L.P.H. van Belle
2015-Jun-04 14:49 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
You're mixing 2 things here.

>the upgrade works fine as far as I can see, samba starts and I am able to RDP using my domain admin rights. however I am not able to RDP using any other user.
>
>the error i get is:
>
>"The connection is denied because the user account is not authorized for remote login"
>
>however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS

BUILTIN/REMOTE DESKTOP USERS in the AD is not the same as BUILTIN/REMOTE DESKTOP USERS on a PC. 2 different groups, since these are on different PCs.

So what to do ... Create a GPO for this. (I'm translating from Dutch.)

New Policy, Default Computer, - Windows settings - security settings - Local Policies / here, Allow local login, with groups: BUILTIN\Administrator AND DOMAIN\MyRDP_Users

add Templates - System/Logon - Policy, Always Wait for network and logon.

I hope it's a bit clearer now.

Greetz,

Louis

>-----Original message-----
>From: mariopiorusso at ie.ibm.com [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>Sent: Thursday 4 June 2015 15:58
>To: samba
>Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>
>guys sorry to take this thread onboard once more, but I still can't get this sorted.
>
>I have compiled the latest tarball from samba, 4.2.2 . compilation works fine and after that I am able to upgrade from samba 3 with the following command:
>
>samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee upgrade.log
>
>the upgrade works fine as far as I can see, samba starts and I am able to RDP using my domain admin rights. however I am not able to RDP using any other user.
>
>the error I get is:
>
>"The connection is denied because the user account is not authorized for remote login"
>
>however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS
>
>dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan
>cn: mariopio
>instanceType: 4
>whenCreated: 20150604120049.0Z
>whenChanged: 20150604120049.0Z
>uSNCreated: 6165
>name: mariopio
>objectGUID:: cBOr+Abs90yYT6r612524Q=
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogon: 0
>primaryGroupID: 513
>objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA=
>logonCount: 0
>sAMAccountName: mariopio
>sAMAccountType: 805306368
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
>pwdLastSet: 130746879650000000
>displayName: Mario Pio Russo/Ireland/IBM
>scriptPath: logon.bat
>accountExpires: 137919572470000000
>lastLogoff: 137919572470000000
>logonHours:: ////////////////////////////
>userAccountControl: 512
>description: mariopiorusso at ie.ibm.com
>uidNumber: 3638
>objectClass: top
>objectClass: posixAccount
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>unixHomeDirectory: /home/mariopio
>loginShell: /bin/bash
>gidNumber: 513
>msSFU30NisDomain: ccdc
>uSNChanged: 6169
>memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
>memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan
>distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan
>
>This is my smb.conf
>
> cat /etc/samba/smb.conf
># Global parameters
>[global]
>        workgroup = CCDC
>        realm = ccdc.lan
>        netbios name = CCDC-SAMBA4
>        server role = active directory domain controller
>        server services = -winbindd +winbind
>        auth methods = winbind, sam
>        idmap_ldb:use rfc2307 = yes
>        dns forwarder = 9.0.138.50
>        idmap config CCDC:backend = ad
>        idmap config CCDC:schema_mode = rfc2307
>        idmap config CCDC:range = 10000-40000
>
>        # Store UIDs/GIDs for all other domains (including local
>        # accounts/groups of this server) in a tdb file
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
>
>        # Use home directory and shell information from AD
>        winbind nss info = rfc2307
>
>[netlogon]
>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>        read only = No
>
>[sysvol]
>        path = /var/lib/samba/sysvol
>        read only = No
>
>any suggestion?
>
>___________________________________________________________________________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
>From: "L.P.H. van Belle" <belle at bazuin.nl>
>To: Mario Pio Russo/Ireland/IBM at IBMIE
>Date: 01/05/2015 16:00
>Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>
>yes, you did hit that bug, like lots of us..
>
>4.1.x was ok yes.
>
>you can also try this one. ( remove the others ) for the 4.2.1 samba
>server services = -winbindd +winbind
>
>and use the old winbind behaviour.
>
>and you should get my scripts, change it for ubuntu. ( mail me the changes ;-) )
>and you have a clean and quick setup.
>
>look here.
>https://secure.bazuin.nl/scripts/
>read the 0-README-FIRST.TXT file
>
>I think most will work for ubuntu.
>Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh
>
>Have a nice weekend..
>
>Greetz,
>
>Louis
>
>>-----Original message-----
>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Sent: Friday 1 May 2015 16:49
>>To: L.P.H. van Belle
>>CC: samba at lists.samba.org
>>Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>
>>yeah I'm confused too. I think AD is the backend to be honest.
>>that parameter was automatically added to the smb.conf when running the classicupgrade. nothing else has been populated.
>>
>>I can def try to give it a go with the parameters set on the link you sent me.
>>
>>It's a strange behaviour tho, I am still unsure if I have run in bug
>>https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>>or I am still a step behind that bug. nevertheless, with the native 4.1.6 all was working fine
>>
>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>To: Mario Pio Russo/Ireland/IBM at IBMIE
>>Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>>Date: 01/05/2015 14:50
>>Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>
>>while I'm reading..
>>
>>I'm seeing :
>>getfacl: Removing leading '/' from absolute path names
>># file: var/lib/samba/sysvol
>># owner: root
>># group: 544
>>
>>you're using :
>>idmap_ldb:use rfc2307 = yes
>>but I don't see a complete smb.conf for a rfc2307 setup.
>>
>>please also read : https://wiki.samba.org/index.php/RFC2307_backend
>>
>>so I'm puzzled what your backend is set to (AD or RID) and what the ranges are.
>>
>>Greetz,
>>
>>louis
>>
>>>-----Original message-----
>>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>Sent: Friday 1 May 2015 15:35
>>>To: L.P.H. van Belle
>>>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>>>Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>>
>>>ok this is my smb.conf file now
>>>
>>># Global parameters
>>>[global]
>>>        workgroup = CCDC
>>>        realm = CCDC.LAN
>>>        netbios name = CCDC-SAMBA4
>>>        server role = active directory domain controller
>>>        idmap_ldb:use rfc2307 = yes
>>>        dns forwarder = 9.0.138.50
>>>        ##For debugging
>>>        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>        auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>>[netlogon]
>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>        read only = No
>>>
>>>[sysvol]
>>>        path = /var/lib/samba/sysvol
>>>        read only = No
>>>
>>>still same error on the windows machine
>>>
>>>It looks like that the GPO are now applied when we do not define the directive
>>>
>>>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>>
>>>let me know if you need any other debugging info, I'm happy to help (and get this sorted :D)
>>>
>>>thanks
>>>
>>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>>Date: 01/05/2015 14:24
>>>Subject: Re: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
>>>Sent by: samba-bounces at lists.samba.org
>>>
>>>Hello Mario ,
>>>
>>>what if you try these :
>>>
>>>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
>>>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>>
>>>!! these are only for helping in debugging and should not be used in production.
>>>!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem (solved)
>>>!! and especially : Mon 27-4-2015 8:37 from Andrew Bartlett
>>>
>>>so if you want to help debug, that would be nice. see bug-id in subject.
>>>
>>>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>>auth methods = sam, winbind is sufficient to login with rdp.
>>>so if we can find what we need to get GPO working also, that might help the developers.
>>>
>>>I'll set some GPOs in my test and try again also.
>>>
>>>Greetz,
>>>
>>>Louis
>>>
>>>>-----Original message-----
>>>>From: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>>Sent: Friday 1 May 2015 15:08
>>>>To: L.P.H. van Belle
>>>>CC: samba at lists.samba.org
>>>>Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>>Thanks Luis
>>>>
>>>>I've changed the smb.conf as you said, now it looks like this:
>>>>
>>>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>>># Global parameters
>>>>[global]
>>>>        workgroup = CCDC
>>>>        realm = CCDC.LAN
>>>>        netbios name = CCDC-SAMBA4
>>>>        server role = active directory domain controller
>>>>        idmap_ldb:use rfc2307 = yes
>>>>        dns forwarder = 9.0.138.50
>>>>        auth methods = sam, winbind
>>>>
>>>>[netlogon]
>>>>        path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>        read only = No
>>>>
>>>>[sysvol]
>>>>        path = /var/lib/samba/sysvol
>>>>        read only = No
>>>>root at ccdc-samba4:~#
>>>>
>>>>however from the windows machine when I try to update the group policies, I am now getting these errors:
>>>>
>>>>Microsoft Windows [Version 6.1.7601]
>>>>Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>>>
>>>>C:\Users\Administrator.CCDC>gpupdate /force
>>>>Updating Policy...
>>>>
>>>>User policy could not be updated successfully. The following errors were encountered:
>>>>
>>>>The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>>b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>>c) The Distributed File System (DFS) client has been disabled.
>>>>Computer policy could not be updated successfully. The following errors were encountered:
>>>>
>>>>The processing of Group Policy failed. Windows attempted to read the file \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
>>>>a) Name Resolution/Network Connectivity to the current domain controller.
>>>>b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
>>>>c) The Distributed File System (DFS) client has been disabled.
>>>>
>>>>To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
>>>>
>>>>C:\Users\Administrator.CCDC>
>>>>
>>>>I'm still unable to login with normal users via RDP
>>>>
>>>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>>>To: "samba at lists.samba.org" <samba at lists.samba.org>
>>>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>>>Date: 01/05/2015 13:55
>>>>Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>
>>>>correct.
>>>>
>>>>bug still exists, just tested also on latest git master.
>>>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>>
>>>>temp solution.
>>>>
>>>>try adding :
>>>>auth methods = sam, winbind
>>>>to smb.conf on the dc and restart the DC.
>>>>
>>>>Greetz,
>>>>
>>>>Louis
>>>>
>>>>>-----Original message-----
>>>>>From: mariopiorusso at ie.ibm.com [mailto:samba-bounces at lists.samba.org] On behalf of Mario Pio Russo
>>>>>Sent: Friday 1 May 2015 14:51
>>>>>To: samba at lists.samba.org
>>>>>Subject: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>>>
>>>>>Good Day All
>>>>>
>>>>>I have a current working configuration of sernet-samba-4.2.1, created by upgrading from a samba3 PDC using the classic upgrade.
>>>>>
>>>>>Now, I have added a windows 2008 machine to the domain and I'm using the AD snap in tools in order to browse the domain.
>>>>>
>>>>>I can see all the users and groups and they have been imported correctly. However I am able to remote desktop to the domain machines only with the user "Administrator at ccdc.lan"; no other user is able to RDP. Furthermore I am able to add machines to the domain only from the users Administrator, and not from any other user. I have been using the Group Policy Manager from the window administrative tool in order to grant logon rights to all the users belonging to the Domain User group; furthermore I have added the users to the group Remote Desktop users, but still I have no success at all.
>>>>>at the moment the group policies looks like this:
>>>>>
>>>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>display name : Default Domain Policy
>>>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>version : 3
>>>>>flags : NONE
>>>>>
>>>>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>display name : Default Domain Controllers Policy
>>>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>>dn : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ccdc,DC=lan
>>>>>version : 7
>>>>>flags : NONE
>>>>>
>>>>>while from the GPM looks like this:
>>>>>
>>>>>(Embedded image moved to file: pic08924.gif)
>>>>>
>>>>>I have also run gpupdate /force from the windows machine and If I do samba-tool gpo fetch <Domain Policy> I am able to see the changes I have done from the windows snap in
>>>>>
>>>>>I am unsure now where the problem lies, are the GPO I have modified being applied correctly on samba 4 OR is the GPO itself that is not configured correctly in order to allow RDP (and add machine to domain)? Or any other issue?
>>>>>
>>>>>Note that all this was working correctly when I did the same test upgrade from samba 3 to samba 4.1.6
>>>>>
>>>>>also I am able to login to every machine in the domain using my domain user when logging in locally.
>>>>>
>>>>>Any idea / suggestion?
>>>>>
>>>>>thanks!
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
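
As an added example (not part of the thread and not Samba's own code): a small Python check that reports whether a DC's smb.conf still carries the `auth methods`, `dcerpc endpoint servers` or `server services` overrides that this thread introduces as workarounds for bug 11061. The function names, the reason strings and the sample config are constructed for illustration.

```python
import re

# Settings this thread introduces as workarounds for bug 11061. The reasons
# paraphrase the thread; they are not Samba's own documentation.
WORKAROUNDS = {
    "authmethods": "temporary fix from the thread; remove once the bug is fixed",
    "dcerpcendpointservers": "described in the thread as debugging-only",
    "serverservices": "thread's switch back to the old winbind behaviour",
}

# Constructed sample, assembled from the smb.conf variants quoted in the thread.
SAMPLE = """\
# Global parameters
[global]
    workgroup = CCDC
    realm = ccdc.lan
    server role = active directory domain controller
    server services = -winbindd +winbind
    Auth Methods = sam, winbind, ntdomain, ntdomain:winbind
    dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, \\
        netlogon, lsarpc
[netlogon]
    path = /var/lib/samba/sysvol/ccdc.lan/scripts
    read only = No
"""

def _norm(name):
    # Samba matches parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: (first_line_no, value)}}."""
    sections, current, pending, start = {}, None, "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = no
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm(key)] = (start, value.strip())
    return sections

def audit(text):
    """Return (line_no, param, value, reason) for each workaround on an AD DC."""
    glob = parse_smb_conf(text).get("global", {})
    role = glob.get("serverrole", (0, ""))[1].lower()
    if role != "active directory domain controller":
        return []
    return sorted((no, key, val, WORKAROUNDS[key])
                  for key, (no, val) in glob.items() if key in WORKAROUNDS)

if __name__ == "__main__":
    for no, key, val, why in audit(SAMPLE):
        print(f"line {no}: {key} = {val}  <- {why}")
```
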