd64        Python bindings for Samba ii
> python-samba-dbgsym                2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for python-samba ii
> python3-attr                       18.2.0-1
> all          Attributes without boilerplate (Python 3) ii
> python3-xattr                      0.9.6-1
> amd64        module for manipulating filesystem extended attributes -
> Python 3 ii  samba
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        SMB/CIFS file, print,
> and login server for Unix ii  samba-common
> 2:4.9.5+dfsg-5+deb10u1.1            all          common files used by
> both the Samba server and client ii  samba-common-bin
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        Samba common files
> used by both the server and the clien t ii
> samba-common-bin-dbgsym            2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba-common-bin ii
> samba-dbgsym                       2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba ii
> samba-dev:amd64                    2:4.9.5+dfsg-5+deb10u1.1
> amd64        tools for extending Samba ii
> samba-dsdb-modules:amd64           2:4.9.5+dfsg-5+deb10u1.1
> amd64        Samba Directory Services Database ii
> samba-dsdb-modules-dbgsym:amd64    2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba-dsdb-modules ii
> samba-libs:amd64                   2:4.9.5+dfsg-5+deb10u1.1
> amd64        Samba core libraries ii
> samba-libs-dbgsym:amd64            2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba-libs ii
> samba-testsuite                    2:4.9.5+dfsg-5+deb10u1.1
> amd64        test suite from Samba ii
> samba-testsuite-dbgsym             2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba-testsuite ii
> samba-vfs-modules:amd64            2:4.9.5+dfsg-5+deb10u1.1
> amd64        Samba Virtual FileSystem plugins ii
> samba-vfs-modules-dbgsym:amd64     2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for samba-vfs-modules ii
> smbclient                          2:4.9.5+dfsg-5+deb10u1.1
> amd64        command-line SMB/CIFS clients for Unix ii
> smbclient-dbgsym                   2:4.9.5+dfsg-5+deb10u1.1
> amd64        debug symbols for smbclient ii
> winbind                            2:4.9.5+dfsg-5+deb10u1.1
> amd64        service to resolve user and group information from Windo
> ws NT servers ii  winbind-dbgsym
> 2:4.9.5+dfsg-5+deb10u1.1            amd64        debug symbols for
> winbind ii  xattr
> 0.9.6-1                             amd64        tool for manipulating
> filesystem extended attributes
>
> -----------
>
>
Enrico, your dns appears to be borked, you are running Samba 4.9.5 as an 
AD DC with what appears to an IP of '150.217.146.76', but your 
/etc/hosts contains this:

127.0.0.1    localhost
127.0.1.1    fiorgen7.cerm.unifi.it    fiorgen7

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

This may be okay but I personally would turn off whatever requires the 
'127.0.1,1' and then replace it with '150.217.146.76'

This is your /etc/resolv.conf:

search cerm.unifi.it
domain cerm.unifi.it
nameserver 150.217.1.32
nameserver 150.217.1.135

Remove the 'domain' line and replace '150.217.1.32' with 
'150.217.146.76' (the DC's own ipaddress)

Remove these lines from /etc/krb5.conf:

[realms]
      CERM.UNIFI.IT = {
         kdc = fiorgen7.cerm.unifi.it
          admin_server = fiorgen7.cerm.unifi.it
     }

The script could not find your smb.conf, can you please post its 
contents and tell us where it is.

Rowland





More information about the samba mailing list