On 2019-02-17 10:17 am, Rowland Penny via samba wrote:
> On Sun, 17 Feb 2019 09:53:56 -0500
> Marco Shmerykowsky <marco at sce-engineers.com> wrote:
>
>> I tried the NTLM setting. No change.
>>
>> When I try to browse the network, I get the following error:
>>
>> "internal is not accessible. You might not have permission to
>> use this network resource. The list of servers for this workgroup
>> is not currently available."
>>
>> Here is the smb.conf from the AD machine.
>>
>> [global]
>> netbios name = MACHINE251
>> realm = INTERNAL.DOMAIN.COM
>> workgroup = INTERNAL
>> dns forwarder = 4.2.2.2
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/internal.domain.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [test-share]
>> path=/home/test-share
>> read only = no
>>
>> On 2019-02-17 9:15 am, Rowland Penny via samba wrote:
>> > On Sun, 17 Feb 2019 09:06:21 -0500
>> > Marco J Shmerykowsky PE <marco at sce-engineers.com> wrote:
>> >
>> >> Thanks. Will check.
>> >>
>> >> I should have added that everything was working fine on the old
>> >> winNT style samba domain setup. It's something related to the new
>> >> samba AD setup
>> >
>> > It might be and it probably is something to do with NTLMv1, but I am
>> > still guessing, because you still haven't posted your smb.conf
>> >
>> > Rowland
>
> OK, there doesn't seem to be anything wrong with your DC smb.conf, have
> you set up the libnss-winbind links ?
>
> You said 'but they can't see any of the machines on the network'. This
> is normal, there is no network browsing in a Samba AD domain.
>
> You also said 'I created a stand alone member server', this is a
> contradiction in terms (it is either a standalone server or a Unix
> domain member). You haven't posted the smb.conf for this, can you do
> so.
>
> Rowland

Seems I can map a drive from the command line. (Didn't check that
- it was 2:00am and I was tired with fighting this stuff)

The Windows graphical way to map drives isn't working.
I guess no real issue if I can manually map drives.

Server smb.conf file (you helped with this one :) )
It's a domain member.

[global]
workgroup = SCE-INTERNAL
security = ADS
realm = SCE-INTERNAL.SCE-ENGINEERS.COM
server string = Samba 4 Client %h
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
## map ids outside of domain to TDB files
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain
idmap config SCE-INTERNAL : backend = rid
idmap config SCE-INTERNAL : range = 10000-999999
# uncomment next line to allow login
# template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user Administrator workaround
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# disable printing completely
# remove these lines to print
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logging
# change the number to raise level
log level = 0
# map untrusted to domain = yes

[files]
path = /server/files
read only = no
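
A check that can be run over the idmap lines of a domain-member smb.conf like the one above, added here as an example and not part of the original message. It reports colon-style keys beginning with "idmap" that are not of the form "idmap config DOMAIN : option", backends left without a range, and overlapping ranges; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample modelled on a domain-member [global] section (not a real host).
SAMPLE = """\
[global]
security = ADS
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config EXAMPLE : backend = rid
idmap confog EXAMPLE : range = 10000-999999
idmap config OTHER : backend = rid
idmap config OTHER : range = 9000-19999
"""

IDMAP_KEY = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(\w+)$", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)$")

def check_idmap(text):
    """Return findings for the per-domain idmap lines in smb.conf text."""
    findings, domains = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        # Only colon-style keys that start with the word "idmap" are examined.
        if not re.match(r"idmap\s", key, re.I) or ":" not in key:
            continue
        m = IDMAP_KEY.match(key)
        if not m:
            findings.append(f"line {n}: unrecognised idmap key '{key}'")
            continue
        domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    ranges = {}
    for dom, opts in domains.items():
        m = RANGE.match(opts.get("range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        elif "range" in opts:
            findings.append(f"{dom}: malformed range '{opts['range']}'")
        elif "backend" in opts:
            findings.append(f"{dom}: backend '{opts['backend']}' has no range")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```

Calling check_idmap() on the text of a member server's smb.conf returns an empty list when every idmap domain has a well-formed, non-overlapping range.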