Mario Pio Russo
2015-May-01 13:08 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
Thanks Luis I've changed the smb.conf as you said, now it looks like this: root at ccdc-samba4:~# cat /etc/samba/smb.conf # Global parameters [global] workgroup = CCDC realm = CCDC.LAN netbios name = CCDC-SAMBA4 server role = active directory domain controller idmap_ldb:use rfc2307 = yes dns forwarder = 9.0.138.50 auth methods = sam, winbind [netlogon] path = /var/lib/samba/sysvol/ccdc.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No root at ccdc-samba4:~# however from the windows machine when i try to update the group policies, I am now getting this errors: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Users\Administrator.CCDC>gpupdate /force Updating Policy... User policy could not be updated successfully. The following errors were encount ered: The processing of Group Policy failed. Windows attempted to read the file \\ccdc .lan\sysvol\ccdc.lan\Policies \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro m a domain controller and was not successful. Group Policy settings may not be a pplied until this event is resolved. This issue may be transient and could be ca used by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. Computer policy could not be updated successfully. The following errors were enc ountered: The processing of Group Policy failed. Windows attempted to read the file \\ccdc .lan\sysvol\ccdc.lan\Policies \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro m a domain controller and was not successful. Group Policy settings may not be a pplied until this event is resolved. This issue may be transient and could be ca used by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f rom the command line to access information about Group Policy results. C:\Users\Administrator.CCDC> I'm still unable to login with normal users via RDP ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic16312.gif) From: "L.P.H. van Belle" <belle at bazuin.nl> To: "samba at lists.samba.org" <samba at lists.samba.org> Cc: Mario Pio Russo/Ireland/IBM at IBMIE Date: 01/05/2015 13:55 Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore correct. bug still exists, just tested also on latest git master. see : https://bugzilla.samba.org/show_bug.cgi?id=11061 temp solution. try adding : auth methods = sam, winbind to smb.conf on the dc and restart the DC. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: mariopiorusso at ie.ibm.com >[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >Verzonden: vrijdag 1 mei 2015 14:51 >Aan: samba at lists.samba.org >Onderwerp: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop anymore > > >Good Day All > >I have a current working configuration of sernet-samba-4.2.1, >created by >upgrading from a samba3 PDC using the classic upgrade. > >Now, I have added a windows 2008 machine to the domain and I'm >using the AD >snap in tools in order to browse the domain. > >I can see all the users and groups and they have been imported >correctly. >However I am able to remote desktop to the domain machines >only with the >user "Administrator at ccdc.lan"; no other user is able to RDP. >Furthermore I am able to add machines to the domain only form the users >Administrator, and not from any other user. I have been using the Group >Policy Manager from the window administrative tool in order >to grant logon >rights to all the users belonging to the Domain User group; >furthermore I >have added the users to the group Remote Desktop users, but >still I have no >success at all. at the moment the group policies looks like this: > >root at ccdc-samba4:/# samba-tool gpo listall >GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >display name : Default Domain Policy >path : \\ccdc.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9} >dn : CN>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >=ccdc,DC=lan >version : 3 >flags : NONE > >GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >display name : Default Domain Controllers Policy >path : \\ccdc.lan\sysvol\ccdc.lan\Policies >\{6AC1786C-016F-11D2-945F-00C04FB984F9} >dn : CN>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >=ccdc,DC=lan >version : 7 >flags : NONE > > >while from the GPM looks like this: > >(Embedded image moved to file: pic08924.gif) > > > >I have also run gpupdate /force from he windows machine and If I do >samba-tool gpo fetch <Domain Policy> I am able to see the >changes I have >done from the windows snap in > > >I am unsure now where the problem lies, are the GPO I have >modified being >applied correctly on samba 4 OR is the GPO itself that is not >configured >correctly in order to allow RDP (and add machine to domain)? >Or any other >issue? > >Note that all this was working correctly when I did the same >test upgrade >from samba 3 to samba 4.1.6 > >also I am able to login to every machine in the domain using >my domain user >when logging in locally. > >Any idea / suggestion? > > >thanks! > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic19418.gif)-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba >
Daniel Carrasco MarĂn
2015-May-01 13:29 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
2015-05-01 15:08 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>:> Thanks Luis > > I've changed the smb.conf as you said, now it looks like this: > > > root at ccdc-samba4:~# cat /etc/samba/smb.conf > # Global parameters > [global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > auth methods = sam, winbind > > [netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > root at ccdc-samba4:~# > > > however from the windows machine when i try to update the group policies, I > am now getting this errors: > > > > Microsoft Windows [Version 6.1.7601] > Copyright (c) 2009 Microsoft Corporation. All rights reserved. > > C:\Users\Administrator.CCDC>gpupdate /force > Updating Policy... > > User policy could not be updated successfully. The following errors were > encount > ered: > > The processing of Group Policy failed. Windows attempted to read the file > \\ccdc > .lan\sysvol\ccdc.lan\Policies > \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro > m a domain controller and was not successful. Group Policy settings may not > be a > pplied until this event is resolved. This issue may be transient and could > be ca > used by one or more of the following: > a) Name Resolution/Network Connectivity to the current domain controller. > b) File Replication Service Latency (a file created on another domain > controller > has not replicated to the current domain controller). > c) The Distributed File System (DFS) client has been disabled. > Computer policy could not be updated successfully. The following errors > were enc > ountered: > > The processing of Group Policy failed. Windows attempted to read the file > \\ccdc > .lan\sysvol\ccdc.lan\Policies > \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro > m a domain controller and was not successful. Group Policy settings may not > be a > pplied until this event is resolved. This issue may be transient and could > be ca > used by one or more of the following: > a) Name Resolution/Network Connectivity to the current domain controller. > b) File Replication Service Latency (a file created on another domain > controller > has not replicated to the current domain controller). > c) The Distributed File System (DFS) client has been disabled. > > To diagnose the failure, review the event log or run GPRESULT /H > GPReport.html f > rom the command line to access information about Group Policy results. > > C:\Users\Administrator.CCDC> > > > > > > I'm still unable to login with normal users via RDP > > > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic16312.gif) > > > > From: "L.P.H. van Belle" <belle at bazuin.nl> > To: "samba at lists.samba.org" <samba at lists.samba.org> > Cc: Mario Pio Russo/Ireland/IBM at IBMIE > Date: 01/05/2015 13:55 > Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore > > > > correct. > > bug still exists, just tested also on latest git master. > see : https://bugzilla.samba.org/show_bug.cgi?id=11061 > > > temp solution. > > try adding : > auth methods = sam, winbind > to smb.conf on the dc and restart the DC. > > > Greetz, > > Louis > > > >-----Oorspronkelijk bericht----- > >Van: mariopiorusso at ie.ibm.com > >[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo > >Verzonden: vrijdag 1 mei 2015 14:51 > >Aan: samba at lists.samba.org > >Onderwerp: [Samba] After the classicupgrade from samba3 to > >sernet-samba-4.2.1 , users are not able to remote desktop anymore > > > > > >Good Day All > > > >I have a current working configuration of sernet-samba-4.2.1, > >created by > >upgrading from a samba3 PDC using the classic upgrade. > > > >Now, I have added a windows 2008 machine to the domain and I'm > >using the AD > >snap in tools in order to browse the domain. > > > >I can see all the users and groups and they have been imported > >correctly. > >However I am able to remote desktop to the domain machines > >only with the > >user "Administrator at ccdc.lan"; no other user is able to RDP. > >Furthermore I am able to add machines to the domain only form the users > >Administrator, and not from any other user. I have been using the Group > >Policy Manager from the window administrative tool in order > >to grant logon > >rights to all the users belonging to the Domain User group; > >furthermore I > >have added the users to the group Remote Desktop users, but > >still I have no > >success at all. at the moment the group policies looks like this: > > > >root at ccdc-samba4:/# samba-tool gpo listall > >GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} > >display name : Default Domain Policy > >path : \\ccdc.lan\sysvol\ccdc.lan\Policies > >\{31B2F340-016D-11D2-945F-00C04FB984F9} > >dn : CN> >{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC > >=ccdc,DC=lan > >version : 3 > >flags : NONE > > > >GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} > >display name : Default Domain Controllers Policy > >path : \\ccdc.lan\sysvol\ccdc.lan\Policies > >\{6AC1786C-016F-11D2-945F-00C04FB984F9} > >dn : CN> >{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC > >=ccdc,DC=lan > >version : 7 > >flags : NONE > > > > > >while from the GPM looks like this: > > > >(Embedded image moved to file: pic08924.gif) > > > > > > > >I have also run gpupdate /force from he windows machine and If I do > >samba-tool gpo fetch <Domain Policy> I am able to see the > >changes I have > >done from the windows snap in > > > > > >I am unsure now where the problem lies, are the GPO I have > >modified being > >applied correctly on samba 4 OR is the GPO itself that is not > >configured > >correctly in order to allow RDP (and add machine to domain)? > >Or any other > >issue? > > > >Note that all this was working correctly when I did the same > >test upgrade > >from samba 3 to samba 4.1.6 > > > >also I am able to login to every machine in the domain using > >my domain user > >when logging in locally. > > > >Any idea / suggestion? > > > > > >thanks! > > > >_______________________________________________________________ > >____________________________ > > > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & > >FAX: +353 1 > >815 2236, eMail: mariopiorusso at ie.ibm.com > >IBM Ireland Product Distribution Limited registered in Ireland > >with number > >92815. Registered Office: IBM House, Shelbourne Road, > >Ballsbridge, Dublin 4 > > > >(Embedded image moved to file: pic19418.gif)-- > >To unsubscribe from this list go to the following URL and read the > >instructions: https://lists.samba.org/mailman/options/samba > > > >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >What is the output of "getfacl /var/lib/samba/sysvol"? mine is: # file: sysvol/ # owner: root # group: 3000000 user::rwx user:root:rwx group::rwx group:3000000:rwx group:3000001:r-x group:3000002:rwx group:3000003:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:3000000:rwx default:group:3000001:r-x default:group:3000002:rwx default:group:3000003:r-x default:mask::rwx default:other::--- Greetings!!
Mario Pio Russo
2015-May-01 13:36 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
Hi daniel here mine: root at ccdc-samba4:~# getfacl /var/lib/samba/sysvol getfacl: Removing leading '/' from absolute path names # file: var/lib/samba/sysvol # owner: root # group: 544 user::rwx user:root:rwx user:3000000:r-x user:3000001:rwx user:3000002:r-x group::rwx group:544:rwx group:3000000:r-x group:3000001:rwx group:3000002:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:3000000:r-x default:user:3000001:rwx default:user:3000002:r-x default:group::--- default:group:544:rwx default:group:3000000:r-x default:group:3000001:rwx default:group:3000002:r-x default:mask::rwx default:other::--- ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic15993.gif) From: Daniel Carrasco Mar?n <danielmadrid19 at gmail.com> To: Mario Pio Russo/Ireland/IBM at IBMIE Cc: "L.P.H. van Belle" <belle at bazuin.nl>, "samba at lists.samba.org" <samba at lists.samba.org> Date: 01/05/2015 14:30 Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore 2015-05-01 15:08 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>: Thanks Luis I've changed the smb.conf as you said, now it looks like this: root at ccdc-samba4:~# cat /etc/samba/smb.conf # Global parameters [global] ? ? ? ? workgroup = CCDC ? ? ? ? realm = CCDC.LAN ? ? ? ? netbios name = CCDC-SAMBA4 ? ? ? ? server role = active directory domain controller ? ? ? ? idmap_ldb:use rfc2307 = yes ? ? ? ? dns forwarder = 9.0.138.50 ? ? ? ? auth methods = sam, winbind [netlogon] ? ? ? ? path = /var/lib/samba/sysvol/ccdc.lan/scripts ? ? ? ? read only = No [sysvol] ? ? ? ? path = /var/lib/samba/sysvol ? ? ? ? read only = No root at ccdc-samba4:~# however from the windows machine when i try to update the group policies, I am now getting this errors: Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation.? All rights reserved. C:\Users\Administrator.CCDC>gpupdate /force Updating Policy... User policy could not be updated successfully. The following errors were encount ered: The processing of Group Policy failed. Windows attempted to read the file \\ccdc .lan\sysvol\ccdc.lan\Policies \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro m a domain controller and was not successful. Group Policy settings may not be a pplied until this event is resolved. This issue may be transient and could be ca used by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller ?has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. Computer policy could not be updated successfully. The following errors were enc ountered: The processing of Group Policy failed. Windows attempted to read the file \\ccdc .lan\sysvol\ccdc.lan\Policies \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro m a domain controller and was not successful. Group Policy settings may not be a pplied until this event is resolved. This issue may be transient and could be ca used by one or more of the following: a) Name Resolution/Network Connectivity to the current domain controller. b) File Replication Service Latency (a file created on another domain controller ?has not replicated to the current domain controller). c) The Distributed File System (DFS) client has been disabled. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f rom the command line to access information about Group Policy results. C:\Users\Administrator.CCDC> I'm still unable to login with normal users via RDP ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic16312.gif) From:? ?"L.P.H. van Belle" <belle at bazuin.nl> To:? ? ?"samba at lists.samba.org" <samba at lists.samba.org> Cc:? ? ?Mario Pio Russo/Ireland/IBM at IBMIE Date:? ?01/05/2015 13:55 Subject:? ? ? ? RE: [Samba] After the classicupgrade from samba3 to ? ? ? ? ? ? sernet-samba-4.2.1 , users are not able to remote desktop ? ? ? ? ? ? anymore correct. bug still exists, just tested also on latest git master. see : https://bugzilla.samba.org/show_bug.cgi?id=11061 temp solution. try adding : auth methods = sam, winbind to smb.conf on the dc and restart the DC. Greetz, Louis >-----Oorspronkelijk bericht----- >Van: mariopiorusso at ie.ibm.com >[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >Verzonden: vrijdag 1 mei 2015 14:51 >Aan: samba at lists.samba.org >Onderwerp: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop anymore > > >Good Day All > >I have a current working configuration of sernet-samba-4.2.1, >created by >upgrading from a samba3 PDC using the classic upgrade. > >Now, I have added a windows 2008 machine to the domain and I'm >using the AD >snap in tools in order to browse the domain. > >I can see all the users and groups and they have been imported >correctly. >However I am able to remote desktop to the domain machines >only with the >user "Administrator at ccdc.lan"; no other user is able to RDP. >Furthermore I am able to add machines to the domain only form the users >Administrator, and not from any other user. I have been using the Group >Policy Manager from the window? administrative tool in order >to grant logon >rights to all the users belonging to the Domain User group; >furthermore I >have added the users to the group Remote Desktop users, but >still I have no >success at all. at the moment the group policies looks like this: > >root at ccdc-samba4:/# samba-tool gpo listall >GPO? ? ? ? ? : {31B2F340-016D-11D2-945F-00C04FB984F9} >display name : Default Domain Policy >path? ? ? ? ?: \\ccdc.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9} >dn? ? ? ? ? ?: CN >{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >=ccdc,DC=lan >version? ? ? : 3 >flags? ? ? ? : NONE > >GPO? ? ? ? ? : {6AC1786C-016F-11D2-945F-00C04FB984F9} >display name : Default Domain Controllers Policy >path? ? ? ? ?: \\ccdc.lan\sysvol\ccdc.lan\Policies >\{6AC1786C-016F-11D2-945F-00C04FB984F9} >dn? ? ? ? ? ?: CN >{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >=ccdc,DC=lan >version? ? ? : 7 >flags? ? ? ? : NONE > > >while from the GPM looks like this: > >(Embedded image moved to file: pic08924.gif) > > > >I have also run gpupdate /force from he windows machine and If I do >samba-tool gpo fetch <Domain Policy> I am able to see the >changes I have >done from the windows snap in > > >I am unsure now where the problem lies, are the GPO I have >modified being >applied correctly on samba 4 OR is the GPO itself that is not >configured >correctly in order to allow RDP (and add machine to domain)? >Or any other >issue? > >Note that all this was working correctly when I did the same >test upgrade >from samba 3 to samba 4.1.6 > >also I am able to login to every machine in the domain using >my domain user >when logging in locally. > >Any idea / suggestion? > > >thanks! > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic19418.gif)-- >To unsubscribe from this list go to the following URL and read the >instructions:? https://lists.samba.org/mailman/options/samba > -- To unsubscribe from this list go to the following URL and read the instructions:? https://lists.samba.org/mailman/options/samba What is the output of "getfacl /var/lib/samba/sysvol"? mine is: # file: sysvol/ # owner: root # group: 3000000 user::rwx user:root:rwx group::rwx group:3000000:rwx group:3000001:r-x group:3000002:rwx group:3000003:r-x mask::rwx other::--- default:user::rwx default:user:root:rwx default:group::--- default:group:3000000:rwx default:group:3000001:r-x default:group:3000002:rwx default:group:3000003:r-x default:mask::rwx default:other::--- Greetings!!
Reasonably Related Threads
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )