L.P.H. van Belle
2015-May-01 13:23 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
Hello Mario , what if you try these : dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc auth methods = sam, winbind, ntdomain, ntdomain:winbind !! these are only for helping in debugging and should not be used in production. !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem (solved) !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett so if you want to help debuggen, that would be nice. see bug-id in subject. In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) auth methods = sam, winbind is sufficient to login with rdp. so if we can find what we need to get GPO workin also, that might help the developers. I'll set some GPOs in my test and try again also. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:08 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org >Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop anymore > >Thanks Luis > >I've changed the smb.conf as you said, now it looks like this: > > >root at ccdc-samba4:~# cat /etc/samba/smb.conf ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > auth methods = sam, winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No >root at ccdc-samba4:~# > > >however from the windows machine when i try to update the >group policies, I >am now getting this errors: > > > >Microsoft Windows [Version 6.1.7601] >Copyright (c) 2009 Microsoft Corporation. All rights reserved. > >C:\Users\Administrator.CCDC>gpupdate /force >Updating Policy... > >User policy could not be updated successfully. The following >errors were >encount >ered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. >Computer policy could not be updated successfully. The following errors >were enc >ountered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. > >To diagnose the failure, review the event log or run GPRESULT /H >GPReport.html f >rom the command line to access information about Group Policy results. > >C:\Users\Administrator.CCDC> > > > > > >I'm still unable to login with normal users via RDP > > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic60454.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 13:55 >Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore > > > >correct. > >bug still exists, just tested also on latest git master. >see : https://bugzilla.samba.org/show_bug.cgi?id=11061 > > >temp solution. > >try adding : >auth methods = sam, winbind >to smb.conf on the dc and restart the DC. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: mariopiorusso at ie.ibm.com >>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>Verzonden: vrijdag 1 mei 2015 14:51 >>Aan: samba at lists.samba.org >>Onderwerp: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >> >>Good Day All >> >>I have a current working configuration of sernet-samba-4.2.1, >>created by >>upgrading from a samba3 PDC using the classic upgrade. >> >>Now, I have added a windows 2008 machine to the domain and I'm >>using the AD >>snap in tools in order to browse the domain. >> >>I can see all the users and groups and they have been imported >>correctly. >>However I am able to remote desktop to the domain machines >>only with the >>user "Administrator at ccdc.lan"; no other user is able to RDP. >>Furthermore I am able to add machines to the domain only form >the users >>Administrator, and not from any other user. I have been using >the Group >>Policy Manager from the window administrative tool in order >>to grant logon >>rights to all the users belonging to the Domain User group; >>furthermore I >>have added the users to the group Remote Desktop users, but >>still I have no >>success at all. at the moment the group policies looks like this: >> >>root at ccdc-samba4:/# samba-tool gpo listall >>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>display name : Default Domain Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>dn : CN>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 3 >>flags : NONE >> >>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>display name : Default Domain Controllers Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>dn : CN>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 7 >>flags : NONE >> >> >>while from the GPM looks like this: >> >>(Embedded image moved to file: pic08924.gif) >> >> >> >>I have also run gpupdate /force from he windows machine and If I do >>samba-tool gpo fetch <Domain Policy> I am able to see the >>changes I have >>done from the windows snap in >> >> >>I am unsure now where the problem lies, are the GPO I have >>modified being >>applied correctly on samba 4 OR is the GPO itself that is not >>configured >>correctly in order to allow RDP (and add machine to domain)? >>Or any other >>issue? >> >>Note that all this was working correctly when I did the same >>test upgrade >>from samba 3 to samba 4.1.6 >> >>also I am able to login to every machine in the domain using >>my domain user >>when logging in locally. >> >>Any idea / suggestion? >> >> >>thanks! >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic19418.gif)-- >>To unsubscribe from this list go to the following URL and read the >>instructions: https://lists.samba.org/mailman/options/samba >> > > >
Mario Pio Russo
2015-May-01 13:34 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
ok this is my smb.conf file now
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 9.0.138.50
##For debugging
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver, remote, winreg, srvsvc
auth methods = sam, winbind, ntdomain, ntdomain:winbind
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
still same error on the windows machine
It looks like that the GPO are now applied when we do not define the
directive
"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
let me know if you need any other debugging info, I'm happy to hel (and get
this sorted :D)
thanks
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
(Embedded image moved to file: pic32512.gif)
From: "L.P.H. van Belle" <belle at bazuin.nl>
To: "samba at lists.samba.org" <samba at lists.samba.org>
Cc: Mario Pio Russo/Ireland/IBM at IBMIE
Date: 01/05/2015 14:24
Subject: Re: [Samba] After the classicupgrade from samba3
tosernet-samba-4.2.1 , users are not able to remote desktop
anymore ( bug11061 )
Sent by: samba-bounces at lists.samba.org
Hello Mario ,
what if you try these :
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey,
dnsserver, remote, winreg, srvsvc
auth methods = sam, winbind, ntdomain, ntdomain:winbind
!! these are only for helping in debugging and should not be used in
production.
!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
(solved)
!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett
so if you want to help debuggen, that would be nice. see bug-id in subject.
In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
auth methods = sam, winbind is sufficient to login with rdp.
so if we can find what we need to get GPO workin also, that might help the
developers.
I'll set some GPOs in my test and try again also.
Greetz,
Louis
>-----Oorspronkelijk bericht-----
>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>Verzonden: vrijdag 1 mei 2015 15:08
>Aan: L.P.H. van Belle
>CC: samba at lists.samba.org
>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>
>Thanks Luis
>
>I've changed the smb.conf as you said, now it looks like this:
>
>
>root at ccdc-samba4:~# cat /etc/samba/smb.conf
># Global parameters
>[global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 9.0.138.50
> auth methods = sam, winbind
>
>[netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>root at ccdc-samba4:~#
>
>
>however from the windows machine when i try to update the
>group policies, I
>am now getting this errors:
>
>
>
>Microsoft Windows [Version 6.1.7601]
>Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>
>C:\Users\Administrator.CCDC>gpupdate /force
>Updating Policy...
>
>User policy could not be updated successfully. The following
>errors were
>encount
>ered:
>
>The processing of Group Policy failed. Windows attempted to
>read the file
>\\ccdc
>.lan\sysvol\ccdc.lan\Policies
>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>m a domain controller and was not successful. Group Policy
>settings may not
>be a
>pplied until this event is resolved. This issue may be
>transient and could
>be ca
>used by one or more of the following:
>a) Name Resolution/Network Connectivity to the current domain
>controller.
>b) File Replication Service Latency (a file created on another domain
>controller
> has not replicated to the current domain controller).
>c) The Distributed File System (DFS) client has been disabled.
>Computer policy could not be updated successfully. The following errors
>were enc
>ountered:
>
>The processing of Group Policy failed. Windows attempted to
>read the file
>\\ccdc
>.lan\sysvol\ccdc.lan\Policies
>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>m a domain controller and was not successful. Group Policy
>settings may not
>be a
>pplied until this event is resolved. This issue may be
>transient and could
>be ca
>used by one or more of the following:
>a) Name Resolution/Network Connectivity to the current domain
>controller.
>b) File Replication Service Latency (a file created on another domain
>controller
> has not replicated to the current domain controller).
>c) The Distributed File System (DFS) client has been disabled.
>
>To diagnose the failure, review the event log or run GPRESULT /H
>GPReport.html f
>rom the command line to access information about Group Policy results.
>
>C:\Users\Administrator.CCDC>
>
>
>
>
>
>I'm still unable to login with normal users via RDP
>
>
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland
>with number
>92815. Registered Office: IBM House, Shelbourne Road,
>Ballsbridge, Dublin 4
>
>(Embedded image moved to file: pic60454.gif)
>
>
>
>From: "L.P.H. van Belle" <belle at bazuin.nl>
>To: "samba at lists.samba.org" <samba at lists.samba.org>
>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>Date: 01/05/2015 13:55
>Subject: RE: [Samba] After the classicupgrade from samba3 to
> sernet-samba-4.2.1 , users are not able to remote desktop
> anymore
>
>
>
>correct.
>
>bug still exists, just tested also on latest git master.
>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>
>
>temp solution.
>
>try adding :
>auth methods = sam, winbind
>to smb.conf on the dc and restart the DC.
>
>
>Greetz,
>
>Louis
>
>
>>-----Oorspronkelijk bericht-----
>>Van: mariopiorusso at ie.ibm.com
>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
>>Verzonden: vrijdag 1 mei 2015 14:51
>>Aan: samba at lists.samba.org
>>Onderwerp: [Samba] After the classicupgrade from samba3 to
>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>
>>
>>Good Day All
>>
>>I have a current working configuration of sernet-samba-4.2.1,
>>created by
>>upgrading from a samba3 PDC using the classic upgrade.
>>
>>Now, I have added a windows 2008 machine to the domain and I'm
>>using the AD
>>snap in tools in order to browse the domain.
>>
>>I can see all the users and groups and they have been imported
>>correctly.
>>However I am able to remote desktop to the domain machines
>>only with the
>>user "Administrator at ccdc.lan"; no other user is able to
RDP.
>>Furthermore I am able to add machines to the domain only form
>the users
>>Administrator, and not from any other user. I have been using
>the Group
>>Policy Manager from the window administrative tool in order
>>to grant logon
>>rights to all the users belonging to the Domain User group;
>>furthermore I
>>have added the users to the group Remote Desktop users, but
>>still I have no
>>success at all. at the moment the group policies looks like this:
>>
>>root at ccdc-samba4:/# samba-tool gpo listall
>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>display name : Default Domain Policy
>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>dn :
CN>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>=ccdc,DC=lan
>>version : 3
>>flags : NONE
>>
>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>display name : Default Domain Controllers Policy
>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>dn :
CN>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>=ccdc,DC=lan
>>version : 7
>>flags : NONE
>>
>>
>>while from the GPM looks like this:
>>
>>(Embedded image moved to file: pic08924.gif)
>>
>>
>>
>>I have also run gpupdate /force from he windows machine and If I do
>>samba-tool gpo fetch <Domain Policy> I am able to see the
>>changes I have
>>done from the windows snap in
>>
>>
>>I am unsure now where the problem lies, are the GPO I have
>>modified being
>>applied correctly on samba 4 OR is the GPO itself that is not
>>configured
>>correctly in order to allow RDP (and add machine to domain)?
>>Or any other
>>issue?
>>
>>Note that all this was working correctly when I did the same
>>test upgrade
>>from samba 3 to samba 4.1.6
>>
>>also I am able to login to every machine in the domain using
>>my domain user
>>when logging in locally.
>>
>>Any idea / suggestion?
>>
>>
>>thanks!
>>
>>_______________________________________________________________
>>____________________________
>>
>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>FAX: +353 1
>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>IBM Ireland Product Distribution Limited registered in Ireland
>>with number
>>92815. Registered Office: IBM House, Shelbourne Road,
>>Ballsbridge, Dublin 4
>>
>>(Embedded image moved to file: pic19418.gif)--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2015-May-01 13:40 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
Great is you would help also in debugging this. and just a notice.. You do know that .lan is reserved by apples mDNS. (zeroconf) --------------------------------------------------- ( copy of Andrew's tekst.. ) Please re-try with git master, as I understand patches to fix this have been committed. If that doesn't help, can you get a level 10 debug with this, and with the default configuration, and put it on bug https://bugzilla.samba.org/show_bug.cgi?id=11061 I need specifically the time that the hang happens. As a developer I still don't see how this area of code changes with a change to the auth methods, so I'm most curious but even more so, most puzzled . Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba --------------------------------------------------->-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:35 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org; samba-bounces at lists.samba.org >Onderwerp: Re: [Samba] After the classicupgrade from samba3 >tosernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >ok this is my smb.conf file now > > ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No > > >still same error on the windows machine > >It looks like that the GPO are now applied when we do not define the >directive > >"auth methods = sam, winbind, ntdomain, ntdomain:winbind" > >let me know if you need any other debugging info, I'm happy to >hel (and get >this sorted :D) > >thanks > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic03533.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 14:24 >Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to >remote desktop > anymore ( bug11061 ) >Sent by: samba-bounces at lists.samba.org > > > >Hello Mario , > >what if you try these : > >dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >eventlog6, backupkey, >dnsserver, remote, winreg, srvsvc >auth methods = sam, winbind, ntdomain, ntdomain:winbind > >!! these are only for helping in debugging and should not be used in >production. >!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem >(solved) >!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > >so if you want to help debuggen, that would be nice. see >bug-id in subject. > >In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >auth methods = sam, winbind is sufficient to login with rdp. >so if we can find what we need to get GPO workin also, that >might help the >developers. > >I'll set some GPOs in my test and try again also. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:08 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org >>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >>Thanks Luis >> >>I've changed the smb.conf as you said, now it looks like this: >> >> >>root at ccdc-samba4:~# cat /etc/samba/smb.conf >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >>root at ccdc-samba4:~# >> >> >>however from the windows machine when i try to update the >>group policies, I >>am now getting this errors: >> >> >> >>Microsoft Windows [Version 6.1.7601] >>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >>C:\Users\Administrator.CCDC>gpupdate /force >>Updating Policy... >> >>User policy could not be updated successfully. The following >>errors were >>encount >>ered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >>Computer policy could not be updated successfully. The >following errors >>were enc >>ountered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >> >>To diagnose the failure, review the event log or run GPRESULT /H >>GPReport.html f >>rom the command line to access information about Group Policy results. >> >>C:\Users\Administrator.CCDC> >> >> >> >> >> >>I'm still unable to login with normal users via RDP >> >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic60454.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 13:55 >>Subject: RE: [Samba] After the classicupgrade >from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >>correct. >> >>bug still exists, just tested also on latest git master. >>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >>temp solution. >> >>try adding : >>auth methods = sam, winbind >>to smb.conf on the dc and restart the DC. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: mariopiorusso at ie.ibm.com >>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>Verzonden: vrijdag 1 mei 2015 14:51 >>>Aan: samba at lists.samba.org >>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>>Good Day All >>> >>>I have a current working configuration of sernet-samba-4.2.1, >>>created by >>>upgrading from a samba3 PDC using the classic upgrade. >>> >>>Now, I have added a windows 2008 machine to the domain and I'm >>>using the AD >>>snap in tools in order to browse the domain. >>> >>>I can see all the users and groups and they have been imported >>>correctly. >>>However I am able to remote desktop to the domain machines >>>only with the >>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>Furthermore I am able to add machines to the domain only form >>the users >>>Administrator, and not from any other user. I have been using >>the Group >>>Policy Manager from the window administrative tool in order >>>to grant logon >>>rights to all the users belonging to the Domain User group; >>>furthermore I >>>have added the users to the group Remote Desktop users, but >>>still I have no >>>success at all. at the moment the group policies looks like this: >>> >>>root at ccdc-samba4:/# samba-tool gpo listall >>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>display name : Default Domain Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>dn : CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 3 >>>flags : NONE >>> >>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>display name : Default Domain Controllers Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>dn : CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 7 >>>flags : NONE >>> >>> >>>while from the GPM looks like this: >>> >>>(Embedded image moved to file: pic08924.gif) >>> >>> >>> >>>I have also run gpupdate /force from he windows machine and If I do >>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>changes I have >>>done from the windows snap in >>> >>> >>>I am unsure now where the problem lies, are the GPO I have >>>modified being >>>applied correctly on samba 4 OR is the GPO itself that is not >>>configured >>>correctly in order to allow RDP (and add machine to domain)? >>>Or any other >>>issue? >>> >>>Note that all this was working correctly when I did the same >>>test upgrade >>>from samba 3 to samba 4.1.6 >>> >>>also I am able to login to every machine in the domain using >>>my domain user >>>when logging in locally. >>> >>>Any idea / suggestion? >>> >>> >>>thanks! >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic19418.gif)-- >>>To unsubscribe from this list go to the following URL and read the >>>instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > > >
L.P.H. van Belle
2015-May-01 13:49 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
while im reading.. im seeing : getfacl: Removing leading '/' from absolute path names # file: var/lib/samba/sysvol # owner: root # group: 544 your using : idmap_ldb:use rfc2307 = yes but i dont see a complete smb.conf for a rfc2307 setup. please also read : https://wiki.samba.org/index.php/RFC2307_backend so im puzzel what your backend is set to (AD or RID) and what the ranges are. Greetz, louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:35 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org; samba-bounces at lists.samba.org >Onderwerp: Re: [Samba] After the classicupgrade from samba3 >tosernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >ok this is my smb.conf file now > > ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No > > >still same error on the windows machine > >It looks like that the GPO are now applied when we do not define the >directive > >"auth methods = sam, winbind, ntdomain, ntdomain:winbind" > >let me know if you need any other debugging info, I'm happy to >hel (and get >this sorted :D) > >thanks > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic03533.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 14:24 >Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to >remote desktop > anymore ( bug11061 ) >Sent by: samba-bounces at lists.samba.org > > > >Hello Mario , > >what if you try these : > >dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >eventlog6, backupkey, >dnsserver, remote, winreg, srvsvc >auth methods = sam, winbind, ntdomain, ntdomain:winbind > >!! these are only for helping in debugging and should not be used in >production. >!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem >(solved) >!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > >so if you want to help debuggen, that would be nice. see >bug-id in subject. > >In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >auth methods = sam, winbind is sufficient to login with rdp. >so if we can find what we need to get GPO workin also, that >might help the >developers. > >I'll set some GPOs in my test and try again also. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:08 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org >>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >>Thanks Luis >> >>I've changed the smb.conf as you said, now it looks like this: >> >> >>root at ccdc-samba4:~# cat /etc/samba/smb.conf >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >>root at ccdc-samba4:~# >> >> >>however from the windows machine when i try to update the >>group policies, I >>am now getting this errors: >> >> >> >>Microsoft Windows [Version 6.1.7601] >>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >>C:\Users\Administrator.CCDC>gpupdate /force >>Updating Policy... >> >>User policy could not be updated successfully. The following >>errors were >>encount >>ered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >>Computer policy could not be updated successfully. The >following errors >>were enc >>ountered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >> >>To diagnose the failure, review the event log or run GPRESULT /H >>GPReport.html f >>rom the command line to access information about Group Policy results. >> >>C:\Users\Administrator.CCDC> >> >> >> >> >> >>I'm still unable to login with normal users via RDP >> >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic60454.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 13:55 >>Subject: RE: [Samba] After the classicupgrade >from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >>correct. >> >>bug still exists, just tested also on latest git master. >>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >>temp solution. >> >>try adding : >>auth methods = sam, winbind >>to smb.conf on the dc and restart the DC. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: mariopiorusso at ie.ibm.com >>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>Verzonden: vrijdag 1 mei 2015 14:51 >>>Aan: samba at lists.samba.org >>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>>Good Day All >>> >>>I have a current working configuration of sernet-samba-4.2.1, >>>created by >>>upgrading from a samba3 PDC using the classic upgrade. >>> >>>Now, I have added a windows 2008 machine to the domain and I'm >>>using the AD >>>snap in tools in order to browse the domain. >>> >>>I can see all the users and groups and they have been imported >>>correctly. >>>However I am able to remote desktop to the domain machines >>>only with the >>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>Furthermore I am able to add machines to the domain only form >>the users >>>Administrator, and not from any other user. I have been using >>the Group >>>Policy Manager from the window administrative tool in order >>>to grant logon >>>rights to all the users belonging to the Domain User group; >>>furthermore I >>>have added the users to the group Remote Desktop users, but >>>still I have no >>>success at all. at the moment the group policies looks like this: >>> >>>root at ccdc-samba4:/# samba-tool gpo listall >>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>display name : Default Domain Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>dn : CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 3 >>>flags : NONE >>> >>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>display name : Default Domain Controllers Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>dn : CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 7 >>>flags : NONE >>> >>> >>>while from the GPM looks like this: >>> >>>(Embedded image moved to file: pic08924.gif) >>> >>> >>> >>>I have also run gpupdate /force from he windows machine and If I do >>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>changes I have >>>done from the windows snap in >>> >>> >>>I am unsure now where the problem lies, are the GPO I have >>>modified being >>>applied correctly on samba 4 OR is the GPO itself that is not >>>configured >>>correctly in order to allow RDP (and add machine to domain)? >>>Or any other >>>issue? >>> >>>Note that all this was working correctly when I did the same >>>test upgrade >>>from samba 3 to samba 4.1.6 >>> >>>also I am able to login to every machine in the domain using >>>my domain user >>>when logging in locally. >>> >>>Any idea / suggestion? >>> >>> >>>thanks! >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic19418.gif)-- >>>To unsubscribe from this list go to the following URL and read the >>>instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > > >
Steve Ankeny
2015-May-01 14:29 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
On Samba AD DC most of these enpoint server are already running -- dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy Use samba-tool testparm -v first before adding them to the smb.conf I say this because I could not "join" Windows clients to Samba with these running from smb.conf Rowland indicated these stopped certain other services -- wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey https://lists.samba.org/archive/samba/2015-February/189171.html On 05/01/2015 09:34 AM, Mario Pio Russo wrote:> ok this is my smb.conf file now > > > # Global parameters > [global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, > backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > > [netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > still same error on the windows machine > > It looks like that the GPO are now applied when we do not define the > directive > > "auth methods = sam, winbind, ntdomain, ntdomain:winbind" > > let me know if you need any other debugging info, I'm happy to hel (and get > this sorted :D) > > thanks > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic32512.gif) > > > > From: "L.P.H. van Belle" <belle at bazuin.nl> > To: "samba at lists.samba.org" <samba at lists.samba.org> > Cc: Mario Pio Russo/Ireland/IBM at IBMIE > Date: 01/05/2015 14:24 > Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to remote desktop > anymore ( bug11061 ) > Sent by: samba-bounces at lists.samba.org > > > > Hello Mario , > > what if you try these : > > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, > lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, > dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > > !! these are only for helping in debugging and should not be used in > production. > !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem > (solved) > !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > > so if you want to help debuggen, that would be nice. see bug-id in subject. > > In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) > auth methods = sam, winbind is sufficient to login with rdp. > so if we can find what we need to get GPO workin also, that might help the > developers. > > I'll set some GPOs in my test and try again also. > > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >> Verzonden: vrijdag 1 mei 2015 15:08 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >> Thanks Luis >> >> I've changed the smb.conf as you said, now it looks like this: >> >> >> root at ccdc-samba4:~# cat /etc/samba/smb.conf >> # Global parameters >> [global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >> [netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> root at ccdc-samba4:~# >> >> >> however from the windows machine when i try to update the >> group policies, I >> am now getting this errors: >> >> >> >> Microsoft Windows [Version 6.1.7601] >> Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >> C:\Users\Administrator.CCDC>gpupdate /force >> Updating Policy... >> >> User policy could not be updated successfully. The following >> errors were >> encount >> ered: >> >> The processing of Group Policy failed. Windows attempted to >> read the file >> \\ccdc >> .lan\sysvol\ccdc.lan\Policies >> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >> m a domain controller and was not successful. Group Policy >> settings may not >> be a >> pplied until this event is resolved. This issue may be >> transient and could >> be ca >> used by one or more of the following: >> a) Name Resolution/Network Connectivity to the current domain >> controller. >> b) File Replication Service Latency (a file created on another domain >> controller >> has not replicated to the current domain controller). >> c) The Distributed File System (DFS) client has been disabled. >> Computer policy could not be updated successfully. The following errors >> were enc >> ountered: >> >> The processing of Group Policy failed. Windows attempted to >> read the file >> \\ccdc >> .lan\sysvol\ccdc.lan\Policies >> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >> m a domain controller and was not successful. Group Policy >> settings may not >> be a >> pplied until this event is resolved. This issue may be >> transient and could >> be ca >> used by one or more of the following: >> a) Name Resolution/Network Connectivity to the current domain >> controller. >> b) File Replication Service Latency (a file created on another domain >> controller >> has not replicated to the current domain controller). >> c) The Distributed File System (DFS) client has been disabled. >> >> To diagnose the failure, review the event log or run GPRESULT /H >> GPReport.html f >> rom the command line to access information about Group Policy results. >> >> C:\Users\Administrator.CCDC> >> >> >> >> >> >> I'm still unable to login with normal users via RDP >> >> >> _______________________________________________________________ >> ____________________________ >> >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >> FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland >> with number >> 92815. Registered Office: IBM House, Shelbourne Road, >> Ballsbridge, Dublin 4 >> >> (Embedded image moved to file: pic60454.gif) >> >> >> >> From: "L.P.H. van Belle" <belle at bazuin.nl> >> To: "samba at lists.samba.org" <samba at lists.samba.org> >> Cc: Mario Pio Russo/Ireland/IBM at IBMIE >> Date: 01/05/2015 13:55 >> Subject: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >> correct. >> >> bug still exists, just tested also on latest git master. >> see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >> temp solution. >> >> try adding : >> auth methods = sam, winbind >> to smb.conf on the dc and restart the DC. >> >> >> Greetz, >> >> Louis >> >> >>> -----Oorspronkelijk bericht----- >>> Van: mariopiorusso at ie.ibm.com >>> [mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>> Verzonden: vrijdag 1 mei 2015 14:51 >>> Aan: samba at lists.samba.org >>> Onderwerp: [Samba] After the classicupgrade from samba3 to >>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>> Good Day All >>> >>> I have a current working configuration of sernet-samba-4.2.1, >>> created by >>> upgrading from a samba3 PDC using the classic upgrade. >>> >>> Now, I have added a windows 2008 machine to the domain and I'm >>> using the AD >>> snap in tools in order to browse the domain. >>> >>> I can see all the users and groups and they have been imported >>> correctly. >>> However I am able to remote desktop to the domain machines >>> only with the >>> user "Administrator at ccdc.lan"; no other user is able to RDP. >>> Furthermore I am able to add machines to the domain only form >> the users >>> Administrator, and not from any other user. I have been using >> the Group >>> Policy Manager from the window administrative tool in order >>> to grant logon >>> rights to all the users belonging to the Domain User group; >>> furthermore I >>> have added the users to the group Remote Desktop users, but >>> still I have no >>> success at all. at the moment the group policies looks like this: >>> >>> root at ccdc-samba4:/# samba-tool gpo listall >>> GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>> display name : Default Domain Policy >>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>> \{31B2F340-016D-11D2-945F-00C04FB984F9} >>> dn : CN>>> {31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>> =ccdc,DC=lan >>> version : 3 >>> flags : NONE >>> >>> GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>> display name : Default Domain Controllers Policy >>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>> \{6AC1786C-016F-11D2-945F-00C04FB984F9} >>> dn : CN>>> {6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>> =ccdc,DC=lan >>> version : 7 >>> flags : NONE >>> >>> >>> while from the GPM looks like this: >>> >>> (Embedded image moved to file: pic08924.gif) >>> >>> >>> >>> I have also run gpupdate /force from he windows machine and If I do >>> samba-tool gpo fetch <Domain Policy> I am able to see the >>> changes I have >>> done from the windows snap in >>> >>> >>> I am unsure now where the problem lies, are the GPO I have >>> modified being >>> applied correctly on samba 4 OR is the GPO itself that is not >>> configured >>> correctly in order to allow RDP (and add machine to domain)? >>> Or any other >>> issue? >>> >>> Note that all this was working correctly when I did the same >>> test upgrade >> >from samba 3 to samba 4.1.6 >>> also I am able to login to every machine in the domain using >>> my domain user >>> when logging in locally. >>> >>> Any idea / suggestion? >>> >>> >>> thanks! >>> >>> _______________________________________________________________ >>> ____________________________ >>> >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>> FAX: +353 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland >>> with number >>> 92815. Registered Office: IBM House, Shelbourne Road, >>> Ballsbridge, Dublin 4 >>> >>> (Embedded image moved to file: pic19418.gif)-- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > >
Mario Pio Russo
2015-May-01 14:48 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
yeah I'm confused too. I think AD is the backend to be honest. that
parameter was automatically added to the smb.conf when running the
classigupgrade. nothig else has been populated.
I can def try to give it a go with the parameters set on the link you sent
me.
It's a strange behaviour tho, I am still unsure if I have run in bug
https://bugzilla.samba.org/show_bug.cgi?id=11061
or I am still a step behind that bug. neverthless, with the native 4.1.6
all was working fine
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
(Embedded image moved to file: pic31983.gif)
From: "L.P.H. van Belle" <belle at bazuin.nl>
To: Mario Pio Russo/Ireland/IBM at IBMIE
Cc: "samba at lists.samba.org" <samba at lists.samba.org>
Date: 01/05/2015 14:50
Subject: RE: [Samba] After the classicupgrade from samba3 to
sernet-samba-4.2.1 , users are not able to remote desktop
anymore ( bug11061 )
while im reading..
im seeing :
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 544
your using :
idmap_ldb:use rfc2307 = yes
but i dont see a complete smb.conf for a rfc2307 setup.
please also read : https://wiki.samba.org/index.php/RFC2307_backend
so im puzzel what your backend is set to (AD or RID) and what the ranges
are.
Greetz,
louis
>-----Oorspronkelijk bericht-----
>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>Verzonden: vrijdag 1 mei 2015 15:35
>Aan: L.P.H. van Belle
>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>Onderwerp: Re: [Samba] After the classicupgrade from samba3
>tosernet-samba-4.2.1 , users are not able to remote desktop
>anymore ( bug11061 )
>
>ok this is my smb.conf file now
>
>
># Global parameters
>[global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 9.0.138.50
> ##For debugging
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>browser, eventlog6,
>backupkey, dnsserver, remote, winreg, srvsvc
> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
>[netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
>[sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>still same error on the windows machine
>
>It looks like that the GPO are now applied when we do not define the
>directive
>
>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>
>let me know if you need any other debugging info, I'm happy to
>hel (and get
>this sorted :D)
>
>thanks
>
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland
>with number
>92815. Registered Office: IBM House, Shelbourne Road,
>Ballsbridge, Dublin 4
>
>(Embedded image moved to file: pic03533.gif)
>
>
>
>From: "L.P.H. van Belle" <belle at bazuin.nl>
>To: "samba at lists.samba.org" <samba at lists.samba.org>
>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>Date: 01/05/2015 14:24
>Subject: Re: [Samba] After the classicupgrade from samba3
> tosernet-samba-4.2.1 , users are not able to
>remote desktop
> anymore ( bug11061 )
>Sent by: samba-bounces at lists.samba.org
>
>
>
>Hello Mario ,
>
>what if you try these :
>
>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
>lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>eventlog6, backupkey,
>dnsserver, remote, winreg, srvsvc
>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>
>!! these are only for helping in debugging and should not be used in
>production.
>!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem
>(solved)
>!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett
>
>so if you want to help debuggen, that would be nice. see
>bug-id in subject.
>
>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>auth methods = sam, winbind is sufficient to login with rdp.
>so if we can find what we need to get GPO workin also, that
>might help the
>developers.
>
>I'll set some GPOs in my test and try again also.
>
>
>Greetz,
>
>Louis
>
>
>>-----Oorspronkelijk bericht-----
>>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Verzonden: vrijdag 1 mei 2015 15:08
>>Aan: L.P.H. van Belle
>>CC: samba at lists.samba.org
>>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to
>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>
>>Thanks Luis
>>
>>I've changed the smb.conf as you said, now it looks like this:
>>
>>
>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>># Global parameters
>>[global]
>> workgroup = CCDC
>> realm = CCDC.LAN
>> netbios name = CCDC-SAMBA4
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 9.0.138.50
>> auth methods = sam, winbind
>>
>>[netlogon]
>> path = /var/lib/samba/sysvol/ccdc.lan/scripts
>> read only = No
>>
>>[sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>root at ccdc-samba4:~#
>>
>>
>>however from the windows machine when i try to update the
>>group policies, I
>>am now getting this errors:
>>
>>
>>
>>Microsoft Windows [Version 6.1.7601]
>>Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>
>>C:\Users\Administrator.CCDC>gpupdate /force
>>Updating Policy...
>>
>>User policy could not be updated successfully. The following
>>errors were
>>encount
>>ered:
>>
>>The processing of Group Policy failed. Windows attempted to
>>read the file
>>\\ccdc
>>.lan\sysvol\ccdc.lan\Policies
>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>>m a domain controller and was not successful. Group Policy
>>settings may not
>>be a
>>pplied until this event is resolved. This issue may be
>>transient and could
>>be ca
>>used by one or more of the following:
>>a) Name Resolution/Network Connectivity to the current domain
>>controller.
>>b) File Replication Service Latency (a file created on another domain
>>controller
>> has not replicated to the current domain controller).
>>c) The Distributed File System (DFS) client has been disabled.
>>Computer policy could not be updated successfully. The
>following errors
>>were enc
>>ountered:
>>
>>The processing of Group Policy failed. Windows attempted to
>>read the file
>>\\ccdc
>>.lan\sysvol\ccdc.lan\Policies
>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>>m a domain controller and was not successful. Group Policy
>>settings may not
>>be a
>>pplied until this event is resolved. This issue may be
>>transient and could
>>be ca
>>used by one or more of the following:
>>a) Name Resolution/Network Connectivity to the current domain
>>controller.
>>b) File Replication Service Latency (a file created on another domain
>>controller
>> has not replicated to the current domain controller).
>>c) The Distributed File System (DFS) client has been disabled.
>>
>>To diagnose the failure, review the event log or run GPRESULT /H
>>GPReport.html f
>>rom the command line to access information about Group Policy results.
>>
>>C:\Users\Administrator.CCDC>
>>
>>
>>
>>
>>
>>I'm still unable to login with normal users via RDP
>>
>>
>>_______________________________________________________________
>>____________________________
>>
>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>FAX: +353 1
>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>IBM Ireland Product Distribution Limited registered in Ireland
>>with number
>>92815. Registered Office: IBM House, Shelbourne Road,
>>Ballsbridge, Dublin 4
>>
>>(Embedded image moved to file: pic60454.gif)
>>
>>
>>
>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>To: "samba at lists.samba.org" <samba at
lists.samba.org>
>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>Date: 01/05/2015 13:55
>>Subject: RE: [Samba] After the classicupgrade
>from samba3 to
>> sernet-samba-4.2.1 , users are not able to remote desktop
>> anymore
>>
>>
>>
>>correct.
>>
>>bug still exists, just tested also on latest git master.
>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>
>>
>>temp solution.
>>
>>try adding :
>>auth methods = sam, winbind
>>to smb.conf on the dc and restart the DC.
>>
>>
>>Greetz,
>>
>>Louis
>>
>>
>>>-----Oorspronkelijk bericht-----
>>>Van: mariopiorusso at ie.ibm.com
>>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
>>>Verzonden: vrijdag 1 mei 2015 14:51
>>>Aan: samba at lists.samba.org
>>>Onderwerp: [Samba] After the classicupgrade from samba3 to
>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>
>>>
>>>Good Day All
>>>
>>>I have a current working configuration of sernet-samba-4.2.1,
>>>created by
>>>upgrading from a samba3 PDC using the classic upgrade.
>>>
>>>Now, I have added a windows 2008 machine to the domain and I'm
>>>using the AD
>>>snap in tools in order to browse the domain.
>>>
>>>I can see all the users and groups and they have been imported
>>>correctly.
>>>However I am able to remote desktop to the domain machines
>>>only with the
>>>user "Administrator at ccdc.lan"; no other user is able to
RDP.
>>>Furthermore I am able to add machines to the domain only form
>>the users
>>>Administrator, and not from any other user. I have been using
>>the Group
>>>Policy Manager from the window administrative tool in order
>>>to grant logon
>>>rights to all the users belonging to the Domain User group;
>>>furthermore I
>>>have added the users to the group Remote Desktop users, but
>>>still I have no
>>>success at all. at the moment the group policies looks like this:
>>>
>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>display name : Default Domain Policy
>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>>\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>dn :
CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>>=ccdc,DC=lan
>>>version : 3
>>>flags : NONE
>>>
>>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>display name : Default Domain Controllers Policy
>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>>\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>dn :
CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>>=ccdc,DC=lan
>>>version : 7
>>>flags : NONE
>>>
>>>
>>>while from the GPM looks like this:
>>>
>>>(Embedded image moved to file: pic08924.gif)
>>>
>>>
>>>
>>>I have also run gpupdate /force from he windows machine and If I do
>>>samba-tool gpo fetch <Domain Policy> I am able to see the
>>>changes I have
>>>done from the windows snap in
>>>
>>>
>>>I am unsure now where the problem lies, are the GPO I have
>>>modified being
>>>applied correctly on samba 4 OR is the GPO itself that is not
>>>configured
>>>correctly in order to allow RDP (and add machine to domain)?
>>>Or any other
>>>issue?
>>>
>>>Note that all this was working correctly when I did the same
>>>test upgrade
>>>from samba 3 to samba 4.1.6
>>>
>>>also I am able to login to every machine in the domain using
>>>my domain user
>>>when logging in locally.
>>>
>>>Any idea / suggestion?
>>>
>>>
>>>thanks!
>>>
>>>_______________________________________________________________
>>>____________________________
>>>
>>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>>FAX: +353 1
>>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>>IBM Ireland Product Distribution Limited registered in Ireland
>>>with number
>>>92815. Registered Office: IBM House, Shelbourne Road,
>>>Ballsbridge, Dublin 4
>>>
>>>(Embedded image moved to file: pic19418.gif)--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
>
>
Mario Pio Russo
2015-Jun-04 13:57 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
guys sorry to take this thread onboard once more, but I still can't get
this sorted.
I have compiled the latest tarball from samba, 4.2.2 . compilation works
fine and after that I am able to upgrade from samba 3 with the following
command:
samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/
--use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee
upgrade.log
the upgrade works fine as far as I can see, samba starts and I am able to
RDP using my domain admin rights. however I am not able to RDP using any
other user.
the error i get is:
"The connection is denied because the user account is not authorized for
remote login"
however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS
dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan
cn: mariopio
instanceType: 4
whenCreated: 20150604120049.0Z
whenChanged: 20150604120049.0Z
uSNCreated: 6165
name: mariopio
objectGUID:: cBOr+Abs90yYT6r612524Q=badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA=logonCount: 0
sAMAccountName: mariopio
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan
pwdLastSet: 130746879650000000
displayName: Mario Pio Russo/Ireland/IBM
scriptPath: logon.bat
accountExpires: 137919572470000000
lastLogoff: 137919572470000000
logonHours:: ////////////////////////////
userAccountControl: 512
description: mariopiorusso at ie.ibm.com
uidNumber: 3638
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/mariopio
loginShell: /bin/bash
gidNumber: 513
msSFU30NisDomain: ccdc
uSNChanged: 6169
memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan
memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan
distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan
This is my smb.conf
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = CCDC
realm = ccdc.lan
netbios name = CCDC-SAMBA4
server role = active directory domain controller
server services = -winbindd +winbind
auth methods = winbind, sam
idmap_ldb:use rfc2307 = yes
dns forwarder = 9.0.138.50
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10000-40000
# Store UIDs/GIDs for all other domains (including local
# accounts/groups of this server) in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# Use home directory and shell information from AD
winbind nss info = rfc2307
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
any suggestion?
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
(Embedded image moved to file: pic18258.gif)
From: "L.P.H. van Belle" <belle at bazuin.nl>
To: Mario Pio Russo/Ireland/IBM at IBMIE
Date: 01/05/2015 16:00
Subject: RE: [Samba] After the classicupgrade from samba3 to
sernet-samba-4.2.1 , users are not able to remote desktop
anymore ( bug11061 )
yes, you did hit that bug, like lots of us..
4.1.x was ok yes.
you can also try this one. ( remove the others ) for the 4.2.1 samba
server services = -winbindd +winbind
and use the old winbind behavoir.
and you should get my scripts, change it for ubuntu. ( mail me the
changes ;-) )
and you have a clean and quick setup.
look here.
https://secure.bazuin.nl/scripts/
read the 0-README-FIRST.TXT file
I think most wil work for ubuntu.
Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh
Have a nice weekend..
Greetz,
Louis
>-----Oorspronkelijk bericht-----
>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>Verzonden: vrijdag 1 mei 2015 16:49
>Aan: L.P.H. van Belle
>CC: samba at lists.samba.org
>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to
>sernet-samba-4.2.1 , users are not able to remote desktop
>anymore ( bug11061 )
>
>yeah I'm confused too. I think AD is the backend to be honest. that
>parameter was automatically added to the smb.conf when running the
>classigupgrade. nothig else has been populated.
>
>I can def try to give it a go with the parameters set on the
>link you sent
>me.
>
>It's a strange behaviour tho, I am still unsure if I have run in bug
>https://bugzilla.samba.org/show_bug.cgi?id=11061
>
>or I am still a step behind that bug. neverthless, with the
>native 4.1.6
>all was working fine
>_______________________________________________________________
>____________________________
>
>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>FAX: +353 1
>815 2236, eMail: mariopiorusso at ie.ibm.com
>IBM Ireland Product Distribution Limited registered in Ireland
>with number
>92815. Registered Office: IBM House, Shelbourne Road,
>Ballsbridge, Dublin 4
>
>(Embedded image moved to file: pic57978.gif)
>
>
>
>From: "L.P.H. van Belle" <belle at bazuin.nl>
>To: Mario Pio Russo/Ireland/IBM at IBMIE
>Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>Date: 01/05/2015 14:50
>Subject: RE: [Samba] After the classicupgrade from samba3 to
> sernet-samba-4.2.1 , users are not able to remote desktop
> anymore ( bug11061 )
>
>
>
>while im reading..
>
>im seeing :
>getfacl: Removing leading '/' from absolute path names
># file: var/lib/samba/sysvol
># owner: root
># group: 544
>
>
>your using :
>idmap_ldb:use rfc2307 = yes
>but i dont see a complete smb.conf for a rfc2307 setup.
>
>please also read : https://wiki.samba.org/index.php/RFC2307_backend
>
>so im puzzel what your backend is set to (AD or RID) and what
>the ranges
>are.
>
>
>
>Greetz,
>
>louis
>
>>-----Oorspronkelijk bericht-----
>>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>Verzonden: vrijdag 1 mei 2015 15:35
>>Aan: L.P.H. van Belle
>>CC: samba at lists.samba.org; samba-bounces at lists.samba.org
>>Onderwerp: Re: [Samba] After the classicupgrade from samba3
>>tosernet-samba-4.2.1 , users are not able to remote desktop
>>anymore ( bug11061 )
>>
>>ok this is my smb.conf file now
>>
>>
>># Global parameters
>>[global]
>> workgroup = CCDC
>> realm = CCDC.LAN
>> netbios name = CCDC-SAMBA4
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 9.0.138.50
>> ##For debugging
>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
>>netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>>browser, eventlog6,
>>backupkey, dnsserver, remote, winreg, srvsvc
>> auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>
>>[netlogon]
>> path = /var/lib/samba/sysvol/ccdc.lan/scripts
>> read only = No
>>
>>[sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>
>>still same error on the windows machine
>>
>>It looks like that the GPO are now applied when we do not define the
>>directive
>>
>>"auth methods = sam, winbind, ntdomain, ntdomain:winbind"
>>
>>let me know if you need any other debugging info, I'm happy to
>>hel (and get
>>this sorted :D)
>>
>>thanks
>>
>>_______________________________________________________________
>>____________________________
>>
>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>FAX: +353 1
>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>IBM Ireland Product Distribution Limited registered in Ireland
>>with number
>>92815. Registered Office: IBM House, Shelbourne Road,
>>Ballsbridge, Dublin 4
>>
>>(Embedded image moved to file: pic03533.gif)
>>
>>
>>
>>From: "L.P.H. van Belle" <belle at bazuin.nl>
>>To: "samba at lists.samba.org" <samba at
lists.samba.org>
>>Cc: Mario Pio Russo/Ireland/IBM at IBMIE
>>Date: 01/05/2015 14:24
>>Subject: Re: [Samba] After the classicupgrade
>from samba3
>> tosernet-samba-4.2.1 , users are not
able to>>remote desktop
>> anymore ( bug11061 )
>>Sent by: samba-bounces at lists.samba.org
>>
>>
>>
>>Hello Mario ,
>>
>>what if you try these :
>>
>>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon,
>>lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
>>eventlog6, backupkey,
>>dnsserver, remote, winreg, srvsvc
>>auth methods = sam, winbind, ntdomain, ntdomain:winbind
>>
>>!! these are only for helping in debugging and should not be used in
>>production.
>>!! see all the e-mails with subject : Re: [Samba] samba 4.2
>RDP problem
>>(solved)
>>!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett
>>
>>so if you want to help debuggen, that would be nice. see
>>bug-id in subject.
>>
>>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO )
>>auth methods = sam, winbind is sufficient to login with rdp.
>>so if we can find what we need to get GPO workin also, that
>>might help the
>>developers.
>>
>>I'll set some GPOs in my test and try again also.
>>
>>
>>Greetz,
>>
>>Louis
>>
>>
>>>-----Oorspronkelijk bericht-----
>>>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com]
>>>Verzonden: vrijdag 1 mei 2015 15:08
>>>Aan: L.P.H. van Belle
>>>CC: samba at lists.samba.org
>>>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to
>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore
>>>
>>>Thanks Luis
>>>
>>>I've changed the smb.conf as you said, now it looks like this:
>>>
>>>
>>>root at ccdc-samba4:~# cat /etc/samba/smb.conf
>>># Global parameters
>>>[global]
>>> workgroup = CCDC
>>> realm = CCDC.LAN
>>> netbios name = CCDC-SAMBA4
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 9.0.138.50
>>> auth methods = sam, winbind
>>>
>>>[netlogon]
>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>> read only = No
>>>
>>>[sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>root at ccdc-samba4:~#
>>>
>>>
>>>however from the windows machine when i try to update the
>>>group policies, I
>>>am now getting this errors:
>>>
>>>
>>>
>>>Microsoft Windows [Version 6.1.7601]
>>>Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>>
>>>C:\Users\Administrator.CCDC>gpupdate /force
>>>Updating Policy...
>>>
>>>User policy could not be updated successfully. The following
>>>errors were
>>>encount
>>>ered:
>>>
>>>The processing of Group Policy failed. Windows attempted to
>>>read the file
>>>\\ccdc
>>>.lan\sysvol\ccdc.lan\Policies
>>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>>>m a domain controller and was not successful. Group Policy
>>>settings may not
>>>be a
>>>pplied until this event is resolved. This issue may be
>>>transient and could
>>>be ca
>>>used by one or more of the following:
>>>a) Name Resolution/Network Connectivity to the current domain
>>>controller.
>>>b) File Replication Service Latency (a file created on another
domain
>>>controller
>>> has not replicated to the current domain controller).
>>>c) The Distributed File System (DFS) client has been disabled.
>>>Computer policy could not be updated successfully. The
>>following errors
>>>were enc
>>>ountered:
>>>
>>>The processing of Group Policy failed. Windows attempted to
>>>read the file
>>>\\ccdc
>>>.lan\sysvol\ccdc.lan\Policies
>>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro
>>>m a domain controller and was not successful. Group Policy
>>>settings may not
>>>be a
>>>pplied until this event is resolved. This issue may be
>>>transient and could
>>>be ca
>>>used by one or more of the following:
>>>a) Name Resolution/Network Connectivity to the current domain
>>>controller.
>>>b) File Replication Service Latency (a file created on another
domain
>>>controller
>>> has not replicated to the current domain controller).
>>>c) The Distributed File System (DFS) client has been disabled.
>>>
>>>To diagnose the failure, review the event log or run GPRESULT /H
>>>GPReport.html f
>>>rom the command line to access information about Group
>Policy results.
>>>
>>>C:\Users\Administrator.CCDC>
>>>
>>>
>>>
>>>
>>>
>>>I'm still unable to login with normal users via RDP
>>>
>>>
>>>_______________________________________________________________
>>>____________________________
>>>
>>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone &
>>>FAX: +353 1
>>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>>IBM Ireland Product Distribution Limited registered in Ireland
>>>with number
>>>92815. Registered Office: IBM House, Shelbourne Road,
>>>Ballsbridge, Dublin 4
>>>
>>>(Embedded image moved to file: pic60454.gif)
>>>
>>>
>>>
>>>From: "L.P.H. van Belle"
><belle at bazuin.nl>
>>>To:
"samba at lists.samba.org"><samba at lists.samba.org>
>>>Cc: Mario Pio
Russo/Ireland/IBM at IBMIE>>>Date: 01/05/2015 13:55
>>>Subject: RE: [Samba] After
the>classicupgrade
>>from samba3 to
>>> sernet-samba-4.2.1 , users are not able to remote
desktop
>>> anymore
>>>
>>>
>>>
>>>correct.
>>>
>>>bug still exists, just tested also on latest git master.
>>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061
>>>
>>>
>>>temp solution.
>>>
>>>try adding :
>>>auth methods = sam, winbind
>>>to smb.conf on the dc and restart the DC.
>>>
>>>
>>>Greetz,
>>>
>>>Louis
>>>
>>>
>>>>-----Oorspronkelijk bericht-----
>>>>Van: mariopiorusso at ie.ibm.com
>>>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo
>>>>Verzonden: vrijdag 1 mei 2015 14:51
>>>>Aan: samba at lists.samba.org
>>>>Onderwerp: [Samba] After the classicupgrade from samba3 to
>>>>sernet-samba-4.2.1 , users are not able to remote desktop
anymore
>>>>
>>>>
>>>>Good Day All
>>>>
>>>>I have a current working configuration of sernet-samba-4.2.1,
>>>>created by
>>>>upgrading from a samba3 PDC using the classic upgrade.
>>>>
>>>>Now, I have added a windows 2008 machine to the domain and
I'm
>>>>using the AD
>>>>snap in tools in order to browse the domain.
>>>>
>>>>I can see all the users and groups and they have been imported
>>>>correctly.
>>>>However I am able to remote desktop to the domain machines
>>>>only with the
>>>>user "Administrator at ccdc.lan"; no other user is
able to RDP.
>>>>Furthermore I am able to add machines to the domain only form
>>>the users
>>>>Administrator, and not from any other user. I have been using
>>>the Group
>>>>Policy Manager from the window administrative tool in order
>>>>to grant logon
>>>>rights to all the users belonging to the Domain User group;
>>>>furthermore I
>>>>have added the users to the group Remote Desktop users, but
>>>>still I have no
>>>>success at all. at the moment the group policies looks like
this:
>>>>
>>>>root at ccdc-samba4:/# samba-tool gpo listall
>>>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>display name : Default Domain Policy
>>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>>>\{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>dn :
CN>>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>>>=ccdc,DC=lan
>>>>version : 3
>>>>flags : NONE
>>>>
>>>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>display name : Default Domain Controllers Policy
>>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies
>>>>\{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>dn :
CN>>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC
>>>>=ccdc,DC=lan
>>>>version : 7
>>>>flags : NONE
>>>>
>>>>
>>>>while from the GPM looks like this:
>>>>
>>>>(Embedded image moved to file: pic08924.gif)
>>>>
>>>>
>>>>
>>>>I have also run gpupdate /force from he windows machine and If I
do
>>>>samba-tool gpo fetch <Domain Policy> I am able to see the
>>>>changes I have
>>>>done from the windows snap in
>>>>
>>>>
>>>>I am unsure now where the problem lies, are the GPO I have
>>>>modified being
>>>>applied correctly on samba 4 OR is the GPO itself that is not
>>>>configured
>>>>correctly in order to allow RDP (and add machine to domain)?
>>>>Or any other
>>>>issue?
>>>>
>>>>Note that all this was working correctly when I did the same
>>>>test upgrade
>>>>from samba 3 to samba 4.1.6
>>>>
>>>>also I am able to login to every machine in the domain using
>>>>my domain user
>>>>when logging in locally.
>>>>
>>>>Any idea / suggestion?
>>>>
>>>>
>>>>thanks!
>>>>
>>>>_______________________________________________________________
>>>>____________________________
>>>>
>>>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone
&
>>>>FAX: +353 1
>>>>815 2236, eMail: mariopiorusso at ie.ibm.com
>>>>IBM Ireland Product Distribution Limited registered in Ireland
>>>>with number
>>>>92815. Registered Office: IBM House, Shelbourne Road,
>>>>Ballsbridge, Dublin 4
>>>>
>>>>(Embedded image moved to file: pic19418.gif)--
>>>>To unsubscribe from this list go to the following URL and read
the
>>>>instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
>>>
>>>
>>
>>--
>>To unsubscribe from this list go to the following URL and read the
>>instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>
>
>
James
2015-Jun-04 14:57 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
On 6/4/2015 9:57 AM, Mario Pio Russo wrote:> guys sorry to take this thread onboard once more, but I still can't get > this sorted. > > I have compiled the latest tarball from samba, 4.2.2 . compilation works > fine and after that I am able to upgrade from samba 3 with the following > command: > > samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ > --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee > upgrade.log > > the upgrade works fine as far as I can see, samba starts and I am able to > RDP using my domain admin rights. however I am not able to RDP using any > other user. > > the error i get is: > > "The connection is denied because the user account is not authorized for > remote login" > > however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS > > dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan > cn: mariopio > instanceType: 4 > whenCreated: 20150604120049.0Z > whenChanged: 20150604120049.0Z > uSNCreated: 6165 > name: mariopio > objectGUID:: cBOr+Abs90yYT6r612524Q=> badPwdCount: 0 > codePage: 0 > countryCode: 0 > badPasswordTime: 0 > lastLogon: 0 > primaryGroupID: 513 > objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA=> logonCount: 0 > sAMAccountName: mariopio > sAMAccountType: 805306368 > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan > pwdLastSet: 130746879650000000 > displayName: Mario Pio Russo/Ireland/IBM > scriptPath: logon.bat > accountExpires: 137919572470000000 > lastLogoff: 137919572470000000 > logonHours:: //////////////////////////// > userAccountControl: 512 > description: mariopiorusso at ie.ibm.com > uidNumber: 3638 > objectClass: top > objectClass: posixAccount > objectClass: person > objectClass: organizationalPerson > objectClass: user > unixHomeDirectory: /home/mariopio > loginShell: /bin/bash > gidNumber: 513 > msSFU30NisDomain: ccdc > uSNChanged: 6169 > memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan > memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan > distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan > > This is my smb.conf > > cat /etc/samba/smb.conf > # Global parameters > [global] > workgroup = CCDC > realm = ccdc.lan > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > server services = -winbindd +winbind > auth methods = winbind, sam > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > idmap config CCDC:backend = ad > idmap config CCDC:schema_mode = rfc2307 > idmap config CCDC:range = 10000-40000 > > # Store UIDs/GIDs for all other domains (including local > # accounts/groups of this server) in a tdb file > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > > # Use home directory and shell information from AD > winbind nss info = rfc2307 > > [netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > > any suggestion? > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic18258.gif) > > > > From: "L.P.H. van Belle" <belle at bazuin.nl> > To: Mario Pio Russo/Ireland/IBM at IBMIE > Date: 01/05/2015 16:00 > Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore ( bug11061 ) > > > > yes, you did hit that bug, like lots of us.. > > 4.1.x was ok yes. > > you can also try this one. ( remove the others ) for the 4.2.1 samba > server services = -winbindd +winbind > > and use the old winbind behavoir. > > and you should get my scripts, change it for ubuntu. ( mail me the > changes ;-) ) > and you have a clean and quick setup. > > look here. > https://secure.bazuin.nl/scripts/ > read the 0-README-FIRST.TXT file > > I think most wil work for ubuntu. > Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh > > Have a nice weekend.. > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >> Verzonden: vrijdag 1 mei 2015 16:49 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore ( bug11061 ) >> >> yeah I'm confused too. I think AD is the backend to be honest. that >> parameter was automatically added to the smb.conf when running the >> classigupgrade. nothig else has been populated. >> >> I can def try to give it a go with the parameters set on the >> link you sent >> me. >> >> It's a strange behaviour tho, I am still unsure if I have run in bug >> https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> or I am still a step behind that bug. neverthless, with the >> native 4.1.6 >> all was working fine >> _______________________________________________________________ >> ____________________________ >> >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >> FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland >> with number >> 92815. Registered Office: IBM House, Shelbourne Road, >> Ballsbridge, Dublin 4 >> >> (Embedded image moved to file: pic57978.gif) >> >> >> >> From: "L.P.H. van Belle" <belle at bazuin.nl> >> To: Mario Pio Russo/Ireland/IBM at IBMIE >> Cc: "samba at lists.samba.org" <samba at lists.samba.org> >> Date: 01/05/2015 14:50 >> Subject: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore ( bug11061 ) >> >> >> >> while im reading.. >> >> im seeing : >> getfacl: Removing leading '/' from absolute path names >> # file: var/lib/samba/sysvol >> # owner: root >> # group: 544 >> >> >> your using : >> idmap_ldb:use rfc2307 = yes >> but i dont see a complete smb.conf for a rfc2307 setup. >> >> please also read : https://wiki.samba.org/index.php/RFC2307_backend >> >> so im puzzel what your backend is set to (AD or RID) and what >> the ranges >> are. >> >> >> >> Greetz, >> >> louis >> >>> -----Oorspronkelijk bericht----- >>> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>> Verzonden: vrijdag 1 mei 2015 15:35 >>> Aan: L.P.H. van Belle >>> CC: samba at lists.samba.org; samba-bounces at lists.samba.org >>> Onderwerp: Re: [Samba] After the classicupgrade from samba3 >>> tosernet-samba-4.2.1 , users are not able to remote desktop >>> anymore ( bug11061 ) >>> >>> ok this is my smb.conf file now >>> >>> >>> # Global parameters >>> [global] >>> workgroup = CCDC >>> realm = CCDC.LAN >>> netbios name = CCDC-SAMBA4 >>> server role = active directory domain controller >>> idmap_ldb:use rfc2307 = yes >>> dns forwarder = 9.0.138.50 >>> ##For debugging >>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >>> browser, eventlog6, >>> backupkey, dnsserver, remote, winreg, srvsvc >>> auth methods = sam, winbind, ntdomain, ntdomain:winbind >>> >>> [netlogon] >>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> >>> still same error on the windows machine >>> >>> It looks like that the GPO are now applied when we do not define the >>> directive >>> >>> "auth methods = sam, winbind, ntdomain, ntdomain:winbind" >>> >>> let me know if you need any other debugging info, I'm happy to >>> hel (and get >>> this sorted :D) >>> >>> thanks >>> >>> _______________________________________________________________ >>> ____________________________ >>> >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>> FAX: +353 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland >>> with number >>> 92815. Registered Office: IBM House, Shelbourne Road, >>> Ballsbridge, Dublin 4 >>> >>> (Embedded image moved to file: pic03533.gif) >>> >>> >>> >>> From: "L.P.H. van Belle" <belle at bazuin.nl> >>> To: "samba at lists.samba.org" <samba at lists.samba.org> >>> Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>> Date: 01/05/2015 14:24 >>> Subject: Re: [Samba] After the classicupgrade > >from samba3 >>> tosernet-samba-4.2.1 , users are not > able to >>> remote desktop >>> anymore ( bug11061 ) >>> Sent by: samba-bounces at lists.samba.org >>> >>> >>> >>> Hello Mario , >>> >>> what if you try these : >>> >>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >>> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >>> eventlog6, backupkey, >>> dnsserver, remote, winreg, srvsvc >>> auth methods = sam, winbind, ntdomain, ntdomain:winbind >>> >>> !! these are only for helping in debugging and should not be used in >>> production. >>> !! see all the e-mails with subject : Re: [Samba] samba 4.2 >> RDP problem >>> (solved) >>> !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett >>> >>> so if you want to help debuggen, that would be nice. see >>> bug-id in subject. >>> >>> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >>> auth methods = sam, winbind is sufficient to login with rdp. >>> so if we can find what we need to get GPO workin also, that >>> might help the >>> developers. >>> >>> I'll set some GPOs in my test and try again also. >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>>> Verzonden: vrijdag 1 mei 2015 15:08 >>>> Aan: L.P.H. van Belle >>>> CC: samba at lists.samba.org >>>> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>>> >>>> Thanks Luis >>>> >>>> I've changed the smb.conf as you said, now it looks like this: >>>> >>>> >>>> root at ccdc-samba4:~# cat /etc/samba/smb.conf >>>> # Global parameters >>>> [global] >>>> workgroup = CCDC >>>> realm = CCDC.LAN >>>> netbios name = CCDC-SAMBA4 >>>> server role = active directory domain controller >>>> idmap_ldb:use rfc2307 = yes >>>> dns forwarder = 9.0.138.50 >>>> auth methods = sam, winbind >>>> >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> root at ccdc-samba4:~# >>>> >>>> >>>> however from the windows machine when i try to update the >>>> group policies, I >>>> am now getting this errors: >>>> >>>> >>>> >>>> Microsoft Windows [Version 6.1.7601] >>>> Copyright (c) 2009 Microsoft Corporation. All rights reserved. >>>> >>>> C:\Users\Administrator.CCDC>gpupdate /force >>>> Updating Policy... >>>> >>>> User policy could not be updated successfully. The following >>>> errors were >>>> encount >>>> ered: >>>> >>>> The processing of Group Policy failed. Windows attempted to >>>> read the file >>>> \\ccdc >>>> .lan\sysvol\ccdc.lan\Policies >>>> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>> m a domain controller and was not successful. Group Policy >>>> settings may not >>>> be a >>>> pplied until this event is resolved. This issue may be >>>> transient and could >>>> be ca >>>> used by one or more of the following: >>>> a) Name Resolution/Network Connectivity to the current domain >>>> controller. >>>> b) File Replication Service Latency (a file created on another domain >>>> controller >>>> has not replicated to the current domain controller). >>>> c) The Distributed File System (DFS) client has been disabled. >>>> Computer policy could not be updated successfully. The >>> following errors >>>> were enc >>>> ountered: >>>> >>>> The processing of Group Policy failed. Windows attempted to >>>> read the file >>>> \\ccdc >>>> .lan\sysvol\ccdc.lan\Policies >>>> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>> m a domain controller and was not successful. Group Policy >>>> settings may not >>>> be a >>>> pplied until this event is resolved. This issue may be >>>> transient and could >>>> be ca >>>> used by one or more of the following: >>>> a) Name Resolution/Network Connectivity to the current domain >>>> controller. >>>> b) File Replication Service Latency (a file created on another domain >>>> controller >>>> has not replicated to the current domain controller). >>>> c) The Distributed File System (DFS) client has been disabled. >>>> >>>> To diagnose the failure, review the event log or run GPRESULT /H >>>> GPReport.html f >>>> rom the command line to access information about Group >> Policy results. >>>> C:\Users\Administrator.CCDC> >>>> >>>> >>>> >>>> >>>> >>>> I'm still unable to login with normal users via RDP >>>> >>>> >>>> _______________________________________________________________ >>>> ____________________________ >>>> >>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>> FAX: +353 1 >>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>> IBM Ireland Product Distribution Limited registered in Ireland >>>> with number >>>> 92815. Registered Office: IBM House, Shelbourne Road, >>>> Ballsbridge, Dublin 4 >>>> >>>> (Embedded image moved to file: pic60454.gif) >>>> >>>> >>>> >>>> From: "L.P.H. van Belle" >> <belle at bazuin.nl> >>>> To: > "samba at lists.samba.org" >> <samba at lists.samba.org> >>>> Cc: Mario Pio > Russo/Ireland/IBM at IBMIE >>>> Date: 01/05/2015 13:55 >>>> Subject: RE: [Samba] After > the >> classicupgrade >> >from samba3 to >>>> sernet-samba-4.2.1 , users are not able to remote desktop >>>> anymore >>>> >>>> >>>> >>>> correct. >>>> >>>> bug still exists, just tested also on latest git master. >>>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >>>> >>>> >>>> temp solution. >>>> >>>> try adding : >>>> auth methods = sam, winbind >>>> to smb.conf on the dc and restart the DC. >>>> >>>> >>>> Greetz, >>>> >>>> Louis >>>> >>>> >>>>> -----Oorspronkelijk bericht----- >>>>> Van: mariopiorusso at ie.ibm.com >>>>> [mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>>> Verzonden: vrijdag 1 mei 2015 14:51 >>>>> Aan: samba at lists.samba.org >>>>> Onderwerp: [Samba] After the classicupgrade from samba3 to >>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>>>> >>>>> >>>>> Good Day All >>>>> >>>>> I have a current working configuration of sernet-samba-4.2.1, >>>>> created by >>>>> upgrading from a samba3 PDC using the classic upgrade. >>>>> >>>>> Now, I have added a windows 2008 machine to the domain and I'm >>>>> using the AD >>>>> snap in tools in order to browse the domain. >>>>> >>>>> I can see all the users and groups and they have been imported >>>>> correctly. >>>>> However I am able to remote desktop to the domain machines >>>>> only with the >>>>> user "Administrator at ccdc.lan"; no other user is able to RDP. >>>>> Furthermore I am able to add machines to the domain only form >>>> the users >>>>> Administrator, and not from any other user. I have been using >>>> the Group >>>>> Policy Manager from the window administrative tool in order >>>>> to grant logon >>>>> rights to all the users belonging to the Domain User group; >>>>> furthermore I >>>>> have added the users to the group Remote Desktop users, but >>>>> still I have no >>>>> success at all. at the moment the group policies looks like this: >>>>> >>>>> root at ccdc-samba4:/# samba-tool gpo listall >>>>> GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>>> display name : Default Domain Policy >>>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>> \{31B2F340-016D-11D2-945F-00C04FB984F9} >>>>> dn : CN>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>> =ccdc,DC=lan >>>>> version : 3 >>>>> flags : NONE >>>>> >>>>> GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>> display name : Default Domain Controllers Policy >>>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>> \{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>> dn : CN>>>>> {6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>> =ccdc,DC=lan >>>>> version : 7 >>>>> flags : NONE >>>>> >>>>> >>>>> while from the GPM looks like this: >>>>> >>>>> (Embedded image moved to file: pic08924.gif) >>>>> >>>>> >>>>> >>>>> I have also run gpupdate /force from he windows machine and If I do >>>>> samba-tool gpo fetch <Domain Policy> I am able to see the >>>>> changes I have >>>>> done from the windows snap in >>>>> >>>>> >>>>> I am unsure now where the problem lies, are the GPO I have >>>>> modified being >>>>> applied correctly on samba 4 OR is the GPO itself that is not >>>>> configured >>>>> correctly in order to allow RDP (and add machine to domain)? >>>>> Or any other >>>>> issue? >>>>> >>>>> Note that all this was working correctly when I did the same >>>>> test upgrade >>>> >from samba 3 to samba 4.1.6 >>>>> also I am able to login to every machine in the domain using >>>>> my domain user >>>>> when logging in locally. >>>>> >>>>> Any idea / suggestion? >>>>> >>>>> >>>>> thanks! >>>>> >>>>> _______________________________________________________________ >>>>> ____________________________ >>>>> >>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>>> FAX: +353 1 >>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>> IBM Ireland Product Distribution Limited registered in Ireland >>>>> with number >>>>> 92815. Registered Office: IBM House, Shelbourne Road, >>>>> Ballsbridge, Dublin 4 >>>>> >>>>> (Embedded image moved to file: pic19418.gif)-- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >> >> > > >Mario, This guide may help you. http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/ -- -James
Maybe Matching Threads
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )