samba - Apr 2015 - samba 4.2 RDP problem (solved)

Hi,

i did some tests wit samba 4.2 as a ADS DC on arch linux. On a Win8.1 client i
can do local logins as every user, i can login via RDP as local user, but i am
not able to login as a domain user via RDP.
After the loginscreen, appears  "Welcome" and the mousepointer
continues to spinn....

Same issue on Ubuntu 14.04, samba 4.2 installed from source.

On Ubuntu and samba 4.1.17 (installed also from source) all works fine.


Is this a bug on the 4.2 version of samba?


Regards,
heinz

./configure --with-ads --with-ads --with-winbind --enable-cups --with-pam
--with-pam_smbpass --with-quotas --with-acl-support --with-dnsupdate
--with-syslog --with-aio-support --with-regedit --with-systemd
--prefix=/opt/samba

samba-tool domain provision --use-rfc2307 --use-xattrs=yes --domain=${DOMAIN}
--dns-backend=BIND9_DLZ --server-role=dc --function-level=2008_R2
--realm=${REALM} --adminpass=xxxxxxxxxxx

Hello Heinz,

Am 13.03.2015 um 18:26 schrieb Heinz H?lzl:
> i did some tests wit samba 4.2 as a ADS DC on arch linux.
> On a Win8.1 client i can do local logins as every user,
> i can login via RDP as local user, but i am not able to
> login as a domain user via RDP.
> After the loginscreen, appears  "Welcome" and the
> mousepointer continues to spinn....
> 
> Same issue on Ubuntu 14.04, samba 4.2 installed from source.
> 
> On Ubuntu and samba 4.1.17 (installed also from source) all works fine.
I don't have 4.2 in production at work. But I tried in my test
environment here at home (2 DCs - both 4.2.0):

RDP
Win10 -> Win81: OK
Win10 -> Win7: OK
Win81 -> Win7: OK
Win7 -> Win81: OK

For testing I created a new user (no home drive, no logonscript, no
server base profile, etc.) in AD and allowed the domain group "domain
users" to login via RDP on all three machines.

I can't see a problem here.

* What does the Windows event log says?
* Any interesting messages on your DC logfile?
* Can you temporary disable logonscript, connection of home drive, etc.)?


Regards,
Marc

> Hello Heinz,
> 
> Am 13.03.2015 um 18:26 schrieb Heinz H?lzl:
> > i did some tests wit samba 4.2 as a ADS DC on arch linux.
> > On a Win8.1 client i can do local logins as every user,
> > i can login via RDP as local user, but i am not able to
> > login as a domain user via RDP.
> > After the loginscreen, appears  "Welcome" and the
> > mousepointer continues to spinn....
> > 
> > Same issue on Ubuntu 14.04, samba 4.2 installed from source.
> > 
> > On Ubuntu and samba 4.1.17 (installed also from source) all works
fine.
> 
> I don't have 4.2 in production at work. But I tried in my test
> environment here at home (2 DCs - both 4.2.0):
> 
> RDP
> Win10 -> Win81: OK
> Win10 -> Win7: OK
> Win81 -> Win7: OK
> Win7 -> Win81: OK
> 
> For testing I created a new user (no home drive, no logonscript, no
> server base profile, etc.) in AD and allowed the domain group "domain
> users" to login via RDP on all three machines.
> 
> I can't see a problem here.
> 
> * What does the Windows event log says?
> * Any interesting messages on your DC logfile?
> * Can you temporary disable logonscript, connection of home drive, etc.)?
> 
> 
> Regards,
> Marc
 
hi,

i see nothing in the eventviewer, and no errors in the samba logs.

With samba 4.1.17 i can see a lot of rpc commands:
...

100.1.254.101 (ipv4:100.1.254.101:56215) connect to service IPC$ initially as
user KLINGONS\PRAXIS$ (uid=3000017, gid=3000018) (pid 3787)
  api_pipe_bind_req: winreg -> winreg rpc service
  check_bind_req for \winreg
  check_bind_req: winreg -> winreg rpc service
  ldb_wrap open of secrets.ldb
  check_bind_req for \winreg
  check_bind_req: winreg -> winreg rpc service
  ldb_wrap open of privilege.ldb
  api_rpcTNP: rpc command: WINREG_OPENHKLM
  api_pipe_bind_req: winreg -> winreg rpc service
  check_bind_req for \winreg
  check_bind_req: winreg -> winreg rpc service
  api_rpcTNP: rpc command: WINREG_OPENHKLM
  api_rpcTNP: rpc command: WINREG_GETVERSION
  api_rpcTNP: rpc command: WINREG_OPENKEY
  api_rpcTNP: rpc command: WINREG_QUERYVALUE
  api_rpcTNP: rpc command: WINREG_QUERYVALUE
  api_rpcTNP: rpc command: WINREG_QUERYVALUE
  api_rpcTNP: rpc command: WINREG_QUERYVALUE
.....


on samba 4.2.0 there is olnly the first rpc command:
...
100.1.254.101 (ipv4:100.1.254.101:56203) connect to service IPC$ initially as
user KLINGONS\PRAXIS$ (uid=3000017, gid=3000018) (pid 6341)
  api_pipe_bind_req: winreg -> winreg rpc service
  check_bind_req for winreg
  check_bind_req: winreg -> winreg rpc service
  ldb_wrap open of secrets.ldb
  check_bind_req for winreg
  check_bind_req: winreg -> winreg rpc service
  ldb_wrap open of privilege.ldb
  api_rpcTNP: rpc command: WINREG_OPENHKLM

and here the login hangs...




If the login via RDP hangs, after a restart of the samba services the login
works fine.
Then after a reboot of die client machne the problem returns and i can not login
via RDP as Domain user.


This is a test environment, and i am testing with a fresh-new user wihtout
logonscripts, homedrive mappings ecc..

The smb.conf if the original generated from the "samba-tool domain
provision"
 

Regards,
heinz

Hai, 

Same issue with sernet-samba 4.2.1 and windows 7 64bit. 
On debian wheezy. 

Do you need any more info on this subject? 

Greetz, 

Louis



On Thu, 2015-04-16 at 13:48 +0200, Heinz H?lzl wrote:
> Thanx for your answer!
> 
> Do you need additional informations? logs, tests, ecc.. ? 
As much detail as you can get me would be very handy.

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

sorry for the noise.. 

I missed the solution in my mail. just saw it online.. 

The working version for rdp login.. 
I can confirm also that after adding these to the smb.conf 

dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc,
spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver,
remote, winreg, srvsvc
auth methods = sam, winbind, ntdomain, ntdomain:winbind

I was able to login with RDP also. 
sernet samba 4.2.1 - Windows 7 64bit. 


Louis


 
>-----Oorspronkelijk bericht-----
>Van: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org] 
>Namens L.P.H. van Belle
>Verzonden: woensdag 22 april 2015 16:51
>Aan: samba at lists.samba.org
>Onderwerp: Re: [Samba] samba 4.2 RDP problem
>
>Hai, 
>
>Same issue with sernet-samba 4.2.1 and windows 7 64bit. 
>On debian wheezy. 
>
>Do you need any more info on this subject? 
>
>Greetz, 
>
>Louis
>
>
>
>On Thu, 2015-04-16 at 13:48 +0200, Heinz H?lzl wrote:
>> Thanx for your answer!
>> 
>> Do you need additional informations? logs, tests, ecc.. ? 
>
>As much detail as you can get me would be very handy.
>
>-- 
>Andrew Bartlett                       http://samba.org/~abartlet/
>Authentication Developer, Samba Team  http://samba.org
>Samba Developer, Catalyst IT          
>http://catalyst.net.nz/services/samba
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>