samba - Dec 2014 - Runnung samba4 as classic domain controller, win7 thinks it is AD

To: Rowland Penny <rowlandpenny at googlemail.com>

06.12.2014 21:47, Rowland Penny wrote:
[]
> Any chance we can see your smb.conf ?
Sure, here it is.  Somehow I forgot to add it initially, even if planned.
Thank you for looking into this.

/mjt

[global]
 workgroup = TLS
 server string = %h samba server %v
 netbios name = FS
 netbios aliases = PALTUS LINUX SERVER

 acl allow execute always = true

 wins support = yes
 dns proxy = yes

 interfaces = 192.168.177.2/26 127.0.0.1/8
 bind interfaces only = yes
 allow hosts = 192.168.177.0/26 127.0.0.0/8

 log file = /var/log/samba/log.%m
 max log size = 1000
 syslog = 0

 remote browse sync = 192.168.19.1

 security = user
 encrypt passwords = true
 passdb backend = tdbsam:/var/lib/samba/passdb.tdb
 obey pam restrictions = yes
 unix password sync = no
 pam password change = yes
 username map = /etc/samba/username.map
 utmp = yes
 hostname lookups = yes

 # temp for win95
 lanman auth = yes

########## Domains ###########

 preferred master = auto
 domain master = yes
 local master = yes
 domain logons = yes
 os level = 64
# added to try to join a machine to samba4 domain, does not help
 server role = classic primary domain controller

# Location of the user's profile directory
 logon path = \\%L\%U\Profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
 logon drive = H:
 logon home = \\%L\%U

 load printers = no
 printing = bsd
;   printcap name = /etc/printcap
 print command = lpr -h -P%p '%s'; rm -f '%s'

 map archive = no
 # map hidden = yes
 # map system = yes
 create mask = 0775
 directory mask = 0775

 host msdfs = yes

 # unix ext and wide links are incompatible. we need wide links.
 unix extensions = no
 wide links = yes

#======================= Share Definitions ======================
[homes]
 comment = Home Directories
 browseable = no

[... other share definitions follow....]

> Rowland
>

On 06/12/14 19:36, Michael Tokarev wrote:
> To: Rowland Penny <rowlandpenny at googlemail.com>
>
> 06.12.2014 21:47, Rowland Penny wrote:
> []
>> Any chance we can see your smb.conf ?
> Sure, here it is.  Somehow I forgot to add it initially, even if planned.
> Thank you for looking into this.
>
> /mjt
>
> [global]
>   workgroup = TLS
>   server string = %h samba server %v
>   netbios name = FS
>   netbios aliases = PALTUS LINUX SERVER
>
>   acl allow execute always = true
>
>   wins support = yes
>   dns proxy = yes
>
>   interfaces = 192.168.177.2/26 127.0.0.1/8
>   bind interfaces only = yes
>   allow hosts = 192.168.177.0/26 127.0.0.0/8
>
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   syslog = 0
>
>   remote browse sync = 192.168.19.1
>
>   security = user
>   encrypt passwords = true
>   passdb backend = tdbsam:/var/lib/samba/passdb.tdb
>   obey pam restrictions = yes
>   unix password sync = no
>   pam password change = yes
>   username map = /etc/samba/username.map
>   utmp = yes
>   hostname lookups = yes
>
>   # temp for win95
>   lanman auth = yes
>
> ########## Domains ###########
>
>   preferred master = auto
>   domain master = yes
>   local master = yes
>   domain logons = yes
>   os level = 64
> # added to try to join a machine to samba4 domain, does not help
>   server role = classic primary domain controller
>
> # Location of the user's profile directory
>   logon path = \\%L\%U\Profile
> # The following setting only takes effect if 'domain logons' is set
> # It specifies the location of a user's home directory (from the client
> # point of view)
>   logon drive = H:
>   logon home = \\%L\%U
>
>   load printers = no
>   printing = bsd
> ;   printcap name = /etc/printcap
>   print command = lpr -h -P%p '%s'; rm -f '%s'
>
>   map archive = no
>   # map hidden = yes
>   # map system = yes
>   create mask = 0775
>   directory mask = 0775
>
>   host msdfs = yes
>
>   # unix ext and wide links are incompatible. we need wide links.
>   unix extensions = no
>   wide links = yes
>
> #======================= Share Definitions ======================>
> [homes]
>   comment = Home Directories
>   browseable = no
>
> [... other share definitions follow....]
>
>
>> Rowland
>>
OK, I think that 'netbios aliases = PALTUS LINUX SERVER' will give you 
three extra netbios names, try enclosing PALTUS LINUX SERVER in single 
quotes i.e. 'PALTUS LINUX SERVER'

The following should only be used in a share:

acl allow execute always = true
map archive = no
create mask = 0775
directory mask = 0775
wide links = yes

I take it that you realise that '192.168.177.2/26' will only allow 62 
clients

finally, you have this: unix password sync = no
This means that you will not have any connection between the users in 
samba and the underlying Unix machine.

I would suggest that you change your smb.conf and then try again.

Rowland

06.12.2014 23:00, Rowland Penny wrote:
> On 06/12/14 19:36, Michael Tokarev wrote:
[]
> 
> OK, I think that 'netbios aliases = PALTUS LINUX SERVER' will give
you three extra netbios names, try enclosing PALTUS LINUX SERVER in single
quotes i.e. 'PALTUS LINUX SERVER'
Yes, that's 3 extra bios names.  Enclosing them in quotes
will make it a single name, which is wrong.
> The following should only be used in a share:
> 
> acl allow execute always = true
> map archive = no
> create mask = 0775
> directory mask = 0775
> wide links = yes
Yes, these are share-mode parameters.  When used in [global]
section, these changes global defaults and apply to all shares
unless overriden in a share.
> I take it that you realise that '192.168.177.2/26' will only allow
62 clients
Sure.
> finally, you have this: unix password sync = no
> This means that you will not have any connection between the users in samba
and the underlying Unix machine.
Not users but their passwords.  When users (or machines) change their
windows passwords, they're not propagated to unix password databse,
only windows passwords (in tdbsam) are changed.
> I would suggest that you change your smb.conf and then try again.
Change what, exactly?  Unix password sync?  Why?  Unix passwords
are not used by windows.

The problem at hand is that a client is unable to, as it seems,
find the AD domain controller, but there is no AD domain controller,
only NT-style controller...

Thanks,

/mjt