Hi, below the required files:

smb.conf of ucs master:

[global]
        logging = file
        max log size = 0
        netbios name = ucs
        server role = active directory domain controller
        name resolve order = wins host bcast
        server string = Univention Corporate Server
        server services = -dns -smb +s3fs -nbt
        server role check:inhibit = yes
        # use nmbd; to disable set samba4/service/nmb to s4
        nmbd_proxy_logon:cldap_server=127.0.0.1
        workgroup = LAN
        realm = LAN.CORP
        tls enabled = yes
        tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
        tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
        tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
        tls verify peer = ca_and_name
        ldap server require strong auth = no
        dsdb:schema update allowed = no
        max open files = 32808
        ntlm auth = yes
        machine password timeout = 0
        acl allow execute always = True
        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo eth0
        kccsrv:samba_kcc = False
        debug hirestimestamp = yes
        debug pid = yes
        winbind separator = +
        template shell = /bin/bash
        template homedir = /home/%D-%U
        idmap config * : backend = tdb
        idmap config * : range = 300000-400000

        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*

        obey pam restrictions = yes
        encrypt passwords = yes

        spoolss: architecture = Windows x64

        ; domain service lookup related settings
        preferred master = yes
        local master = yes
        domain master = yes
        wins support = yes

        ; miscellaneous settings, mostly for file services
        oplocks = yes
        large readwrite = yes
        read raw = yes
        write raw = yes
        max xmit = 65535
        acl:search = no
        host msdfs = yes
        kernel oplocks = yes
        deadtime = 15
        getwd cache = yes
        wide links = no
        store dos attributes = yes
        logon home = \\ucs\%U
        logon drive = I:
        logon path = \\ucs\%U\windows-profiles\%a
        preserve case = yes
        short preserve case = yes
        guest account = nobody
        map to guest = Bad User
        admin users = administrator join-backup
        usershare max shares = 0

smb.conf of new member server:

[global]
        workgroup = LAN
        realm = lan.corp
        netbios name = fs1
        netbios aliases = oldsamba3
        security = ADS
        logging = file
        log level = 1 auth_audit:3
        log file = /var/log/samba/%m.log
        idmap config *:backend = tdb
        idmap config *:range = 300000-400000
        idmap config LAN:backend = rid
        idmap config LAN:range = 500000-700000
        vfs objects = acl_xattr full_audit
        map acl inherit = Yes
        store dos attributes = Yes
        winbind separator = +
        winbind use default domain = yes
        winbind offline logon = yes
        winbind cache time = 3600
        winbind enum groups = yes
        winbind enum users = yes
        template homedir = /home/%U
        usershare allow guests = yes
        usershare path
        username map = /etc/samba/user.map

On Thu, 26 Sep 2019 at 13:05, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 26/09/2019 11:44, banda bassotti wrote:
> > Hi, no it doesn't work:
> >
> > [2019/09/26 12:06:18.715651, 1]
> > ../../source3/librpc/crypto/gse.c:660(gse_get_server_auth_token)
> > gss_accept_sec_context failed with [ Miscellaneous failure (see
> > text): Failed to find cifs/oldsamba at lan.corp(kvno 107) in keytab
> > MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
> >
> > rowland, you are right we have before migrated the old samba3 domain
> > to a new UCS (univention).
>
> Then a question:
>
> Are you paying UCS anything ?
>
> If so, get them to sort it out for you, that is what you are paying for.
>
> If not, then post the smb.conf from the UCS machine and the smb.conf
> from the old machine.
>
> Rowland

On 26/09/2019 15:19, banda bassotti wrote:
> Hi, below the required files:
>
> smb.conf of ucs master:
>
> [global]
>         logging = file
>         max log size = 0
>         netbios name = ucs
>         server role = active directory domain controller
>         name resolve order = wins host bcast
>         server string = Univention Corporate Server
>         server services = -dns -smb +s3fs -nbt
>         server role check:inhibit = yes
>         # use nmbd; to disable set samba4/service/nmb to s4
>         nmbd_proxy_logon:cldap_server=127.0.0.1
>         workgroup = LAN
>         realm = LAN.CORP
>         tls enabled = yes
>         tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
>         tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
>         tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
>         tls verify peer = ca_and_name
>         ldap server require strong auth = no
>         dsdb:schema update allowed = no
>         max open files = 32808
>         ntlm auth = yes
>         machine password timeout = 0
>         acl allow execute always = True
>         # ignore interfaces in samba/register/exclude/interfaces
>         bind interfaces only = yes
>         interfaces = lo eth0
>         kccsrv:samba_kcc = False
>         debug hirestimestamp = yes
>         debug pid = yes
>         winbind separator = +
>         template shell = /bin/bash
>         template homedir = /home/%D-%U
>         idmap config * : backend = tdb
>         idmap config * : range = 300000-400000
>
>         passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
>
>         obey pam restrictions = yes
>         encrypt passwords = yes
>
>         spoolss: architecture = Windows x64
>
>         ; domain service lookup related settings
>         preferred master = yes
>         local master = yes
>         domain master = yes
>         wins support = yes
>
>         ; miscellaneous settings, mostly for file services
>         oplocks = yes
>         large readwrite = yes
>         read raw = yes
>         write raw = yes
>         max xmit = 65535
>         acl:search = no
>         host msdfs = yes
>         kernel oplocks = yes
>         deadtime = 15
>         getwd cache = yes
>         wide links = no
>         store dos attributes = yes
>         logon home = \\ucs\%U
>         logon drive = I:
>         logon path = \\ucs\%U\windows-profiles\%a
>         preserve case = yes
>         short preserve case = yes
>         guest account = nobody
>         map to guest = Bad User
>         admin users = administrator join-backup
>         usershare max shares = 0

two quick questions, what is the Samba version (samba -V will give you this) and have you altered the new UCS DC smb.conf in any way ?

Rowland

two quick questions, what is the Samba version (samba -V will give you this) and have you altered the new UCS DC smb.conf in any way ?

Rowland

On 26/09/2019 15:26, Rowland penny via samba wrote:
> On 26/09/2019 15:19, banda bassotti wrote:
>> Hi, below the required files:
>>
>> smb.conf of ucs master:
>>
>> [global]
>>         logging = file
>>         max log size = 0
>>         netbios name = ucs
>>         server role = active directory domain controller
>>         name resolve order = wins host bcast
>>         server string = Univention Corporate Server
>>         server services = -dns -smb +s3fs -nbt
>>         server role check:inhibit = yes
>>         # use nmbd; to disable set samba4/service/nmb to s4
>>         nmbd_proxy_logon:cldap_server=127.0.0.1
>>         workgroup = LAN
>>         realm = LAN.CORP
>>         tls enabled = yes
>>         tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
>>         tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
>>         tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
>>         tls verify peer = ca_and_name
>>         ldap server require strong auth = no
>>         dsdb:schema update allowed = no
>>         max open files = 32808
>>         ntlm auth = yes
>>         machine password timeout = 0
>>         acl allow execute always = True
>>         # ignore interfaces in samba/register/exclude/interfaces
>>         bind interfaces only = yes
>>         interfaces = lo eth0
>>         kccsrv:samba_kcc = False
>>         debug hirestimestamp = yes
>>         debug pid = yes
>>         winbind separator = +
>>         template shell = /bin/bash
>>         template homedir = /home/%D-%U
>>         idmap config * : backend = tdb
>>         idmap config * : range = 300000-400000
>>
>>         passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
>>
>>         obey pam restrictions = yes
>>         encrypt passwords = yes
>>
>>         spoolss: architecture = Windows x64
>>
>>         ; domain service lookup related settings
>>         preferred master = yes
>>         local master = yes
>>         domain master = yes
>>         wins support = yes
>>
>>         ; miscellaneous settings, mostly for file services
>>         oplocks = yes
>>         large readwrite = yes
>>         read raw = yes
>>         write raw = yes
>>         max xmit = 65535
>>         acl:search = no
>>         host msdfs = yes
>>         kernel oplocks = yes
>>         deadtime = 15
>>         getwd cache = yes
>>         wide links = no
>>         store dos attributes = yes
>>         logon home = \\ucs\%U
>>         logon drive = I:
>>         logon path = \\ucs\%U\windows-profiles\%a
>>         preserve case = yes
>>         short preserve case = yes
>>         guest account = nobody
>>         map to guest = Bad User
>>         admin users = administrator join-backup
>>         usershare max shares = 0
>
> two quick questions, what is the Samba version (samba -V will give you
> this) and have you altered the new UCS DC smb.conf in any way ?
>
> Rowland
>
> two quick questions, what is the Samba version (samba -V will give you
> this) and have you altered the new UCS DC smb.conf in any way ?
>
> Rowland

Sorry about seemingly asking the same questions twice, it was once when it left here ;-)

No, cut&paste!

ucs# samba -V
Version 4.10.1-Univention

fs# samba -V
Version 4.10.8-Debian

On Thu, 26 Sep 2019 at 16:26, Rowland penny <rpenny at samba.org> wrote:

> On 26/09/2019 15:19, banda bassotti wrote:
> > Hi, below the required files:
> >
> > smb.conf of ucs master:
> >
> > [global]
> >         logging = file
> >         max log size = 0
> >         netbios name = ucs
> >         server role = active directory domain controller
> >         name resolve order = wins host bcast
> >         server string = Univention Corporate Server
> >         server services = -dns -smb +s3fs -nbt
> >         server role check:inhibit = yes
> >         # use nmbd; to disable set samba4/service/nmb to s4
> >         nmbd_proxy_logon:cldap_server=127.0.0.1
> >         workgroup = LAN
> >         realm = LAN.CORP
> >         tls enabled = yes
> >         tls keyfile = /etc/univention/ssl/ucsdc.comune.padova.it/private.key
> >         tls certfile = /etc/univention/ssl/ucsdc.comune.padova.it/cert.pem
> >         tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
> >         tls verify peer = ca_and_name
> >         ldap server require strong auth = no
> >         dsdb:schema update allowed = no
> >         max open files = 32808
> >         ntlm auth = yes
> >         machine password timeout = 0
> >         acl allow execute always = True
> >         # ignore interfaces in samba/register/exclude/interfaces
> >         bind interfaces only = yes
> >         interfaces = lo eth0
> >         kccsrv:samba_kcc = False
> >         debug hirestimestamp = yes
> >         debug pid = yes
> >         winbind separator = +
> >         template shell = /bin/bash
> >         template homedir = /home/%D-%U
> >         idmap config * : backend = tdb
> >         idmap config * : range = 300000-400000
> >
> >         passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*
> >
> >         obey pam restrictions = yes
> >         encrypt passwords = yes
> >
> >         spoolss: architecture = Windows x64
> >
> >         ; domain service lookup related settings
> >         preferred master = yes
> >         local master = yes
> >         domain master = yes
> >         wins support = yes
> >
> >         ; miscellaneous settings, mostly for file services
> >         oplocks = yes
> >         large readwrite = yes
> >         read raw = yes
> >         write raw = yes
> >         max xmit = 65535
> >         acl:search = no
> >         host msdfs = yes
> >         kernel oplocks = yes
> >         deadtime = 15
> >         getwd cache = yes
> >         wide links = no
> >         store dos attributes = yes
> >         logon home = \\ucs\%U
> >         logon drive = I:
> >         logon path = \\ucs\%U\windows-profiles\%a
> >         preserve case = yes
> >         short preserve case = yes
> >         guest account = nobody
> >         map to guest = Bad User
> >         admin users = administrator join-backup
> >         usershare max shares = 0
>
> two quick questions, what is the Samba version (samba -V will give you
> this) and have you altered the new UCS DC smb.conf in any way ?
>
> Rowland
>
> two quick questions, what is the Samba version (samba -V will give you
> this) and have you altered the new UCS DC smb.conf in any way ?
>
> Rowland