[Samba] netlogon does not run

Edson Wolf edsonwolf at vivaldi.net
Mon Jul 10 13:06:23 UTC 2023


On 05/07/2023 03:24 AM, Rowland Penny via samba wrote:
> Please see inline notes:
> 
> On 05/07/2023 06:03, Edson Wolf via samba wrote:
>> 
>> smb.conf
>> 
>> # Global parameters
>> [global]
>>      netbios name = DC0
>>      dns forwarder = 192.168.2.4
>>      realm = GRANMARMO.INTRANET
>>      server role = active directory domain controller
>>      workgroup = GRANMARMO
>>      ntlm auth = mschapv2-and-ntlmv2-only
>>      password hash userPassword schemes = CryptSHA256 CryptSHA512
> 
> I take it you are syncing passwords to an external ldap server.

No. Withdrawn

> 
>>      rpc server dynamic port range = 50000-55000
> 
> Can I ask why you are not using the default ports ?

Withdrawn

> 
>>      loglevel = 30 auth:5 winbind:5 passdb:5
>>      time server = yes
> 
> 'time server' is an nmbd thing and is not used on an AD DC.

Withdrawn

> 
>>      security = user
> 
> I would never set 'security = user' on an AD DC, you should rely on the 
> default 'security = auto', which will then force Samba to consult the 
> 'server role' parameter.

Done

> 
>> 
>> ###Maximum number of winbind connections
>>      winbind max domain connections = 10
> 
> 'winbind max domain connections' should not really be used on an AD DC.

Done

> 
>> 
>> ###Enable offline authentication
>>      winbind offline logon = yes
> 
> I do not see the point of running this on an AD DC, if it goes offline, 
> what is going to connect to it ? It also turns off the 'winbind max 
> domain connections' line above.

Withdrawn

> 
>> 
>>      os level = 34
> 
> 'os level' is another nmbd thing that should not be used on an AD DC.

Withdrawn
> 
>>      logon script = netlogon.bat
> 
> 'logon script' is not used on an AD DC, your Windows clients should 
> find netlogon via ldap (see the 'scriptPath' attribute), or better 
> still, via a GPO.

Withdrawn

> 
>> 
>> [netlogon]
>>      path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
>>      read only = Yes
>>      guest ok = Yes
>>      browseable = No
>> 
>> chmod 700 /var/lib/samba/sysvol/granmarmo.intranet/scripts
> 
> Sorry, but you have just broken the permissions on Sysvol, I suggest 
> you run 'samba-tool ntacl sysvolreset'

Done

> 
> Speaking of Sysvol, what has happened to the '[sysvol]' share ?

I didn't put it here but it's in smb.conf

thanks for all the tips

> 
>> 
>> netlogon.bat
>> 
>> @echo on
>> cls
>> echo Sincronizando a hora ...
>> net time \\dc0 /set /yes
>> 
>> echo Mapeando a rede ...
>> net use * /delete /yes
>> net use p: \\arquivos\Publico
>> 
>> 
> 
> Is that in DOS format ?

Yes

> 
>> \\dc0\netlogon\netlogon.bat
>> 
>> If I double click on netlogon.bat it executes
>> 
> 
> 
> It looks like you are trying to run a Samba AD DC as if it is an old 
> NT4-style PDC. Sorry, but this will not work, you need to run it as an 
> AD DC.

Done
> 
> Rowland

I thought it was possible to use Samba without having to use a Windows 
station to create the rules. As I will only use access control groups, I 
thought it was possible. I would use everything in logonscript.bat.

Now it's running ok
Thanks

-- 
Persistence is the path to success.
Charles Chaplin
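A check that follows from Rowland's notes, added here as an example and not part of the thread or of Samba itself: a POSIX shell function that flags, in the [global] section of an smb.conf, the parameters he said an AD DC does not use ('time server', 'os level', 'logon script', the winbind ones) or that should stay at their default ('security'). The sample config is constructed from the one quoted above; the audit_smb_conf name and the FLAGGED list are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: lint an smb.conf for the NT4/nmbd-era
# parameters Rowland flagged as unused on an AD DC, plus an explicit 'security'
# setting (he advised leaving it at the default 'auto', so 'server role' wins).
# The sample config below is constructed from the one quoted in the thread.

SAMPLE_SMB_CONF='[global]
     netbios name = DC0
     realm = GRANMARMO.INTRANET
     server role = active directory domain controller
     workgroup = GRANMARMO
     time server = yes
     security = user
     winbind max domain connections = 10
     winbind offline logon = yes
     os level = 34
     logon script = netlogon.bat
[netlogon]
     path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
     read only = Yes'

# Parameters from the thread that an AD DC does not use or should not set.
FLAGGED='^(time server|security|winbind max domain connections|winbind offline logon|os level|logon script)$'

# audit_smb_conf: read smb.conf text on stdin, print one line per flagged
# parameter found in [global]; return 1 if any were found, 0 if clean.
audit_smb_conf() {
    found=0
    section=''
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in
            \[*\]) section="$trimmed"; continue ;;   # section header
            '#'*|';'*|'') continue ;;                # comment or blank
        esac
        [ "$section" = '[global]' ] || continue      # only [global] matters here
        key=$(printf '%s' "${trimmed%%=*}" | sed 's/[[:space:]]*$//')
        if printf '%s\n' "$key" | grep -Eq "$FLAGGED"; then
            printf 'remove from [global]: %s\n' "$trimmed"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

printf '%s\n' "$SAMPLE_SMB_CONF" | audit_smb_conf \
    || echo 'smb.conf needs cleanup before use as an AD DC'
```

Run it as `audit_smb_conf < /etc/samba/smb.conf` on a real DC; it reports only the parameters discussed in this thread, not the sysvol permission damage, which still needs 'samba-tool ntacl sysvolreset'.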
