[Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
L.P.H. van Belle
belle at bazuin.nl
Fri May 28 10:55:51 UTC 2021
Ah, build from source. Well, remove the old samba versions as Rowland noticed also.
Start there..
> -----Original message-----
> From: Mueller [mailto:mueller at tropenklinik.de]
> Sent: Friday 28 May 2021 12:52
> To: 'L.P.H. van Belle'
> Subject: AW: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
>
> I installed samba from source. Are you sure it is missing winbind and vfs module:
> root@dom:/home/mueller# ls -la /usr/sbin/winbindd
> -rwxr-xr-x 1 root root 1400640 Mai 21 13:07 /usr/sbin/winbindd
> root@dom:/home/mueller# wbinfo -u
> PLK\administrator
> PLK\guest
> PLK\krbtgt
> PLK\dns-dom
>
> root@dom:/home/mueller# wbinfo -g
> PLK\cert publishers
> PLK\ras and ias servers
> PLK\allowed rodc password replication group
> PLK\denied rodc password replication group
> PLK\dnsadmins
> PLK\enterprise read-only domain controllers
> PLK\domain admins
> PLK\domain users
> PLK\domain guests
> PLK\domain computers
> PLK\domain controllers
> PLK\schema admins
> PLK\enterprise admins
> PLK\group policy creator owners
> PLK\read-only domain controllers
> PLK\dnsupdateproxy
>
> Smbd -b results:
> vfs_acl_tdb_init
> vfs_acl_xattr_init
> vfs_aio_fork_init
> vfs_aio_pthread_init
> vfs_audit_init
> vfs_btrfs_init
> vfs_cap_init
> vfs_catia_init
> vfs_ceph_init
> vfs_ceph_snapshots_init
> vfs_commit_init
> vfs_crossrename_init
> vfs_default_quota_init
> vfs_delay_inject_init
> vfs_dirsort_init
> vfs_error_inject_init
> vfs_expand_msdfs_init
> vfs_extd_audit_init
> vfs_fake_acls_init
> vfs_fake_perms_init
> vfs_fileid_init
> vfs_fruit_init
> vfs_full_audit_init
> vfs_glusterfs_fuse_init
> vfs_glusterfs_init
> vfs_gpfs_init
> vfs_linux_xfs_sgid_init
> vfs_media_harmony_init
> vfs_nfs4acl_xattr_init
> vfs_offline_init
> vfs_posix_eadb_init
> vfs_preopen_init
> vfs_readahead_init
> vfs_readonly_init
> vfs_recycle_init
> vfs_shadow_copy2_init
> vfs_shadow_copy_init
> vfs_shell_snap_init
> vfs_snapper_init
> vfs_streams_depot_init
> vfs_streams_xattr_init
> vfs_syncops_init
> vfs_time_audit_init
> vfs_unityed_media_init
> vfs_virusfilter_init
> vfs_widelinks_init
> vfs_worm_init
> vfs_xattr_tdb_init
>
> Cluster support features:
> NONE
>
> Type sizes:
> sizeof(char): 1
> sizeof(int): 4
> sizeof(long): 8
> sizeof(long long): 8
> sizeof(uint8_t): 1
> sizeof(uint16_t): 2
> sizeof(uint32_t): 4
> sizeof(short): 2
> sizeof(void*): 8
> sizeof(size_t): 8
> sizeof(off_t): 8
> sizeof(ino_t): 8
> sizeof(dev_t): 8
>
> Builtin modules:
> vfs_default vfs_not_implemented vfs_posixacl auth_builtin auth_sam
> auth_winbind rpc_mdssvc_module pdb_smbpasswd pdb_tdbsam auth_unix
> nss_info_template idmap_tdb idmap_passdb idmap_nss pdb_samba_dsdb
> auth_samba4 vfs_dfs_samba4 pdb_ldapsam idmap_ldap
>
> -----Original message-----
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Friday, 28 May 2021 11:40
> To: samba at lists.samba.org
> Cc: mueller at tropenklinik.de
> Subject: RE: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
>
> This : C:\users\administrator.PLK.001
>
> Is a Windows problem, in general, but you're also missing packages.
> So need fix samba config/server setup first.
>
> Nsswitch missing winbind, can be, just not recommended.
> Also : mdns4_minimal [NOTFOUND=return] better move it after word dns
>
> Remove the left overs like : rc krb5-admin-server
> With : dpkg --remove --purge
>
> Then : apt install samba-vfs-modules
>
> Let's start here, and reboot server.
>
> Let us know if it works now.
>
> Greetz,
>
> Louis
>
>
>
> > -----Original message-----
> > From: Mueller [mailto:mueller at tropenklinik.de]
> > Sent: Friday 28 May 2021 11:28
> > To: 'L.P.H. van Belle'
> > Subject: AW: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
> >
> > I did run the scripts
> > root@dom:~/samba# ./samba-check-set-sysvol.sh
> > INFO 2021-05-28 11:07:28,733 pid:2025 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> > INFO 2021-05-28 11:07:28,734 pid:2025 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
> > The sysvol ACLS info.....
> >
> > Please check your share rights for sysvol from within windows.
> > If these are incorrect, correct them and run this script again.
> > Set your sysvol SHARE permissions as followed.
> > EVERYONE: READ
> > Authenticated Users: FULL CONTROL
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
> >
> > Set your sysvol FOLDER permissions as followed.
> > Authenticated Users: Read & Exec, Show folder content, Read
> > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> >
> > Did set it
> > Shares
> > Everyone read
> > Authenticated User read write change (full)
> > System full
> > Domain Admins (PLK) full
> > Administrators (PLK) full
> >
> > Security
> > Authenticated User read/exec list directory read
> > System full
> > Administrator full
> > Domain Admins full
> > Administrators full
> >
> > Result the same (restarted samba systemctl restart samba, did start
> > windows10 client and logged on)
> >
> > My win10 client is logged on with a temp-profile:
> > C:\users\administrator.PLK.001
> >
> > root@dom:~/samba# ./samba-collect-debug-info.sh
> > Please wait, collecting debug info.
> >
> > Passwort für Administrator@PLK.LOC:
> > ./samba-collect-debug-info.sh: Zeile 220: samba: Kommando nicht gefunden.
> > grep: : Datei oder Verzeichnis nicht gefunden
> > INFO 2021-05-28 11:13:14,501 pid:2145 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> > INFO 2021-05-28 11:13:14,501 pid:2145 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> > grep: : Datei oder Verzeichnis nicht gefunden
> > The debug info about your system can be found in this file: /tmp/samba-debug-info.txt
> > Please check this and if required, sanitise it.
> > Then copy & paste it into an email to the samba list
> > Do not attach it to the email, the Samba mailing list strips attachments.
> >
> > Collected config --- 2021-05-28-11:13 -----------
> >
> > Hostname: dom
> > DNS Domain: plk.loc
> > FQDN: dom.plk.loc
> > ipaddress: 192.168.135.134
> >
> > -----------
> >
> > Kerberos SRV _kerberos._tcp.plk.loc record verified ok, sample output:
> > Server: 192.168.135.134
> > Address: 192.168.135.134#53
> >
> > _kerberos._tcp.plk.loc service = 0 100 88 dom.plk.loc.
> > Samba is running as an AD DC
> >
> > -----------
> > Checking file: /etc/os-release
> >
> > PRETTY_NAME="Debian GNU/Linux 10 (buster)"
> > NAME="Debian GNU/Linux"
> > VERSION_ID="10"
> > VERSION="10 (buster)"
> > VERSION_CODENAME=buster
> > ID=debian
> > HOME_URL="https://www.debian.org/"
> > SUPPORT_URL="https://www.debian.org/support"
> > BUG_REPORT_URL="https://bugs.debian.org/"
> >
> > -----------
> >
> >
> > This computer is running Debian 10.9 x86_64
> >
> > -----------
> > running command : ip a
> > 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 scope host lo
> >     inet6 ::1/128 scope host
> > 2: enp1s0f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
> >     link/ether 00:25:90:38:7f:f4 brd ff:ff:ff:ff:ff:ff
> > 3: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> >     link/ether 00:25:90:38:7f:f5 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.135.134/24 brd 192.168.135.255 scope global noprefixroute enp1s0f1
> >     inet6 fe80::225:90ff:fe38:7ff5/64 scope link noprefixroute
> >
> > -----------
> > Checking file: /etc/hosts
> >
> > 127.0.0.1 localhost
> > 192.168.135.134 dom.plk.loc dom
> >
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > -----------
> >
> > Checking file: /etc/resolv.conf
> >
> > # Generated by NetworkManager
> > nameserver 192.168.135.134
> > nameserver 192.168.135.230
> >
> > -----------
> >
> > Checking file: /etc/krb5.conf
> >
> > [libdefaults]
> > default_realm = PLK.LOC
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 24h
> > renew_lifetime = 7d
> > forwardable = true
> >
> > [realms]
> > PLK.LOC = {
> > default_domain = plk.loc
> > kdc = dom.PLK.LOC 192.168.135.134
> > admin_server = dom.PLK.LOC 192.168.135.134 }
> >
> > [domain_realm]
> > dom = PLK.LOC
> > .plk.loc = PLK.LOC
> > plk.loc = PLK.LOC
> >
> > -----------
> >
> > Checking file: /etc/nsswitch.conf
> >
> > # /etc/nsswitch.conf
> > #
> > # Example configuration of GNU Name Service Switch functionality.
> > # If you have the `glibc-doc-reference' and `info' packages installed, try:
> > # `info libc "Name Service Switch"' for information about this file.
> >
> > passwd: files systemd
> > group: files systemd
> > shadow: files
> > gshadow: files
> >
> > hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> >
> > -----------
> >
> > Warning, does not exist
> >
> > -----------
> >
> > BIND_DLZ not detected in smb.conf
> >
> > -----------
> >
> > Installed packages:
> > ii  acl  2.2.53-4  amd64  access control list - utilities
> > ii  attr  1:2.4.48-4  amd64  utilities for manipulating filesystem extended attributes
> > ii  fonts-quicksand  0.2016-2  all  sans-serif font with round attributes
> > rc  krb5-admin-server  1.17-3+deb10u1  amd64  MIT Kerberos master server (kadmind)
> > ii  krb5-config  2.6  all  Configuration files for Kerberos Version 5
> > rc  krb5-kdc  1.17-3+deb10u1  amd64  MIT Kerberos key server (KDC)
> > ii  krb5-locales  1.17-3+deb10u1  all  internationalization support for MIT Kerberos
> > ii  krb5-multidev:amd64  1.17-3+deb10u1  amd64  development files for MIT Kerberos without Heimdal conflict
> > ii  krb5-user  1.17-3+deb10u1  amd64  basic programs to authenticate using MIT Kerberos
> > ii  libacl1:amd64  2.2.53-4  amd64  access control list - shared library
> > ii  libacl1-dev:amd64  2.2.53-4  amd64  access control list - static libraries and headers
> > ii  libattr1:amd64  1:2.4.48-4  amd64  extended attribute handling - shared library
> > ii  libattr1-dev:amd64  1:2.4.48-4  amd64  extended attributes handling - static libraries and headers
> > ii  libgssapi-krb5-2:amd64  1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> > ii  libkrb5-26-heimdal:amd64  7.5.0+dfsg-3  amd64  Heimdal Kerberos - libraries
> > ii  libkrb5-3:amd64  1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries
> > ii  libkrb5-dev:amd64  1.17-3+deb10u1  amd64  headers and development libraries for MIT Kerberos
> > ii  libkrb5support0:amd64  1.17-3+deb10u1  amd64  MIT Kerberos runtime libraries - Support library
> > ii  libsmbclient:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  shared library for communication with SMB/CIFS servers
> > ii  libwbclient0:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  Samba winbind client library
> > ii  python-samba  2:4.9.5+dfsg-5+deb10u1  amd64  Python bindings for Samba
> > ii  samba-common  2:4.9.5+dfsg-5+deb10u1  all  common files used by both the Samba server and client
> > ii  samba-common-bin  2:4.9.5+dfsg-5+deb10u1  amd64  Samba common files used by both the server and the client
> > ii  samba-dsdb-modules:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  Samba Directory Services Database
> > ii  samba-libs:amd64  2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
> > ii  spice-client-glib-usb-acl-helper  0.35-2  amd64  Helper tool to validate usb ACLs
> > ii  winbind  2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information from Windows NT servers
> >
> > -----------
> >
> >
> >
> >
> >
> >
> > -----Original message-----
> > From: L.P.H. van Belle via samba [mailto:samba at lists.samba.org]
> > Sent: Friday, 28 May 2021 10:10
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
> >
> > Get this script.
> >
> > Run it and set sysvol as shown.
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
> >
> > Then try again and let us know the result.
> > If it still isn't working.
> >
> > Run :
> > https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
> > And post the output..
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller via samba
> > > Sent: Friday 28 May 2021 9:51
> > > To: samba samba
> > > Subject: [Samba] Debian 10 Samba 4.14.4 No acces to SYSVOL and NETLOGON from Windows 10
> > >
> > > Dear all,
> > > after a lot of learning I succeeded with debian 10 and samba 4.14.4
> > > ntp and bind9_dlz is working,
> > > The only issue is "SYSVOL" and "NETLOGON"
> > > When I try to logon from my Windows 10 domainmembers to both shares I get no connection
> > > Only logon from within my debian 10 host works:
> > >
> > > SYSVOL
> > > root@dom:/var/lib/samba/private# smbclient //dom.plk.loc/sysvol -UAdministrator
> > > Enter PLK\Administrator's password:
> > > Try "help" to get a list of possible commands.
> > > smb: \>
> > > root@dom:/var/lib/samba/private# smbclient //localhost/sysvol -UAdministrator
> > > Enter PLK\Administrator's password:
> > > Try "help" to get a list of possible commands.
> > > smb: \>
> > >
> > > NETLOGON
> > > root@dom:/var/lib/samba/private# smbclient //localhost/netlogon -UAdministrator
> > > Enter PLK\Administrator's password:
> > > Try "help" to get a list of possible commands.
> > > smb: \>
> > >
> > > root@dom:/var/lib/samba# getfacl /var/lib/samba/sysvol
> > > getfacl: Entferne führende '/' von absoluten Pfadnamen
> > > # file: var/lib/samba/sysvol
> > > # owner: root
> > > # group: 3000000
> > > user::rwx
> > > user:root:rwx
> > > user:3000000:rwx
> > > user:3000001:r-x
> > > user:3000002:rwx
> > > user:3000003:r-x
> > > user:3000004:rwx
> > > group::rwx
> > > group:3000000:rwx
> > > group:3000001:r-x
> > > group:3000002:rwx
> > > group:3000003:r-x
> > > group:3000004:rwx
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:root:rwx
> > > default:user:3000000:rwx
> > > default:user:3000001:r-x
> > > default:user:3000002:rwx
> > > default:user:3000003:r-x
> > > default:user:3000004:rwx
> > > default:group::---
> > > default:group:3000000:rwx
> > > default:group:3000001:r-x
> > > default:group:3000002:rwx
> > > default:group:3000003:r-x
> > > default:group:3000004:rwx
> > > default:mask::rwx
> > > default:other::---
> > >
> > > root@dom:/var/lib/samba# getfacl /var/lib/samba/sysvol/plk.loc/scripts
> > > getfacl: Entferne führende '/' von absoluten Pfadnamen
> > > # file: var/lib/samba/sysvol/plk.loc/scripts
> > > # owner: root
> > > # group: 3000000
> > > user::rwx
> > > user:root:rwx
> > > user:3000000:rwx
> > > user:3000001:r-x
> > > user:3000002:rwx
> > > user:3000003:r-x
> > > group::rwx
> > > group:3000000:rwx
> > > group:3000001:r-x
> > > group:3000002:rwx
> > > group:3000003:r-x
> > > mask::rwx
> > > other::---
> > > default:user::rwx
> > > default:user:root:rwx
> > > default:user:3000000:rwx
> > > default:user:3000001:r-x
> > > default:user:3000002:rwx
> > > default:user:3000003:r-x
> > > default:group::---
> > > default:group:3000000:rwx
> > > default:group:3000001:r-x
> > > default:group:3000002:rwx
> > > default:group:3000003:r-x
> > > default:mask::rwx
> > > default:other::---
> > >
> > >
> > > How can I fix this?
> > >
> > > Greetings
> > > Daniel
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
>
>
>
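
The cleanup advised in this thread (purging the `rc` leftovers and removing the distribution's 4.9.5 Samba packages that sit beside the source-built 4.14.4) can be checked from `dpkg -l` output. The script below is an added example, not part of the original messages or of the scripts they link to; the function names are hypothetical and the sample package lines are constructed.

```shell
#!/bin/sh
# Added example: audit `dpkg -l` output for the two problems raised in the thread.
# Function names are hypothetical; the sample lines below are constructed.

sample_dpkg_list() {
cat <<'EOF'
ii  acl                2.2.53-4                amd64  access control list - utilities
rc  krb5-admin-server  1.17-3+deb10u1          amd64  MIT Kerberos master server (kadmind)
rc  krb5-kdc           1.17-3+deb10u1          amd64  MIT Kerberos key server (KDC)
ii  krb5-user          1.17-3+deb10u1          amd64  basic programs to authenticate using MIT Kerberos
ii  samba-libs:amd64   2:4.9.5+dfsg-5+deb10u1  amd64  Samba core libraries
ii  winbind            2:4.9.5+dfsg-5+deb10u1  amd64  service to resolve user and group information
EOF
}

# Reads `dpkg -l` lines on stdin; prints packages in state "rc"
# (removed, configuration files still present).
leftover_packages() {
    awk '$1 == "rc" { print $2 }'
}

# Reads `dpkg -l` lines on stdin; prints "name version" for installed Samba
# packages whose upstream version differs from the source-built one ($1).
conflicting_samba_packages() {
    awk -v want="$1" '
        $1 == "ii" && $2 ~ /^(samba|winbind|libwbclient|libsmbclient|python3?-samba)/ {
            v = $3
            sub(/^[0-9]+:/, "", v)    # drop the Debian epoch, e.g. "2:"
            sub(/[+~-].*$/, "", v)    # drop the "+dfsg-5+deb10u1" style suffix
            if (v != want) print $2, v
        }'
}

echo "Leftover (rc) packages:"
sample_dpkg_list | leftover_packages
echo "Packaged Samba components that are not 4.14.4:"
sample_dpkg_list | conflicting_samba_packages 4.14.4
```

On a real host, pipe `dpkg -l` into the two functions in place of `sample_dpkg_list`.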