I am evaluating Samba 4 as a replacement for our existing Windows 2003 servers, as the cost to license 2008 and CALs is not going to be in my company's budget. Bear with me, as I have some basic experience with Linux and know a few things, I am by no means a fully trained Linux or Samba Jedi.

My test environment goal is to have two Active Directory Domain Controllers and one Member Server with File Shares all running on Samba.

So far I have set up one AD Domain Controller (AD1). I downloaded and compiled the latest source code doing the git mirror thing, and am running Samba 4.2.0prel-GIT-043585F on CentOS 6.5. I used this HOWTO to configure the AD DC: http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller

This process all went smoothly, and I was able to join my Windows 7 test machines to the domain and log in successfully and use the RSAT tools successfully.

I then set up the File server and made it a member server and joined it successfully to the domain, using these instructions here: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

This went as expected.

I then set up my test share on the file server using the directions here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

I actually partitioned/formatted a second disk with ext4 and put it in /etc/fstab with the user_xattr,acl support.

When I then go to remotely manage the share via a Win7 workstation and I go to computer manager and open the test file server (FS1), at first it looks good. I then click on the "System Tools" section to expand it and I get "Event Viewer cannot connect to the computer FS1: The error reported is the RPC Server is unavailable". I click OK on the error and it then says again it is connecting to FS1 and expands the section where I can see the Shared Folders. As soon as I expand shared folders and click on shared I get the following: "You do not have permissions to see the list of shares for Windows clients" and it will not let me see the shares.

I then decided to make a share right on the Domain Controller itself, to see if it was something on the file server or something on the workstation. When I go to computer management and connect to the DC (AD1) it connects, but when I expand System Tools, I get the following error: "The Procedure Number is out of Range(1745)". However, after clicking "OK" on this error I am able to see and manage the Share and permissions as expected.

I have been scouring the net for 2 days to try to find an answer and I am at a standstill as to what to do next to fix or further troubleshoot the issue. Any help or ideas would be greatly appreciated.

Here is the smb.conf on my Domain Controller

#Global parameters
[global]
workgroup = INCENTA
realm = INCENTA.LOCAL
netbios name = AD1
server role = active directory domain controller
dns forwarder = 8.8.8.8
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/incenta.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[Demo]
path = /DATA/Demo
read only = no

Here is the smb.conf on my file server

[global]

netbios name = FS1
workgroup = INCENTA
security = ADS
realm = INCENTA.LOCAL
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001=80000
idmap config INCENTA:backend = ad
idmap config INCENTA:schema_mode = rfc2307
idmap config INCENTA:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[Demo]
path = /DATA/Demo
read only = no
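
The following is an added example, not part of the original post and not Samba's own code: a small check of the `idmap config ... : range` lines from the member-server smb.conf above against the `low-high` form documented in the smb.conf man page, plus an overlap check between ID ranges. The function name `check_idmap_ranges` and the embedded sample are assumptions made for illustration; the check makes no claim about the cause of the errors reported above.

```python
import re

# Constructed input: the idmap lines copied from the member-server smb.conf above.
POSTED_IDMAP = """\
idmap config *:backend = tdb
idmap config *:range = 70001=80000
idmap config INCENTA:backend = ad
idmap config INCENTA:schema_mode = rfc2307
idmap config INCENTA:range = 500-40000
"""

# "idmap config DOMAIN : option = value", whitespace around ':' and '=' optional.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
# Documented range form: two unsigned integers separated by a hyphen.
RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def check_idmap_ranges(conf_text):
    """Return (ranges, problems): parsed {domain: (low, high)} and a list of findings."""
    ranges, problems = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = IDMAP_LINE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        domain, value = m.group(1), m.group(3)
        rm = RANGE_VALUE.match(value)
        if not rm:
            problems.append(f"line {lineno}: {domain}: range '{value}' is not 'low-high'")
            continue
        low, high = int(rm.group(1)), int(rm.group(2))
        if low > high:
            problems.append(f"line {lineno}: {domain}: low {low} exceeds high {high}")
            continue
        ranges[domain] = (low, high)
    # Ranges of different domains must not overlap; sorted by low bound, any
    # overlap shows up between neighbours.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (l1, h1)), (d2, (l2, h2)) in zip(ordered, ordered[1:]):
        if l2 <= h1:
            problems.append(f"{d1} {l1}-{h1} overlaps {d2} {l2}-{h2}")
    return ranges, problems


if __name__ == "__main__":
    for finding in check_idmap_ranges(POSTED_IDMAP)[1]:
        print(finding)
```
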

Hello Thomas,

I've only been able to get shares working correctly if I gave the file share read, write, execute for all permissions (chmod 777). I then use Windows to set the ACLs. Based on the Wiki it's not needed but I've never had any luck without using it.

On 9/29/2014 9:32 AM, Thomas Mulkey wrote:
> I am evaluating Samba 4 as a replacement for our existing Windows 2003 servers, as the cost to license 2008 and CALs is not going to be in my company's budget. Bear with me, as I have some basic experience with Linux and know a few things, I am by no means a fully trained Linux or Samba Jedi.

--
-James

Dear Thomas,

You are on the right path. However, there are limitations that you should know.

1. We cannot add/remove shared drives via RPC yet. (Unless I missed something; do correct me if I'm wrong, I'll be happy if that runs.) Adding and removing a share on Samba requires changes to smb.conf. You can look at the guide below on how to add them in.
2. Disks share access control on domain computer. Have a look at this guide. You will need that additional access, SeDiskOperatorPrivilege: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs

Hope this info helps and may the source be with you.

As for your upgrade path, you should try this, since Samba DC is not compatible with 2003.

1. Upgrade both your Windows to 2008 no R2 trial.
2. Promoting the whole DC to 2008.
3. Join Samba DC, work on the symbol replication from Windows to Linux.
4. Transfer FSMO.
5. Demote your 2 DC or make them your member server/file server.
6. Done.

Regards,
Chan Min Wai

Thomas Mulkey <tmulkey at incentafcu.org> wrote on 29 Sep 2014 at 9:32 PM:
> I am evaluating Samba 4 as a replacement for our existing Windows 2003 servers, as the cost to license 2008 and CALs is not going to be in my company's budget. Bear with me, as I have some basic experience with Linux and know a few things, I am by no means a fully trained Linux or Samba Jedi.

Thomas Mulkey wrote on 29.09.2014 15:32:
> I downloaded and compiled the latest source code doing
> the git mirror thing, and am running Samba
> 4.2.0prel-GIT-043585F on CentOS 6.5. I used this HOWTO
> to configure the AD

While this typically doesn't pose any serious concerns, it is still not a very good idea. It might be better to check out the last tagged version, i.e. 4.1.12 for the time being. The head of the git repository is targeted towards developers, who are supposed to be able to solve any issues that might occur. Against that, the official versions are tested better and hence recommended to use. Compiling rather than taking the Sernet packages should be pretty OK, however.

Best regards
Peter