[Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
L.P.H. van Belle
belle at bazuin.nl
Fri May 28 09:39:33 UTC 2021
This : C:\users\administrator.PLK.001
Is a Windows problem, in general, but you're also missing packages.
So you need to fix the samba config/server setup first.
Nsswitch missing winbind, can be, just not recommended
Also : mdns4_minimal [NOTFOUND=return] better move it after the word dns
Remove the leftovers like : rc krb5-admin-server
With : dpkg --remove --purge
Then : apt install samba-vfs-modules
Let's start here, and reboot server.
Let us know if it works now.
Greetz,
Louis
> -----Original message-----
> From: Mueller [mailto:mueller at tropenklinik.de]
> Sent: Friday 28 May 2021 11:28
> To: 'L.P.H. van Belle'
> Subject: AW: [Samba] Debian 10 Samba 4.14.4 No acces to
> SYSVOL and NETLOGON from Windows 10
>
> I did run the scripts
> root at dom:~/samba# ./samba-check-set-sysvol.sh
> INFO 2021-05-28 11:07:28,733 pid:2025
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96:
> Loaded smb
> config files from /etc/samba/smb.conf
> INFO 2021-05-28 11:07:28,734 pid:2025
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97:
> Loaded services
> file OK.
> Review the file : default-rights-sysvol.acl, these contains
> the defaults for
> sysvol.
> The sysvol ACLS info.....
>
> Please check your share rights for sysvol from within windows.
> If these are incorrect, correct them and run this script again.
> Set your sysvol SHARE permissions as followed.
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> User/Group system is added compaired to a win2008R2 sysvol,
> you need this
> for some GPO settings.
>
> Set your sysvol FOLDER permissions as followed.
> Authenticated Users: Read & Exec, Show folder content, Read
> (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
>
> Did set it
> Shares
> Everyone read
> Authenticated User read write change (full)
> System full
> Domain Admins (PLK) full
> Administrators (PLK) full
>
> Security
> Authenticated User read/exec list directory read
> System full
> Administrator full
> Domain Admins full
> Administrators full
>
>
>
> Result the same (restarted samba systemctl restart samba, did start
> windows10 client and logged on)
>
> My win10 client is logged on with a temp-profile:
> C:\users\administrator.PLK.001
>
> root at dom:~/samba# ./samba-collect-debug-info.sh
> Please wait, collecting debug info.
>
> Passwort für Administrator at PLK.LOC:
> ./samba-collect-debug-info.sh: Zeile 220: samba: Kommando
> nicht gefunden.
> grep: : Datei oder Verzeichnis nicht gefunden
> INFO 2021-05-28 11:13:14,501 pid:2145
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96:
> Loaded smb
> config files from /etc/samba/smb.conf
> INFO 2021-05-28 11:13:14,501 pid:2145
> /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97:
> Loaded services
> file OK.
> grep: : Datei oder Verzeichnis nicht gefunden
> The debug info about your system can be found in this file:
> /tmp/samba-debug-info.txt
> Please check this and if required, sanitise it.
> Then copy & paste it into an email to the samba list
> Do not attach it to the email, the Samba mailing list strips
> attachments.
>
> Collected config --- 2021-05-28-11:13 -----------
>
> Hostname: dom
> DNS Domain: plk.loc
> FQDN: dom.plk.loc
> ipaddress: 192.168.135.134
>
> -----------
>
> Kerberos SRV _kerberos._tcp.plk.loc record verified ok,
> sample output:
> Server: 192.168.135.134
> Address: 192.168.135.134#53
>
> _kerberos._tcp.plk.loc service = 0 100 88 dom.plk.loc.
> Samba is running as an AD DC
>
> -----------
> Checking file: /etc/os-release
>
> PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> NAME="Debian GNU/Linux"
> VERSION_ID="10"
> VERSION="10 (buster)"
> VERSION_CODENAME=buster
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
>
> -----------
>
>
> This computer is running Debian 10.9 x86_64
>
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
> UNKNOWN group
> default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> inet6 ::1/128 scope host
> 2: enp1s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500
> qdisc mq state
> DOWN group default qlen 1000
> link/ether 00:25:90:38:7f:f4 brd ff:ff:ff:ff:ff:ff
> 3: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> mq state UP
> group default qlen 1000
> link/ether 00:25:90:38:7f:f5 brd ff:ff:ff:ff:ff:ff
> inet 192.168.135.134/24 brd 192.168.135.255 scope global
> noprefixroute
> enp1s0f1
> inet6 fe80::225:90ff:fe38:7ff5/64 scope link noprefixroute
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.135.134 dom.plk.loc dom
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> # Generated by NetworkManager
> nameserver 192.168.135.134
> nameserver 192.168.135.230
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = PLK.LOC
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
> [realms]
> PLK.LOC = {
> default_domain = plk.loc
> kdc = dom.PLK.LOC 192.168.135.134
> admin_server = dom.PLK.LOC 192.168.135.134
> }
>
> [domain_realm]
> dom = PLK.LOC
> .plk.loc = PLK.LOC
> plk.loc = PLK.LOC
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd
> shadow: files
> gshadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Warning, does not exist
>
> -----------
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
> Installed packages:
> ii acl 2.2.53-4
> amd64 access control list - utilities
> ii attr 1:2.4.48-4
> amd64 utilities for manipulating filesystem extended attributes
> ii fonts-quicksand 0.2016-2
> all sans-serif font with round attributes
> rc krb5-admin-server 1.17-3+deb10u1
> amd64 MIT Kerberos master server (kadmind)
> ii krb5-config 2.6
> all Configuration files for Kerberos Version 5
> rc krb5-kdc 1.17-3+deb10u1
> amd64 MIT Kerberos key server (KDC)
> ii krb5-locales 1.17-3+deb10u1
> all internationalization support for MIT Kerberos
> ii krb5-multidev:amd64 1.17-3+deb10u1
> amd64 development files for MIT Kerberos without
> Heimdal conflict
> ii krb5-user 1.17-3+deb10u1
> amd64 basic programs to authenticate using MIT Kerberos
> ii libacl1:amd64 2.2.53-4
> amd64 access control list - shared library
> ii libacl1-dev:amd64 2.2.53-4
> amd64 access control list - static libraries and headers
> ii libattr1:amd64 1:2.4.48-4
> amd64 extended attribute handling - shared library
> ii libattr1-dev:amd64 1:2.4.48-4
> amd64 extended attributes handling - static libraries
> and headers
> ii libgssapi-krb5-2:amd64 1.17-3+deb10u1
> amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii libkrb5-26-heimdal:amd64 7.5.0+dfsg-3
> amd64 Heimdal Kerberos - libraries
> ii libkrb5-3:amd64 1.17-3+deb10u1
> amd64 MIT Kerberos runtime libraries
> ii libkrb5-dev:amd64 1.17-3+deb10u1
> amd64 headers and development libraries for MIT Kerberos
> ii libkrb5support0:amd64 1.17-3+deb10u1
> amd64 MIT Kerberos runtime libraries - Support library
> ii libsmbclient:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64 shared library for communication with SMB/CIFS servers
> ii libwbclient0:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64 Samba winbind client library
> ii python-samba 2:4.9.5+dfsg-5+deb10u1
> amd64 Python bindings for Samba
> ii samba-common 2:4.9.5+dfsg-5+deb10u1
> all common files used by both the Samba server and client
> ii samba-common-bin 2:4.9.5+dfsg-5+deb10u1
> amd64 Samba common files used by both the server and the client
> ii samba-dsdb-modules:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64 Samba Directory Services Database
> ii samba-libs:amd64 2:4.9.5+dfsg-5+deb10u1
> amd64 Samba core libraries
> ii spice-client-glib-usb-acl-helper 0.35-2
> amd64 Helper tool to validate usb ACLs
> ii winbind 2:4.9.5+dfsg-5+deb10u1
> amd64 service to resolve user and group information
> from Windows NT
> servers
>
> -----------
>
> -----Original message-----
> From: L.P.H. van Belle via samba [mailto:samba at lists.samba.org]
> Sent: Friday, 28 May 2021 10:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian 10 Samba 4.14.4 No acces to
> SYSVOL and NETLOGON
> from Windows 10
>
> Get this script.
>
> Run it and set sysvol as shown.
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
>
> Then try again and let us know the result.
> If it still isn't working.
>
> Run :
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> And post the output..
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller via samba
> > Sent: Friday 28 May 2021 9:51
> > To: samba samba
> > Subject: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and
> > NETLOGON from Windows 10
> >
> > Dear all,
> > after a lot of learning I succeeded with debian 10 and samba 4.14.4 ntp
> > and bind9_dlz is working, The only issue is "SYSVOL" and "NETLOGON"
> > When I try to logon from my Windows 10 domainmembers to both shares I
> > get no connection Only logon from within my debian 10 host works:
> >
> > SYSVOL
> > root at dom:/var/lib/samba/private# smbclient //dom.plk.loc/sysvol -UAdministrator
> > Enter PLK\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> > root at dom:/var/lib/samba/private# smbclient //localhost/sysvol -UAdministrator
> > Enter PLK\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> >
> > NETLOGON
> > root at dom:/var/lib/samba/private# smbclient //localhost/netlogon -UAdministrator
> > Enter PLK\Administrator's password:
> > Try "help" to get a list of possible commands.
> > smb: \>
> >
> > root at dom:/var/lib/samba# getfacl /var/lib/samba/sysvol
> > getfacl: Entferne führende '/' von absoluten Pfadnamen
> > # file: var/lib/samba/sysvol
> > # owner: root
> > # group: 3000000
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000001:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > user:3000004:rwx
> > group::rwx
> > group:3000000:rwx
> > group:3000001:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > group:3000004:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000001:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:user:3000004:rwx
> > default:group::---
> > default:group:3000000:rwx
> > default:group:3000001:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:group:3000004:rwx
> > default:mask::rwx
> > default:other::---
> >
> > root at dom:/var/lib/samba# getfacl /var/lib/samba/sysvol/plk.loc/scripts
> > getfacl: Entferne führende '/' von absoluten Pfadnamen
> > # file: var/lib/samba/sysvol/plk.loc/scripts
> > # owner: root
> > # group: 3000000
> > user::rwx
> > user:root:rwx
> > user:3000000:rwx
> > user:3000001:r-x
> > user:3000002:rwx
> > user:3000003:r-x
> > group::rwx
> > group:3000000:rwx
> > group:3000001:r-x
> > group:3000002:rwx
> > group:3000003:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:user:3000000:rwx
> > default:user:3000001:r-x
> > default:user:3000002:rwx
> > default:user:3000003:r-x
> > default:group::---
> > default:group:3000000:rwx
> > default:group:3000001:r-x
> > default:group:3000002:rwx
> > default:group:3000003:r-x
> > default:mask::rwx
> > default:other::---
> >
> >
> > How can I fix this?
> >
> > Greetings
> > Daniel
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
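The three things the reply at the top of this thread points at (leftover `rc` packages, the missing `samba-vfs-modules` package, and `mdns4_minimal` sitting before `dns` in `nsswitch.conf`) can be checked mechanically. This is an added example, not part of the original thread or of the thctlo scripts; the function names are hypothetical and the sample text is constructed from the debug output quoted above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed
# from the dpkg and nsswitch.conf output quoted in this thread.

# Names of packages in dpkg state "rc" (removed, config files left behind).
# stdin: `dpkg -l` output.
rc_packages() {
    awk '$1 == "rc" { print $2 }'
}

# Exit 0 if package $1 is fully installed ("ii"), with or without ":arch".
# stdin: `dpkg -l` output.
has_pkg() {
    awk -v p="$1" '$1 == "ii" && ($2 == p || index($2, p ":") == 1) { f = 1 }
                   END { exit !f }'
}

# Exit 1 if the hosts: line lists mdns4_minimal ahead of dns (or without dns),
# which is the order the reply advises against. stdin: nsswitch.conf text.
hosts_order_ok() {
    awk '$1 == "hosts:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "dns" && !d) d = i
                 if ($i == "mdns4_minimal" && !m) m = i
             }
             exit
         }
         END { exit ((m && (!d || m < d)) ? 1 : 0) }'
}

# Constructed sample input (one package per line, as dpkg -l prints it).
SAMPLE_DPKG='ii  krb5-config        2.6                     all    Configuration files for Kerberos Version 5
rc  krb5-admin-server  1.17-3+deb10u1          amd64  MIT Kerberos master server (kadmind)
rc  krb5-kdc           1.17-3+deb10u1          amd64  MIT Kerberos key server (KDC)
ii  winbind            2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information'
SAMPLE_HOSTS='hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname'
FIXED_HOSTS='hosts: files dns mdns4_minimal [NOTFOUND=return] myhostname'

# On a live host: dpkg -l | rc_packages ; hosts_order_ok < /etc/nsswitch.conf
echo "Leftover rc packages:"
printf '%s\n' "$SAMPLE_DPKG" | rc_packages
printf '%s\n' "$SAMPLE_DPKG" | has_pkg samba-vfs-modules \
    || echo "missing package: samba-vfs-modules"
printf '%s\n' "$SAMPLE_HOSTS" | hosts_order_ok \
    || echo "nsswitch.conf: mdns4_minimal is listed before dns"
```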