samba - Mar 2018 - Redirected folders no longer working correctly

I have a new problem. I'm currently running Samba4 4.4.16 as an AD/DC.
I've been running this
AD/DC for several years now. I am using redirected folders. Up to now, domain
users logging
onto any domain member Windows workstation would get their desktop. Recently I
discovered that
users now only get their desktop on their "usual" workstation, and the
Desktop Target is in
fact \\addcserver\Users\username\Desktop, whereas if they log onto some other
domain member
workstations they do not get their desktop and the Desktop target is
C:\Users\username\Desktop.

To my knowledge I have not changed any policies and have not even been into the
Group Policy
editor for well over a year. 

Not only is this preventing useful logins to other workstations it also means I
cannot upgrade
a user's computer. The user is only able to log into his old computer and
get the desktop but if
logging into the upgraded computer, or any other domain computer, he does not
get his desktop.

I upgraded a user about 3 months ago and it worked fine. Something must have
happened between
now and then.

Ideas? I need to fix this!

THX --Mark

Something I forgot to mention.  The Domain Administrator can log into any
workstation, even the
new "upgraded" computer, and get its Desktop.  This is the only Domain
User that can do so.

--Mark

-----Original Message-----
Date: Sat, 24 Mar 2018 03:42:20 -0400
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: [Samba] Redirected folders no longer working correctly

I have a new problem. I'm currently running Samba4 4.4.16 as an AD/DC.
I've been running this
AD/DC for several years now. I am using redirected folders. Up to now, domain
users logging
onto any domain member Windows workstation would get their desktop. Recently I
discovered that
users now only get their desktop on their "usual" workstation, and the
Desktop Target is in
fact \\addcserver\Users\username\Desktop, whereas if they log onto some other
domain member
workstations they do not get their desktop and the Desktop target is
C:\Users\username\Desktop.

To my knowledge I have not changed any policies and have not even been into the
Group Policy
editor for well over a year. 

Not only is this preventing useful logins to other workstations it also means I
cannot upgrade
a user's computer. The user is only able to log into his old computer and
get the desktop but if
logging into the upgraded computer, or any other domain computer, he does not
get his desktop.

I upgraded a user about 3 months ago and it worked fine. Something must have
happened between
now and then.

Ideas? I need to fix this!

THX --Mark

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

As a normal user, I want to change my Domain Password. I've tried:

$ samba-tool user setpassword myuserId --newpassword='mynewpassword'

but get the error:

ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file
/var/lib/samba/private/sam.ldb: Permission denied

Unable to open tdb '/var/lib/samba/private/sam.ldb': Permission denied
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend
'tdb': Unable to open
tdb '/var/lib/samba/private/sam.ldb': Permission denied
ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb':
Permission denied
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line
602, in run
    credentials=creds, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57,
in __init__
    options=options)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line
115, in __init__
    self.connect(url, flags, options)
  File "/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72,
in connect
    options=options)

How do I do this?

On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at
t-online.de> wrote:
>
> Am 26.03.2018 um 06:31 schrieb Mark Foley via samba:
> > As a normal user, I want to change my Domain Password. I've tried:
> > 
> > $ samba-tool user setpassword myuserId
--newpassword='mynewpassword'
> > 
> > but get the error:
> > 
> > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open
file
> > /var/lib/samba/private/sam.ldb: Permission denied
> > 
> > Unable to open tdb '/var/lib/samba/private/sam.ldb':
Permission denied
> > Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb'
with backend 'tdb': Unable to open
> > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb':
> > Permission denied
> >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
> >     return self.run(*args, **kwargs)
> >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602,
in run
> >     credentials=creds, lp=lp)
> >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py",
line 57, in __init__
> >     options=options)
> >   File
"/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in
__init__
> >     self.connect(url, flags, options)
> >   File "/usr/lib64/python2.7/site-packages/samba/samdb.py",
line 72, in connect
> >     options=options)
> > 
> > How do I do this?
> > 
>
> I don't think it's a good idea to change your password direct on
the DC
> with a normal user login. You don't have rights to the "holy"
sam.ldb.
>
> I'll refer the way to change the password from a joined linuxclient, by
> example via pam with the normal passwd program or kpasswd (if you have
> kerberos clients progs installed) or from a joined windows client.
>
I'm trying this from a domain member, and from a yad script that run upon
login and checks the
expiration of the password.  It was a script given to me by Roland, but proably
he expected the
change to be done from root. 

I can change the pw using the normal 'passwd', and that does change the
domain crentials, but
as this is done in a script, I need something that will work with stdin. 
I've triled chpasswd,
but that is only permitted by root.  The following did work for me in the yad
script:

passwd <<EOF
$oldpw
$newpw
$newpw
EOF


--Mark

On Tue, 2018-03-27 at 13:38 -0400, Mark Foley via samba
wrote:
> On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at
t-online.de> wrote:
> > 
> > Am 26.03.2018 um 06:31 schrieb Mark Foley via samba:
> > > As a normal user, I want to change my Domain Password. I've
tried:
> > > 
> > > $ samba-tool user setpassword myuserId
--newpassword='mynewpassword'
> > > 
> > > but get the error:
> > > 
> > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not
open file
> > > /var/lib/samba/private/sam.ldb: Permission denied
> > > 
> > > Unable to open tdb '/var/lib/samba/private/sam.ldb':
Permission denied
> > > Failed to connect to
'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb':
Unable to open
> > > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb':
> > > Permission denied
> > >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602,
in run
> > >     credentials=creds, lp=lp)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
__init__
> > >     options=options)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in
__init__
> > >     self.connect(url, flags, options)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
connect
> > >     options=options)
> > > 
> > > How do I do this?
> > > 
> > 
> > I don't think it's a good idea to change your password direct
on the DC
> > with a normal user login. You don't have rights to the
"holy" sam.ldb.
> > 
> > I'll refer the way to change the password from a joined
linuxclient, by
> > example via pam with the normal passwd program or kpasswd (if you have
> > kerberos clients progs installed) or from a joined windows client.
> > 
> 
> I'm trying this from a domain member, and from a yad script that run
upon login and checks the
> expiration of the password.  It was a script given to me by Roland, but
proably he expected the
> change to be done from root. 
> 
> I can change the pw using the normal 'passwd', and that does change
the domain crentials, but
> as this is done in a script, I need something that will work with stdin. 
I've triled chpasswd,
> but that is only permitted by root.  The following did work for me in the
yad script:
> 
> passwd <<EOF
> $oldpw
> $newpw
> $newpw
> EOF
Also see the other thread, but tools like smbpasswd are for this, as is
 'samba-tool user password'.  Both do a remote password change, which
is what you want.  The mentions of kpasswd above are also correct.

There are many ways to skin this cat :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Tue, 27 Mar 2018 13:38:56 -0400 Mark Foley wrote:
>
> On Mon, 26 Mar 2018 08:08:53 +0200 Michael Wandel <m.wandel at
t-online.de> wrote:
> >
> > Am 26.03.2018 um 06:31 schrieb Mark Foley via samba:
> > > As a normal user, I want to change my Domain Password. I've
tried:
> > > 
> > > $ samba-tool user setpassword myuserId
--newpassword='mynewpassword'
> > > 
> > > but get the error:
> > > 
> > > ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not
open file
> > > /var/lib/samba/private/sam.ldb: Permission denied
> > > 
> > > Unable to open tdb '/var/lib/samba/private/sam.ldb':
Permission denied
> > > Failed to connect to
'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb':
Unable to open
> > > tdb '/var/lib/samba/private/sam.ldb': Permission denied
> > > ERROR(ldb): uncaught exception - Unable to open tdb
'/var/lib/samba/private/sam.ldb':
> > > Permission denied
> > >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/netcmd/user.py", line 602,
in run
> > >     credentials=creds, lp=lp)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/samdb.py", line 57, in
__init__
> > >     options=options)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/__init__.py", line 115, in
__init__
> > >     self.connect(url, flags, options)
> > >   File
"/usr/lib64/python2.7/site-packages/samba/samdb.py", line 72, in
connect
> > >     options=options)
> > > 
> > > How do I do this?
> > > 
> >
> > I don't think it's a good idea to change your password direct
on the DC
> > with a normal user login. You don't have rights to the
"holy" sam.ldb.
> >
> > I'll refer the way to change the password from a joined
linuxclient, by
> > example via pam with the normal passwd program or kpasswd (if you have
> > kerberos clients progs installed) or from a joined windows client.
> >
>
> I'm trying this from a domain member, and from a yad script that run
upon login and checks the
> expiration of the password.  It was a script given to me by Roland, but
proably he expected the
> change to be done from root. 
>
> I can change the pw using the normal 'passwd', and that does change
the domain crentials, but
> as this is done in a script, I need something that will work with stdin. 
I've triled chpasswd,
> but that is only permitted by root.  The following did work for me in the
yad script:
>
> passwd <<EOF
> $oldpw
> $newpw
> $newpw
> EOF
>
Actually, that didn't quite work. It did change the domain password, but
didn't reset the
expiration days. So today, when the previous password was set to expire. My
account was locked
out. I had to log onto the AD/DC as the Domain Administrator and do
'samba-tool user setpassword'.

Suggestions on how I can get the expiration back to the 'Maximum password
age' value?