L.P.H. van Belle
2015-May-01 13:23 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
Hello Mario , what if you try these : dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc auth methods = sam, winbind, ntdomain, ntdomain:winbind !! these are only for helping in debugging and should not be used in production. !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem (solved) !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett so if you want to help debuggen, that would be nice. see bug-id in subject. In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) auth methods = sam, winbind is sufficient to login with rdp. so if we can find what we need to get GPO workin also, that might help the developers. I'll set some GPOs in my test and try again also. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:08 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org >Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop anymore > >Thanks Luis > >I've changed the smb.conf as you said, now it looks like this: > > >root at ccdc-samba4:~# cat /etc/samba/smb.conf ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > auth methods = sam, winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No >root at ccdc-samba4:~# > > >however from the windows machine when i try to update the >group policies, I >am now getting this errors: > > > >Microsoft Windows [Version 6.1.7601] >Copyright (c) 2009 Microsoft Corporation. All rights reserved. > >C:\Users\Administrator.CCDC>gpupdate /force >Updating Policy... > >User policy could not be updated successfully. The following >errors were >encount >ered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. >Computer policy could not be updated successfully. The following errors >were enc >ountered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. > >To diagnose the failure, review the event log or run GPRESULT /H >GPReport.html f >rom the command line to access information about Group Policy results. > >C:\Users\Administrator.CCDC> > > > > > >I'm still unable to login with normal users via RDP > > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic60454.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 13:55 >Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore > > > >correct. > >bug still exists, just tested also on latest git master. >see : https://bugzilla.samba.org/show_bug.cgi?id=11061 > > >temp solution. > >try adding : >auth methods = sam, winbind >to smb.conf on the dc and restart the DC. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: mariopiorusso at ie.ibm.com >>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>Verzonden: vrijdag 1 mei 2015 14:51 >>Aan: samba at lists.samba.org >>Onderwerp: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >> >>Good Day All >> >>I have a current working configuration of sernet-samba-4.2.1, >>created by >>upgrading from a samba3 PDC using the classic upgrade. >> >>Now, I have added a windows 2008 machine to the domain and I'm >>using the AD >>snap in tools in order to browse the domain. >> >>I can see all the users and groups and they have been imported >>correctly. >>However I am able to remote desktop to the domain machines >>only with the >>user "Administrator at ccdc.lan"; no other user is able to RDP. >>Furthermore I am able to add machines to the domain only form >the users >>Administrator, and not from any other user. I have been using >the Group >>Policy Manager from the window administrative tool in order >>to grant logon >>rights to all the users belonging to the Domain User group; >>furthermore I >>have added the users to the group Remote Desktop users, but >>still I have no >>success at all. at the moment the group policies looks like this: >> >>root at ccdc-samba4:/# samba-tool gpo listall >>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>display name : Default Domain Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>dn : CN>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 3 >>flags : NONE >> >>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>display name : Default Domain Controllers Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>dn : CN>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 7 >>flags : NONE >> >> >>while from the GPM looks like this: >> >>(Embedded image moved to file: pic08924.gif) >> >> >> >>I have also run gpupdate /force from he windows machine and If I do >>samba-tool gpo fetch <Domain Policy> I am able to see the >>changes I have >>done from the windows snap in >> >> >>I am unsure now where the problem lies, are the GPO I have >>modified being >>applied correctly on samba 4 OR is the GPO itself that is not >>configured >>correctly in order to allow RDP (and add machine to domain)? >>Or any other >>issue? >> >>Note that all this was working correctly when I did the same >>test upgrade >>from samba 3 to samba 4.1.6 >> >>also I am able to login to every machine in the domain using >>my domain user >>when logging in locally. >> >>Any idea / suggestion? >> >> >>thanks! >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic19418.gif)-- >>To unsubscribe from this list go to the following URL and read the >>instructions: https://lists.samba.org/mailman/options/samba >> > > >
Mario Pio Russo
2015-May-01 13:34 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
ok this is my smb.conf file now # Global parameters [global] workgroup = CCDC realm = CCDC.LAN netbios name = CCDC-SAMBA4 server role = active directory domain controller idmap_ldb:use rfc2307 = yes dns forwarder = 9.0.138.50 ##For debugging dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc auth methods = sam, winbind, ntdomain, ntdomain:winbind [netlogon] path = /var/lib/samba/sysvol/ccdc.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No still same error on the windows machine It looks like that the GPO are now applied when we do not define the directive "auth methods = sam, winbind, ntdomain, ntdomain:winbind" let me know if you need any other debugging info, I'm happy to hel (and get this sorted :D) thanks ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic32512.gif) From: "L.P.H. van Belle" <belle at bazuin.nl> To: "samba at lists.samba.org" <samba at lists.samba.org> Cc: Mario Pio Russo/Ireland/IBM at IBMIE Date: 01/05/2015 14:24 Subject: Re: [Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 ) Sent by: samba-bounces at lists.samba.org Hello Mario , what if you try these : dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc auth methods = sam, winbind, ntdomain, ntdomain:winbind !! these are only for helping in debugging and should not be used in production. !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem (solved) !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett so if you want to help debuggen, that would be nice. see bug-id in subject. In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) auth methods = sam, winbind is sufficient to login with rdp. so if we can find what we need to get GPO workin also, that might help the developers. I'll set some GPOs in my test and try again also. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:08 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org >Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop anymore > >Thanks Luis > >I've changed the smb.conf as you said, now it looks like this: > > >root at ccdc-samba4:~# cat /etc/samba/smb.conf ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > auth methods = sam, winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No >root at ccdc-samba4:~# > > >however from the windows machine when i try to update the >group policies, I >am now getting this errors: > > > >Microsoft Windows [Version 6.1.7601] >Copyright (c) 2009 Microsoft Corporation. All rights reserved. > >C:\Users\Administrator.CCDC>gpupdate /force >Updating Policy... > >User policy could not be updated successfully. The following >errors were >encount >ered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. >Computer policy could not be updated successfully. The following errors >were enc >ountered: > >The processing of Group Policy failed. Windows attempted to >read the file >\\ccdc >.lan\sysvol\ccdc.lan\Policies >\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >m a domain controller and was not successful. Group Policy >settings may not >be a >pplied until this event is resolved. This issue may be >transient and could >be ca >used by one or more of the following: >a) Name Resolution/Network Connectivity to the current domain >controller. >b) File Replication Service Latency (a file created on another domain >controller > has not replicated to the current domain controller). >c) The Distributed File System (DFS) client has been disabled. > >To diagnose the failure, review the event log or run GPRESULT /H >GPReport.html f >rom the command line to access information about Group Policy results. > >C:\Users\Administrator.CCDC> > > > > > >I'm still unable to login with normal users via RDP > > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic60454.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 13:55 >Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore > > > >correct. > >bug still exists, just tested also on latest git master. >see : https://bugzilla.samba.org/show_bug.cgi?id=11061 > > >temp solution. > >try adding : >auth methods = sam, winbind >to smb.conf on the dc and restart the DC. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: mariopiorusso at ie.ibm.com >>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>Verzonden: vrijdag 1 mei 2015 14:51 >>Aan: samba at lists.samba.org >>Onderwerp: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >> >>Good Day All >> >>I have a current working configuration of sernet-samba-4.2.1, >>created by >>upgrading from a samba3 PDC using the classic upgrade. >> >>Now, I have added a windows 2008 machine to the domain and I'm >>using the AD >>snap in tools in order to browse the domain. >> >>I can see all the users and groups and they have been imported >>correctly. >>However I am able to remote desktop to the domain machines >>only with the >>user "Administrator at ccdc.lan"; no other user is able to RDP. >>Furthermore I am able to add machines to the domain only form >the users >>Administrator, and not from any other user. I have been using >the Group >>Policy Manager from the window administrative tool in order >>to grant logon >>rights to all the users belonging to the Domain User group; >>furthermore I >>have added the users to the group Remote Desktop users, but >>still I have no >>success at all. at the moment the group policies looks like this: >> >>root at ccdc-samba4:/# samba-tool gpo listall >>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>display name : Default Domain Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>dn : CN>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 3 >>flags : NONE >> >>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>display name : Default Domain Controllers Policy >>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>dn : CN>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>=ccdc,DC=lan >>version : 7 >>flags : NONE >> >> >>while from the GPM looks like this: >> >>(Embedded image moved to file: pic08924.gif) >> >> >> >>I have also run gpupdate /force from he windows machine and If I do >>samba-tool gpo fetch <Domain Policy> I am able to see the >>changes I have >>done from the windows snap in >> >> >>I am unsure now where the problem lies, are the GPO I have >>modified being >>applied correctly on samba 4 OR is the GPO itself that is not >>configured >>correctly in order to allow RDP (and add machine to domain)? >>Or any other >>issue? >> >>Note that all this was working correctly when I did the same >>test upgrade >>from samba 3 to samba 4.1.6 >> >>also I am able to login to every machine in the domain using >>my domain user >>when logging in locally. >> >>Any idea / suggestion? >> >> >>thanks! >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic19418.gif)-- >>To unsubscribe from this list go to the following URL and read the >>instructions: https://lists.samba.org/mailman/options/samba >> > > >-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2015-May-01 13:40 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
Great is you would help also in debugging this. and just a notice.. You do know that .lan is reserved by apples mDNS. (zeroconf) --------------------------------------------------- ( copy of Andrew's tekst.. ) Please re-try with git master, as I understand patches to fix this have been committed. If that doesn't help, can you get a level 10 debug with this, and with the default configuration, and put it on bug https://bugzilla.samba.org/show_bug.cgi?id=11061 I need specifically the time that the hang happens. As a developer I still don't see how this area of code changes with a change to the auth methods, so I'm most curious but even more so, most puzzled . Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba --------------------------------------------------->-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:35 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org; samba-bounces at lists.samba.org >Onderwerp: Re: [Samba] After the classicupgrade from samba3 >tosernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >ok this is my smb.conf file now > > ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No > > >still same error on the windows machine > >It looks like that the GPO are now applied when we do not define the >directive > >"auth methods = sam, winbind, ntdomain, ntdomain:winbind" > >let me know if you need any other debugging info, I'm happy to >hel (and get >this sorted :D) > >thanks > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic03533.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 14:24 >Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to >remote desktop > anymore ( bug11061 ) >Sent by: samba-bounces at lists.samba.org > > > >Hello Mario , > >what if you try these : > >dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >eventlog6, backupkey, >dnsserver, remote, winreg, srvsvc >auth methods = sam, winbind, ntdomain, ntdomain:winbind > >!! these are only for helping in debugging and should not be used in >production. >!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem >(solved) >!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > >so if you want to help debuggen, that would be nice. see >bug-id in subject. > >In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >auth methods = sam, winbind is sufficient to login with rdp. >so if we can find what we need to get GPO workin also, that >might help the >developers. > >I'll set some GPOs in my test and try again also. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:08 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org >>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >>Thanks Luis >> >>I've changed the smb.conf as you said, now it looks like this: >> >> >>root at ccdc-samba4:~# cat /etc/samba/smb.conf >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >>root at ccdc-samba4:~# >> >> >>however from the windows machine when i try to update the >>group policies, I >>am now getting this errors: >> >> >> >>Microsoft Windows [Version 6.1.7601] >>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >>C:\Users\Administrator.CCDC>gpupdate /force >>Updating Policy... >> >>User policy could not be updated successfully. The following >>errors were >>encount >>ered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >>Computer policy could not be updated successfully. The >following errors >>were enc >>ountered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >> >>To diagnose the failure, review the event log or run GPRESULT /H >>GPReport.html f >>rom the command line to access information about Group Policy results. >> >>C:\Users\Administrator.CCDC> >> >> >> >> >> >>I'm still unable to login with normal users via RDP >> >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic60454.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 13:55 >>Subject: RE: [Samba] After the classicupgrade >from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >>correct. >> >>bug still exists, just tested also on latest git master. >>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >>temp solution. >> >>try adding : >>auth methods = sam, winbind >>to smb.conf on the dc and restart the DC. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: mariopiorusso at ie.ibm.com >>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>Verzonden: vrijdag 1 mei 2015 14:51 >>>Aan: samba at lists.samba.org >>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>>Good Day All >>> >>>I have a current working configuration of sernet-samba-4.2.1, >>>created by >>>upgrading from a samba3 PDC using the classic upgrade. >>> >>>Now, I have added a windows 2008 machine to the domain and I'm >>>using the AD >>>snap in tools in order to browse the domain. >>> >>>I can see all the users and groups and they have been imported >>>correctly. >>>However I am able to remote desktop to the domain machines >>>only with the >>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>Furthermore I am able to add machines to the domain only form >>the users >>>Administrator, and not from any other user. I have been using >>the Group >>>Policy Manager from the window administrative tool in order >>>to grant logon >>>rights to all the users belonging to the Domain User group; >>>furthermore I >>>have added the users to the group Remote Desktop users, but >>>still I have no >>>success at all. at the moment the group policies looks like this: >>> >>>root at ccdc-samba4:/# samba-tool gpo listall >>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>display name : Default Domain Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>dn : CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 3 >>>flags : NONE >>> >>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>display name : Default Domain Controllers Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>dn : CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 7 >>>flags : NONE >>> >>> >>>while from the GPM looks like this: >>> >>>(Embedded image moved to file: pic08924.gif) >>> >>> >>> >>>I have also run gpupdate /force from he windows machine and If I do >>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>changes I have >>>done from the windows snap in >>> >>> >>>I am unsure now where the problem lies, are the GPO I have >>>modified being >>>applied correctly on samba 4 OR is the GPO itself that is not >>>configured >>>correctly in order to allow RDP (and add machine to domain)? >>>Or any other >>>issue? >>> >>>Note that all this was working correctly when I did the same >>>test upgrade >>>from samba 3 to samba 4.1.6 >>> >>>also I am able to login to every machine in the domain using >>>my domain user >>>when logging in locally. >>> >>>Any idea / suggestion? >>> >>> >>>thanks! >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic19418.gif)-- >>>To unsubscribe from this list go to the following URL and read the >>>instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > > >
L.P.H. van Belle
2015-May-01 13:49 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
while im reading.. im seeing : getfacl: Removing leading '/' from absolute path names # file: var/lib/samba/sysvol # owner: root # group: 544 your using : idmap_ldb:use rfc2307 = yes but i dont see a complete smb.conf for a rfc2307 setup. please also read : https://wiki.samba.org/index.php/RFC2307_backend so im puzzel what your backend is set to (AD or RID) and what the ranges are. Greetz, louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:35 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org; samba-bounces at lists.samba.org >Onderwerp: Re: [Samba] After the classicupgrade from samba3 >tosernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >ok this is my smb.conf file now > > ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No > > >still same error on the windows machine > >It looks like that the GPO are now applied when we do not define the >directive > >"auth methods = sam, winbind, ntdomain, ntdomain:winbind" > >let me know if you need any other debugging info, I'm happy to >hel (and get >this sorted :D) > >thanks > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic03533.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 14:24 >Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to >remote desktop > anymore ( bug11061 ) >Sent by: samba-bounces at lists.samba.org > > > >Hello Mario , > >what if you try these : > >dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >eventlog6, backupkey, >dnsserver, remote, winreg, srvsvc >auth methods = sam, winbind, ntdomain, ntdomain:winbind > >!! these are only for helping in debugging and should not be used in >production. >!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem >(solved) >!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > >so if you want to help debuggen, that would be nice. see >bug-id in subject. > >In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >auth methods = sam, winbind is sufficient to login with rdp. >so if we can find what we need to get GPO workin also, that >might help the >developers. > >I'll set some GPOs in my test and try again also. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:08 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org >>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >>Thanks Luis >> >>I've changed the smb.conf as you said, now it looks like this: >> >> >>root at ccdc-samba4:~# cat /etc/samba/smb.conf >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >>root at ccdc-samba4:~# >> >> >>however from the windows machine when i try to update the >>group policies, I >>am now getting this errors: >> >> >> >>Microsoft Windows [Version 6.1.7601] >>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >>C:\Users\Administrator.CCDC>gpupdate /force >>Updating Policy... >> >>User policy could not be updated successfully. The following >>errors were >>encount >>ered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >>Computer policy could not be updated successfully. The >following errors >>were enc >>ountered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >> >>To diagnose the failure, review the event log or run GPRESULT /H >>GPReport.html f >>rom the command line to access information about Group Policy results. >> >>C:\Users\Administrator.CCDC> >> >> >> >> >> >>I'm still unable to login with normal users via RDP >> >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic60454.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 13:55 >>Subject: RE: [Samba] After the classicupgrade >from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >>correct. >> >>bug still exists, just tested also on latest git master. >>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >>temp solution. >> >>try adding : >>auth methods = sam, winbind >>to smb.conf on the dc and restart the DC. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: mariopiorusso at ie.ibm.com >>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>Verzonden: vrijdag 1 mei 2015 14:51 >>>Aan: samba at lists.samba.org >>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>>Good Day All >>> >>>I have a current working configuration of sernet-samba-4.2.1, >>>created by >>>upgrading from a samba3 PDC using the classic upgrade. >>> >>>Now, I have added a windows 2008 machine to the domain and I'm >>>using the AD >>>snap in tools in order to browse the domain. >>> >>>I can see all the users and groups and they have been imported >>>correctly. >>>However I am able to remote desktop to the domain machines >>>only with the >>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>Furthermore I am able to add machines to the domain only form >>the users >>>Administrator, and not from any other user. I have been using >>the Group >>>Policy Manager from the window administrative tool in order >>>to grant logon >>>rights to all the users belonging to the Domain User group; >>>furthermore I >>>have added the users to the group Remote Desktop users, but >>>still I have no >>>success at all. at the moment the group policies looks like this: >>> >>>root at ccdc-samba4:/# samba-tool gpo listall >>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>display name : Default Domain Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>dn : CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 3 >>>flags : NONE >>> >>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>display name : Default Domain Controllers Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>dn : CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 7 >>>flags : NONE >>> >>> >>>while from the GPM looks like this: >>> >>>(Embedded image moved to file: pic08924.gif) >>> >>> >>> >>>I have also run gpupdate /force from he windows machine and If I do >>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>changes I have >>>done from the windows snap in >>> >>> >>>I am unsure now where the problem lies, are the GPO I have >>>modified being >>>applied correctly on samba 4 OR is the GPO itself that is not >>>configured >>>correctly in order to allow RDP (and add machine to domain)? >>>Or any other >>>issue? >>> >>>Note that all this was working correctly when I did the same >>>test upgrade >>>from samba 3 to samba 4.1.6 >>> >>>also I am able to login to every machine in the domain using >>>my domain user >>>when logging in locally. >>> >>>Any idea / suggestion? >>> >>> >>>thanks! >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic19418.gif)-- >>>To unsubscribe from this list go to the following URL and read the >>>instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > > >
Steve Ankeny
2015-May-01 14:29 UTC
[Samba] After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
On Samba AD DC most of these enpoint server are already running -- dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, mapiproxy Use samba-tool testparm -v first before adding them to the smb.conf I say this because I could not "join" Windows clients to Samba with these running from smb.conf Rowland indicated these stopped certain other services -- wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey https://lists.samba.org/archive/samba/2015-February/189171.html On 05/01/2015 09:34 AM, Mario Pio Russo wrote:> ok this is my smb.conf file now > > > # Global parameters > [global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, > backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > > [netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > still same error on the windows machine > > It looks like that the GPO are now applied when we do not define the > directive > > "auth methods = sam, winbind, ntdomain, ntdomain:winbind" > > let me know if you need any other debugging info, I'm happy to hel (and get > this sorted :D) > > thanks > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic32512.gif) > > > > From: "L.P.H. van Belle" <belle at bazuin.nl> > To: "samba at lists.samba.org" <samba at lists.samba.org> > Cc: Mario Pio Russo/Ireland/IBM at IBMIE > Date: 01/05/2015 14:24 > Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to remote desktop > anymore ( bug11061 ) > Sent by: samba-bounces at lists.samba.org > > > > Hello Mario , > > what if you try these : > > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, > lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, > dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > > !! these are only for helping in debugging and should not be used in > production. > !! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem > (solved) > !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > > so if you want to help debuggen, that would be nice. see bug-id in subject. > > In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) > auth methods = sam, winbind is sufficient to login with rdp. > so if we can find what we need to get GPO workin also, that might help the > developers. > > I'll set some GPOs in my test and try again also. > > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >> Verzonden: vrijdag 1 mei 2015 15:08 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >> Thanks Luis >> >> I've changed the smb.conf as you said, now it looks like this: >> >> >> root at ccdc-samba4:~# cat /etc/samba/smb.conf >> # Global parameters >> [global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >> [netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> root at ccdc-samba4:~# >> >> >> however from the windows machine when i try to update the >> group policies, I >> am now getting this errors: >> >> >> >> Microsoft Windows [Version 6.1.7601] >> Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >> C:\Users\Administrator.CCDC>gpupdate /force >> Updating Policy... >> >> User policy could not be updated successfully. The following >> errors were >> encount >> ered: >> >> The processing of Group Policy failed. Windows attempted to >> read the file >> \\ccdc >> .lan\sysvol\ccdc.lan\Policies >> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >> m a domain controller and was not successful. Group Policy >> settings may not >> be a >> pplied until this event is resolved. This issue may be >> transient and could >> be ca >> used by one or more of the following: >> a) Name Resolution/Network Connectivity to the current domain >> controller. >> b) File Replication Service Latency (a file created on another domain >> controller >> has not replicated to the current domain controller). >> c) The Distributed File System (DFS) client has been disabled. >> Computer policy could not be updated successfully. The following errors >> were enc >> ountered: >> >> The processing of Group Policy failed. Windows attempted to >> read the file >> \\ccdc >> .lan\sysvol\ccdc.lan\Policies >> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >> m a domain controller and was not successful. Group Policy >> settings may not >> be a >> pplied until this event is resolved. This issue may be >> transient and could >> be ca >> used by one or more of the following: >> a) Name Resolution/Network Connectivity to the current domain >> controller. >> b) File Replication Service Latency (a file created on another domain >> controller >> has not replicated to the current domain controller). >> c) The Distributed File System (DFS) client has been disabled. >> >> To diagnose the failure, review the event log or run GPRESULT /H >> GPReport.html f >> rom the command line to access information about Group Policy results. >> >> C:\Users\Administrator.CCDC> >> >> >> >> >> >> I'm still unable to login with normal users via RDP >> >> >> _______________________________________________________________ >> ____________________________ >> >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >> FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland >> with number >> 92815. Registered Office: IBM House, Shelbourne Road, >> Ballsbridge, Dublin 4 >> >> (Embedded image moved to file: pic60454.gif) >> >> >> >> From: "L.P.H. van Belle" <belle at bazuin.nl> >> To: "samba at lists.samba.org" <samba at lists.samba.org> >> Cc: Mario Pio Russo/Ireland/IBM at IBMIE >> Date: 01/05/2015 13:55 >> Subject: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >> correct. >> >> bug still exists, just tested also on latest git master. >> see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >> temp solution. >> >> try adding : >> auth methods = sam, winbind >> to smb.conf on the dc and restart the DC. >> >> >> Greetz, >> >> Louis >> >> >>> -----Oorspronkelijk bericht----- >>> Van: mariopiorusso at ie.ibm.com >>> [mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>> Verzonden: vrijdag 1 mei 2015 14:51 >>> Aan: samba at lists.samba.org >>> Onderwerp: [Samba] After the classicupgrade from samba3 to >>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>> Good Day All >>> >>> I have a current working configuration of sernet-samba-4.2.1, >>> created by >>> upgrading from a samba3 PDC using the classic upgrade. >>> >>> Now, I have added a windows 2008 machine to the domain and I'm >>> using the AD >>> snap in tools in order to browse the domain. >>> >>> I can see all the users and groups and they have been imported >>> correctly. >>> However I am able to remote desktop to the domain machines >>> only with the >>> user "Administrator at ccdc.lan"; no other user is able to RDP. >>> Furthermore I am able to add machines to the domain only form >> the users >>> Administrator, and not from any other user. I have been using >> the Group >>> Policy Manager from the window administrative tool in order >>> to grant logon >>> rights to all the users belonging to the Domain User group; >>> furthermore I >>> have added the users to the group Remote Desktop users, but >>> still I have no >>> success at all. at the moment the group policies looks like this: >>> >>> root at ccdc-samba4:/# samba-tool gpo listall >>> GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>> display name : Default Domain Policy >>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>> \{31B2F340-016D-11D2-945F-00C04FB984F9} >>> dn : CN>>> {31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>> =ccdc,DC=lan >>> version : 3 >>> flags : NONE >>> >>> GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>> display name : Default Domain Controllers Policy >>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>> \{6AC1786C-016F-11D2-945F-00C04FB984F9} >>> dn : CN>>> {6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>> =ccdc,DC=lan >>> version : 7 >>> flags : NONE >>> >>> >>> while from the GPM looks like this: >>> >>> (Embedded image moved to file: pic08924.gif) >>> >>> >>> >>> I have also run gpupdate /force from he windows machine and If I do >>> samba-tool gpo fetch <Domain Policy> I am able to see the >>> changes I have >>> done from the windows snap in >>> >>> >>> I am unsure now where the problem lies, are the GPO I have >>> modified being >>> applied correctly on samba 4 OR is the GPO itself that is not >>> configured >>> correctly in order to allow RDP (and add machine to domain)? >>> Or any other >>> issue? >>> >>> Note that all this was working correctly when I did the same >>> test upgrade >> >from samba 3 to samba 4.1.6 >>> also I am able to login to every machine in the domain using >>> my domain user >>> when logging in locally. >>> >>> Any idea / suggestion? >>> >>> >>> thanks! >>> >>> _______________________________________________________________ >>> ____________________________ >>> >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>> FAX: +353 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland >>> with number >>> 92815. Registered Office: IBM House, Shelbourne Road, >>> Ballsbridge, Dublin 4 >>> >>> (Embedded image moved to file: pic19418.gif)-- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > >
Mario Pio Russo
2015-May-01 14:48 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
yeah I'm confused too. I think AD is the backend to be honest. that parameter was automatically added to the smb.conf when running the classigupgrade. nothig else has been populated. I can def try to give it a go with the parameters set on the link you sent me. It's a strange behaviour tho, I am still unsure if I have run in bug https://bugzilla.samba.org/show_bug.cgi?id=11061 or I am still a step behind that bug. neverthless, with the native 4.1.6 all was working fine ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic31983.gif) From: "L.P.H. van Belle" <belle at bazuin.nl> To: Mario Pio Russo/Ireland/IBM at IBMIE Cc: "samba at lists.samba.org" <samba at lists.samba.org> Date: 01/05/2015 14:50 Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 ) while im reading.. im seeing : getfacl: Removing leading '/' from absolute path names # file: var/lib/samba/sysvol # owner: root # group: 544 your using : idmap_ldb:use rfc2307 = yes but i dont see a complete smb.conf for a rfc2307 setup. please also read : https://wiki.samba.org/index.php/RFC2307_backend so im puzzel what your backend is set to (AD or RID) and what the ranges are. Greetz, louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 15:35 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org; samba-bounces at lists.samba.org >Onderwerp: Re: [Samba] After the classicupgrade from samba3 >tosernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >ok this is my smb.conf file now > > ># Global parameters >[global] > workgroup = CCDC > realm = CCDC.LAN > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > ##For debugging > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >browser, eventlog6, >backupkey, dnsserver, remote, winreg, srvsvc > auth methods = sam, winbind, ntdomain, ntdomain:winbind > >[netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > >[sysvol] > path = /var/lib/samba/sysvol > read only = No > > >still same error on the windows machine > >It looks like that the GPO are now applied when we do not define the >directive > >"auth methods = sam, winbind, ntdomain, ntdomain:winbind" > >let me know if you need any other debugging info, I'm happy to >hel (and get >this sorted :D) > >thanks > >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic03533.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: "samba at lists.samba.org" <samba at lists.samba.org> >Cc: Mario Pio Russo/Ireland/IBM at IBMIE >Date: 01/05/2015 14:24 >Subject: Re: [Samba] After the classicupgrade from samba3 > tosernet-samba-4.2.1 , users are not able to >remote desktop > anymore ( bug11061 ) >Sent by: samba-bounces at lists.samba.org > > > >Hello Mario , > >what if you try these : > >dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >eventlog6, backupkey, >dnsserver, remote, winreg, srvsvc >auth methods = sam, winbind, ntdomain, ntdomain:winbind > >!! these are only for helping in debugging and should not be used in >production. >!! see all the e-mails with subject : Re: [Samba] samba 4.2 RDP problem >(solved) >!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett > >so if you want to help debuggen, that would be nice. see >bug-id in subject. > >In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >auth methods = sam, winbind is sufficient to login with rdp. >so if we can find what we need to get GPO workin also, that >might help the >developers. > >I'll set some GPOs in my test and try again also. > > >Greetz, > >Louis > > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:08 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org >>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>sernet-samba-4.2.1 , users are not able to remote desktop anymore >> >>Thanks Luis >> >>I've changed the smb.conf as you said, now it looks like this: >> >> >>root at ccdc-samba4:~# cat /etc/samba/smb.conf >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> auth methods = sam, winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >>root at ccdc-samba4:~# >> >> >>however from the windows machine when i try to update the >>group policies, I >>am now getting this errors: >> >> >> >>Microsoft Windows [Version 6.1.7601] >>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >> >>C:\Users\Administrator.CCDC>gpupdate /force >>Updating Policy... >> >>User policy could not be updated successfully. The following >>errors were >>encount >>ered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >>Computer policy could not be updated successfully. The >following errors >>were enc >>ountered: >> >>The processing of Group Policy failed. Windows attempted to >>read the file >>\\ccdc >>.lan\sysvol\ccdc.lan\Policies >>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>m a domain controller and was not successful. Group Policy >>settings may not >>be a >>pplied until this event is resolved. This issue may be >>transient and could >>be ca >>used by one or more of the following: >>a) Name Resolution/Network Connectivity to the current domain >>controller. >>b) File Replication Service Latency (a file created on another domain >>controller >> has not replicated to the current domain controller). >>c) The Distributed File System (DFS) client has been disabled. >> >>To diagnose the failure, review the event log or run GPRESULT /H >>GPReport.html f >>rom the command line to access information about Group Policy results. >> >>C:\Users\Administrator.CCDC> >> >> >> >> >> >>I'm still unable to login with normal users via RDP >> >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic60454.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 13:55 >>Subject: RE: [Samba] After the classicupgrade >from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore >> >> >> >>correct. >> >>bug still exists, just tested also on latest git master. >>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> >>temp solution. >> >>try adding : >>auth methods = sam, winbind >>to smb.conf on the dc and restart the DC. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: mariopiorusso at ie.ibm.com >>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>Verzonden: vrijdag 1 mei 2015 14:51 >>>Aan: samba at lists.samba.org >>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>> >>>Good Day All >>> >>>I have a current working configuration of sernet-samba-4.2.1, >>>created by >>>upgrading from a samba3 PDC using the classic upgrade. >>> >>>Now, I have added a windows 2008 machine to the domain and I'm >>>using the AD >>>snap in tools in order to browse the domain. >>> >>>I can see all the users and groups and they have been imported >>>correctly. >>>However I am able to remote desktop to the domain machines >>>only with the >>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>Furthermore I am able to add machines to the domain only form >>the users >>>Administrator, and not from any other user. I have been using >>the Group >>>Policy Manager from the window administrative tool in order >>>to grant logon >>>rights to all the users belonging to the Domain User group; >>>furthermore I >>>have added the users to the group Remote Desktop users, but >>>still I have no >>>success at all. at the moment the group policies looks like this: >>> >>>root at ccdc-samba4:/# samba-tool gpo listall >>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>display name : Default Domain Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>dn : CN>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 3 >>>flags : NONE >>> >>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>display name : Default Domain Controllers Policy >>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>dn : CN>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>=ccdc,DC=lan >>>version : 7 >>>flags : NONE >>> >>> >>>while from the GPM looks like this: >>> >>>(Embedded image moved to file: pic08924.gif) >>> >>> >>> >>>I have also run gpupdate /force from he windows machine and If I do >>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>changes I have >>>done from the windows snap in >>> >>> >>>I am unsure now where the problem lies, are the GPO I have >>>modified being >>>applied correctly on samba 4 OR is the GPO itself that is not >>>configured >>>correctly in order to allow RDP (and add machine to domain)? >>>Or any other >>>issue? >>> >>>Note that all this was working correctly when I did the same >>>test upgrade >>>from samba 3 to samba 4.1.6 >>> >>>also I am able to login to every machine in the domain using >>>my domain user >>>when logging in locally. >>> >>>Any idea / suggestion? >>> >>> >>>thanks! >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic19418.gif)-- >>>To unsubscribe from this list go to the following URL and read the >>>instructions: https://lists.samba.org/mailman/options/samba >>> >> >> >> > >-- >To unsubscribe from this list go to the following URL and read the >instructions: https://lists.samba.org/mailman/options/samba > > >
Mario Pio Russo
2015-Jun-04 13:57 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
guys sorry to take this thread onboard once more, but I still can't get this sorted. I have compiled the latest tarball from samba, 4.2.2 . compilation works fine and after that I am able to upgrade from samba 3 with the following command: samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee upgrade.log the upgrade works fine as far as I can see, samba starts and I am able to RDP using my domain admin rights. however I am not able to RDP using any other user. the error i get is: "The connection is denied because the user account is not authorized for remote login" however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan cn: mariopio instanceType: 4 whenCreated: 20150604120049.0Z whenChanged: 20150604120049.0Z uSNCreated: 6165 name: mariopio objectGUID:: cBOr+Abs90yYT6r612524Q=badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogon: 0 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA=logonCount: 0 sAMAccountName: mariopio sAMAccountType: 805306368 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan pwdLastSet: 130746879650000000 displayName: Mario Pio Russo/Ireland/IBM scriptPath: logon.bat accountExpires: 137919572470000000 lastLogoff: 137919572470000000 logonHours:: //////////////////////////// userAccountControl: 512 description: mariopiorusso at ie.ibm.com uidNumber: 3638 objectClass: top objectClass: posixAccount objectClass: person objectClass: organizationalPerson objectClass: user unixHomeDirectory: /home/mariopio loginShell: /bin/bash gidNumber: 513 msSFU30NisDomain: ccdc uSNChanged: 6169 memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan This is my smb.conf cat /etc/samba/smb.conf # Global parameters [global] workgroup = CCDC realm = ccdc.lan netbios name = CCDC-SAMBA4 server role = active directory domain controller server services = -winbindd +winbind auth methods = winbind, sam idmap_ldb:use rfc2307 = yes dns forwarder = 9.0.138.50 idmap config CCDC:backend = ad idmap config CCDC:schema_mode = rfc2307 idmap config CCDC:range = 10000-40000 # Store UIDs/GIDs for all other domains (including local # accounts/groups of this server) in a tdb file idmap config *:backend = tdb idmap config *:range = 2000-9999 # Use home directory and shell information from AD winbind nss info = rfc2307 [netlogon] path = /var/lib/samba/sysvol/ccdc.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No any suggestion? ___________________________________________________________________________________________ Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 (Embedded image moved to file: pic18258.gif) From: "L.P.H. van Belle" <belle at bazuin.nl> To: Mario Pio Russo/Ireland/IBM at IBMIE Date: 01/05/2015 16:00 Subject: RE: [Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 ) yes, you did hit that bug, like lots of us.. 4.1.x was ok yes. you can also try this one. ( remove the others ) for the 4.2.1 samba server services = -winbindd +winbind and use the old winbind behavoir. and you should get my scripts, change it for ubuntu. ( mail me the changes ;-) ) and you have a clean and quick setup. look here. https://secure.bazuin.nl/scripts/ read the 0-README-FIRST.TXT file I think most wil work for ubuntu. Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh Have a nice weekend.. Greetz, Louis>-----Oorspronkelijk bericht----- >Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >Verzonden: vrijdag 1 mei 2015 16:49 >Aan: L.P.H. van Belle >CC: samba at lists.samba.org >Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >sernet-samba-4.2.1 , users are not able to remote desktop >anymore ( bug11061 ) > >yeah I'm confused too. I think AD is the backend to be honest. that >parameter was automatically added to the smb.conf when running the >classigupgrade. nothig else has been populated. > >I can def try to give it a go with the parameters set on the >link you sent >me. > >It's a strange behaviour tho, I am still unsure if I have run in bug >https://bugzilla.samba.org/show_bug.cgi?id=11061 > >or I am still a step behind that bug. neverthless, with the >native 4.1.6 >all was working fine >_______________________________________________________________ >____________________________ > >Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >FAX: +353 1 >815 2236, eMail: mariopiorusso at ie.ibm.com >IBM Ireland Product Distribution Limited registered in Ireland >with number >92815. Registered Office: IBM House, Shelbourne Road, >Ballsbridge, Dublin 4 > >(Embedded image moved to file: pic57978.gif) > > > >From: "L.P.H. van Belle" <belle at bazuin.nl> >To: Mario Pio Russo/Ireland/IBM at IBMIE >Cc: "samba at lists.samba.org" <samba at lists.samba.org> >Date: 01/05/2015 14:50 >Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore ( bug11061 ) > > > >while im reading.. > >im seeing : >getfacl: Removing leading '/' from absolute path names ># file: var/lib/samba/sysvol ># owner: root ># group: 544 > > >your using : >idmap_ldb:use rfc2307 = yes >but i dont see a complete smb.conf for a rfc2307 setup. > >please also read : https://wiki.samba.org/index.php/RFC2307_backend > >so im puzzel what your backend is set to (AD or RID) and what >the ranges >are. > > > >Greetz, > >louis > >>-----Oorspronkelijk bericht----- >>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>Verzonden: vrijdag 1 mei 2015 15:35 >>Aan: L.P.H. van Belle >>CC: samba at lists.samba.org; samba-bounces at lists.samba.org >>Onderwerp: Re: [Samba] After the classicupgrade from samba3 >>tosernet-samba-4.2.1 , users are not able to remote desktop >>anymore ( bug11061 ) >> >>ok this is my smb.conf file now >> >> >># Global parameters >>[global] >> workgroup = CCDC >> realm = CCDC.LAN >> netbios name = CCDC-SAMBA4 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> dns forwarder = 9.0.138.50 >> ##For debugging >> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >>netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >>browser, eventlog6, >>backupkey, dnsserver, remote, winreg, srvsvc >> auth methods = sam, winbind, ntdomain, ntdomain:winbind >> >>[netlogon] >> path = /var/lib/samba/sysvol/ccdc.lan/scripts >> read only = No >> >>[sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> >>still same error on the windows machine >> >>It looks like that the GPO are now applied when we do not define the >>directive >> >>"auth methods = sam, winbind, ntdomain, ntdomain:winbind" >> >>let me know if you need any other debugging info, I'm happy to >>hel (and get >>this sorted :D) >> >>thanks >> >>_______________________________________________________________ >>____________________________ >> >>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>FAX: +353 1 >>815 2236, eMail: mariopiorusso at ie.ibm.com >>IBM Ireland Product Distribution Limited registered in Ireland >>with number >>92815. Registered Office: IBM House, Shelbourne Road, >>Ballsbridge, Dublin 4 >> >>(Embedded image moved to file: pic03533.gif) >> >> >> >>From: "L.P.H. van Belle" <belle at bazuin.nl> >>To: "samba at lists.samba.org" <samba at lists.samba.org> >>Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>Date: 01/05/2015 14:24 >>Subject: Re: [Samba] After the classicupgrade >from samba3 >> tosernet-samba-4.2.1 , users are notable to>>remote desktop >> anymore ( bug11061 ) >>Sent by: samba-bounces at lists.samba.org >> >> >> >>Hello Mario , >> >>what if you try these : >> >>dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >>lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >>eventlog6, backupkey, >>dnsserver, remote, winreg, srvsvc >>auth methods = sam, winbind, ntdomain, ntdomain:winbind >> >>!! these are only for helping in debugging and should not be used in >>production. >>!! see all the e-mails with subject : Re: [Samba] samba 4.2 >RDP problem >>(solved) >>!! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett >> >>so if you want to help debuggen, that would be nice. see >>bug-id in subject. >> >>In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >>auth methods = sam, winbind is sufficient to login with rdp. >>so if we can find what we need to get GPO workin also, that >>might help the >>developers. >> >>I'll set some GPOs in my test and try again also. >> >> >>Greetz, >> >>Louis >> >> >>>-----Oorspronkelijk bericht----- >>>Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>>Verzonden: vrijdag 1 mei 2015 15:08 >>>Aan: L.P.H. van Belle >>>CC: samba at lists.samba.org >>>Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>> >>>Thanks Luis >>> >>>I've changed the smb.conf as you said, now it looks like this: >>> >>> >>>root at ccdc-samba4:~# cat /etc/samba/smb.conf >>># Global parameters >>>[global] >>> workgroup = CCDC >>> realm = CCDC.LAN >>> netbios name = CCDC-SAMBA4 >>> server role = active directory domain controller >>> idmap_ldb:use rfc2307 = yes >>> dns forwarder = 9.0.138.50 >>> auth methods = sam, winbind >>> >>>[netlogon] >>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>> read only = No >>> >>>[sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>>root at ccdc-samba4:~# >>> >>> >>>however from the windows machine when i try to update the >>>group policies, I >>>am now getting this errors: >>> >>> >>> >>>Microsoft Windows [Version 6.1.7601] >>>Copyright (c) 2009 Microsoft Corporation. All rights reserved. >>> >>>C:\Users\Administrator.CCDC>gpupdate /force >>>Updating Policy... >>> >>>User policy could not be updated successfully. The following >>>errors were >>>encount >>>ered: >>> >>>The processing of Group Policy failed. Windows attempted to >>>read the file >>>\\ccdc >>>.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>m a domain controller and was not successful. Group Policy >>>settings may not >>>be a >>>pplied until this event is resolved. This issue may be >>>transient and could >>>be ca >>>used by one or more of the following: >>>a) Name Resolution/Network Connectivity to the current domain >>>controller. >>>b) File Replication Service Latency (a file created on another domain >>>controller >>> has not replicated to the current domain controller). >>>c) The Distributed File System (DFS) client has been disabled. >>>Computer policy could not be updated successfully. The >>following errors >>>were enc >>>ountered: >>> >>>The processing of Group Policy failed. Windows attempted to >>>read the file >>>\\ccdc >>>.lan\sysvol\ccdc.lan\Policies >>>\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>m a domain controller and was not successful. Group Policy >>>settings may not >>>be a >>>pplied until this event is resolved. This issue may be >>>transient and could >>>be ca >>>used by one or more of the following: >>>a) Name Resolution/Network Connectivity to the current domain >>>controller. >>>b) File Replication Service Latency (a file created on another domain >>>controller >>> has not replicated to the current domain controller). >>>c) The Distributed File System (DFS) client has been disabled. >>> >>>To diagnose the failure, review the event log or run GPRESULT /H >>>GPReport.html f >>>rom the command line to access information about Group >Policy results. >>> >>>C:\Users\Administrator.CCDC> >>> >>> >>> >>> >>> >>>I'm still unable to login with normal users via RDP >>> >>> >>>_______________________________________________________________ >>>____________________________ >>> >>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>FAX: +353 1 >>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>IBM Ireland Product Distribution Limited registered in Ireland >>>with number >>>92815. Registered Office: IBM House, Shelbourne Road, >>>Ballsbridge, Dublin 4 >>> >>>(Embedded image moved to file: pic60454.gif) >>> >>> >>> >>>From: "L.P.H. van Belle"><belle at bazuin.nl> >>>To:"samba at lists.samba.org"><samba at lists.samba.org> >>>Cc: Mario PioRusso/Ireland/IBM at IBMIE>>>Date: 01/05/2015 13:55 >>>Subject: RE: [Samba] Afterthe>classicupgrade >>from samba3 to >>> sernet-samba-4.2.1 , users are not able to remote desktop >>> anymore >>> >>> >>> >>>correct. >>> >>>bug still exists, just tested also on latest git master. >>>see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >>> >>> >>>temp solution. >>> >>>try adding : >>>auth methods = sam, winbind >>>to smb.conf on the dc and restart the DC. >>> >>> >>>Greetz, >>> >>>Louis >>> >>> >>>>-----Oorspronkelijk bericht----- >>>>Van: mariopiorusso at ie.ibm.com >>>>[mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>>Verzonden: vrijdag 1 mei 2015 14:51 >>>>Aan: samba at lists.samba.org >>>>Onderwerp: [Samba] After the classicupgrade from samba3 to >>>>sernet-samba-4.2.1 , users are not able to remote desktop anymore >>>> >>>> >>>>Good Day All >>>> >>>>I have a current working configuration of sernet-samba-4.2.1, >>>>created by >>>>upgrading from a samba3 PDC using the classic upgrade. >>>> >>>>Now, I have added a windows 2008 machine to the domain and I'm >>>>using the AD >>>>snap in tools in order to browse the domain. >>>> >>>>I can see all the users and groups and they have been imported >>>>correctly. >>>>However I am able to remote desktop to the domain machines >>>>only with the >>>>user "Administrator at ccdc.lan"; no other user is able to RDP. >>>>Furthermore I am able to add machines to the domain only form >>>the users >>>>Administrator, and not from any other user. I have been using >>>the Group >>>>Policy Manager from the window administrative tool in order >>>>to grant logon >>>>rights to all the users belonging to the Domain User group; >>>>furthermore I >>>>have added the users to the group Remote Desktop users, but >>>>still I have no >>>>success at all. at the moment the group policies looks like this: >>>> >>>>root at ccdc-samba4:/# samba-tool gpo listall >>>>GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>>display name : Default Domain Policy >>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>\{31B2F340-016D-11D2-945F-00C04FB984F9} >>>>dn : CN>>>>{31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>=ccdc,DC=lan >>>>version : 3 >>>>flags : NONE >>>> >>>>GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>display name : Default Domain Controllers Policy >>>>path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>\{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>dn : CN>>>>{6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>=ccdc,DC=lan >>>>version : 7 >>>>flags : NONE >>>> >>>> >>>>while from the GPM looks like this: >>>> >>>>(Embedded image moved to file: pic08924.gif) >>>> >>>> >>>> >>>>I have also run gpupdate /force from he windows machine and If I do >>>>samba-tool gpo fetch <Domain Policy> I am able to see the >>>>changes I have >>>>done from the windows snap in >>>> >>>> >>>>I am unsure now where the problem lies, are the GPO I have >>>>modified being >>>>applied correctly on samba 4 OR is the GPO itself that is not >>>>configured >>>>correctly in order to allow RDP (and add machine to domain)? >>>>Or any other >>>>issue? >>>> >>>>Note that all this was working correctly when I did the same >>>>test upgrade >>>>from samba 3 to samba 4.1.6 >>>> >>>>also I am able to login to every machine in the domain using >>>>my domain user >>>>when logging in locally. >>>> >>>>Any idea / suggestion? >>>> >>>> >>>>thanks! >>>> >>>>_______________________________________________________________ >>>>____________________________ >>>> >>>>Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>>FAX: +353 1 >>>>815 2236, eMail: mariopiorusso at ie.ibm.com >>>>IBM Ireland Product Distribution Limited registered in Ireland >>>>with number >>>>92815. Registered Office: IBM House, Shelbourne Road, >>>>Ballsbridge, Dublin 4 >>>> >>>>(Embedded image moved to file: pic19418.gif)-- >>>>To unsubscribe from this list go to the following URL and read the >>>>instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> >>> >> >>-- >>To unsubscribe from this list go to the following URL and read the >>instructions: https://lists.samba.org/mailman/options/samba >> >> >> > > >
James
2015-Jun-04 14:57 UTC
[Samba] After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
On 6/4/2015 9:57 AM, Mario Pio Russo wrote:> guys sorry to take this thread onboard once more, but I still can't get > this sorted. > > I have compiled the latest tarball from samba, 4.2.2 . compilation works > fine and after that I am able to upgrade from samba 3 with the following > command: > > samba-tool domain classicupgrade --dbdir=/var/lib/samba-ccdc1/dbdir/ > --use-xattrs=yes --realm=ccdc.lan /etc/samba/smb-ccdc1.conf 2>&1 | tee > upgrade.log > > the upgrade works fine as far as I can see, samba starts and I am able to > RDP using my domain admin rights. however I am not able to RDP using any > other user. > > the error i get is: > > "The connection is denied because the user account is not authorized for > remote login" > > however the user I am testing is member of the BUILTIN/REMOTE DESKTOP USERS > > dn: CN=mariopio,CN=Users,DC=ccdc,DC=lan > cn: mariopio > instanceType: 4 > whenCreated: 20150604120049.0Z > whenChanged: 20150604120049.0Z > uSNCreated: 6165 > name: mariopio > objectGUID:: cBOr+Abs90yYT6r612524Q=> badPwdCount: 0 > codePage: 0 > countryCode: 0 > badPasswordTime: 0 > lastLogon: 0 > primaryGroupID: 513 > objectSid:: AQUAAAAAAAUVAAAANxKzmMQKGuPHWLf6VCAAAA=> logonCount: 0 > sAMAccountName: mariopio > sAMAccountType: 805306368 > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ccdc,DC=lan > pwdLastSet: 130746879650000000 > displayName: Mario Pio Russo/Ireland/IBM > scriptPath: logon.bat > accountExpires: 137919572470000000 > lastLogoff: 137919572470000000 > logonHours:: //////////////////////////// > userAccountControl: 512 > description: mariopiorusso at ie.ibm.com > uidNumber: 3638 > objectClass: top > objectClass: posixAccount > objectClass: person > objectClass: organizationalPerson > objectClass: user > unixHomeDirectory: /home/mariopio > loginShell: /bin/bash > gidNumber: 513 > msSFU30NisDomain: ccdc > uSNChanged: 6169 > memberOf: CN=DomainUsers,CN=Users,DC=ccdc,DC=lan > memberOf: CN=Remote Desktop Users,CN=Builtin,DC=ccdc,DC=lan > distinguishedName: CN=mariopio,CN=Users,DC=ccdc,DC=lan > > This is my smb.conf > > cat /etc/samba/smb.conf > # Global parameters > [global] > workgroup = CCDC > realm = ccdc.lan > netbios name = CCDC-SAMBA4 > server role = active directory domain controller > server services = -winbindd +winbind > auth methods = winbind, sam > idmap_ldb:use rfc2307 = yes > dns forwarder = 9.0.138.50 > idmap config CCDC:backend = ad > idmap config CCDC:schema_mode = rfc2307 > idmap config CCDC:range = 10000-40000 > > # Store UIDs/GIDs for all other domains (including local > # accounts/groups of this server) in a tdb file > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > > # Use home directory and shell information from AD > winbind nss info = rfc2307 > > [netlogon] > path = /var/lib/samba/sysvol/ccdc.lan/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > > any suggestion? > > ___________________________________________________________________________________________ > > Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 > 815 2236, eMail: mariopiorusso at ie.ibm.com > IBM Ireland Product Distribution Limited registered in Ireland with number > 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4 > > (Embedded image moved to file: pic18258.gif) > > > > From: "L.P.H. van Belle" <belle at bazuin.nl> > To: Mario Pio Russo/Ireland/IBM at IBMIE > Date: 01/05/2015 16:00 > Subject: RE: [Samba] After the classicupgrade from samba3 to > sernet-samba-4.2.1 , users are not able to remote desktop > anymore ( bug11061 ) > > > > yes, you did hit that bug, like lots of us.. > > 4.1.x was ok yes. > > you can also try this one. ( remove the others ) for the 4.2.1 samba > server services = -winbindd +winbind > > and use the old winbind behavoir. > > and you should get my scripts, change it for ubuntu. ( mail me the > changes ;-) ) > and you have a clean and quick setup. > > look here. > https://secure.bazuin.nl/scripts/ > read the 0-README-FIRST.TXT file > > I think most wil work for ubuntu. > Get this one for the ad install 4-sernet-samba-addc-debian-wheezy.sh > > Have a nice weekend.. > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >> Verzonden: vrijdag 1 mei 2015 16:49 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore ( bug11061 ) >> >> yeah I'm confused too. I think AD is the backend to be honest. that >> parameter was automatically added to the smb.conf when running the >> classigupgrade. nothig else has been populated. >> >> I can def try to give it a go with the parameters set on the >> link you sent >> me. >> >> It's a strange behaviour tho, I am still unsure if I have run in bug >> https://bugzilla.samba.org/show_bug.cgi?id=11061 >> >> or I am still a step behind that bug. neverthless, with the >> native 4.1.6 >> all was working fine >> _______________________________________________________________ >> ____________________________ >> >> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >> FAX: +353 1 >> 815 2236, eMail: mariopiorusso at ie.ibm.com >> IBM Ireland Product Distribution Limited registered in Ireland >> with number >> 92815. Registered Office: IBM House, Shelbourne Road, >> Ballsbridge, Dublin 4 >> >> (Embedded image moved to file: pic57978.gif) >> >> >> >> From: "L.P.H. van Belle" <belle at bazuin.nl> >> To: Mario Pio Russo/Ireland/IBM at IBMIE >> Cc: "samba at lists.samba.org" <samba at lists.samba.org> >> Date: 01/05/2015 14:50 >> Subject: RE: [Samba] After the classicupgrade from samba3 to >> sernet-samba-4.2.1 , users are not able to remote desktop >> anymore ( bug11061 ) >> >> >> >> while im reading.. >> >> im seeing : >> getfacl: Removing leading '/' from absolute path names >> # file: var/lib/samba/sysvol >> # owner: root >> # group: 544 >> >> >> your using : >> idmap_ldb:use rfc2307 = yes >> but i dont see a complete smb.conf for a rfc2307 setup. >> >> please also read : https://wiki.samba.org/index.php/RFC2307_backend >> >> so im puzzel what your backend is set to (AD or RID) and what >> the ranges >> are. >> >> >> >> Greetz, >> >> louis >> >>> -----Oorspronkelijk bericht----- >>> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>> Verzonden: vrijdag 1 mei 2015 15:35 >>> Aan: L.P.H. van Belle >>> CC: samba at lists.samba.org; samba-bounces at lists.samba.org >>> Onderwerp: Re: [Samba] After the classicupgrade from samba3 >>> tosernet-samba-4.2.1 , users are not able to remote desktop >>> anymore ( bug11061 ) >>> >>> ok this is my smb.conf file now >>> >>> >>> # Global parameters >>> [global] >>> workgroup = CCDC >>> realm = CCDC.LAN >>> netbios name = CCDC-SAMBA4 >>> server role = active directory domain controller >>> idmap_ldb:use rfc2307 = yes >>> dns forwarder = 9.0.138.50 >>> ##For debugging >>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, >>> netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, >>> browser, eventlog6, >>> backupkey, dnsserver, remote, winreg, srvsvc >>> auth methods = sam, winbind, ntdomain, ntdomain:winbind >>> >>> [netlogon] >>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>> read only = No >>> >>> [sysvol] >>> path = /var/lib/samba/sysvol >>> read only = No >>> >>> >>> still same error on the windows machine >>> >>> It looks like that the GPO are now applied when we do not define the >>> directive >>> >>> "auth methods = sam, winbind, ntdomain, ntdomain:winbind" >>> >>> let me know if you need any other debugging info, I'm happy to >>> hel (and get >>> this sorted :D) >>> >>> thanks >>> >>> _______________________________________________________________ >>> ____________________________ >>> >>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>> FAX: +353 1 >>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>> IBM Ireland Product Distribution Limited registered in Ireland >>> with number >>> 92815. Registered Office: IBM House, Shelbourne Road, >>> Ballsbridge, Dublin 4 >>> >>> (Embedded image moved to file: pic03533.gif) >>> >>> >>> >>> From: "L.P.H. van Belle" <belle at bazuin.nl> >>> To: "samba at lists.samba.org" <samba at lists.samba.org> >>> Cc: Mario Pio Russo/Ireland/IBM at IBMIE >>> Date: 01/05/2015 14:24 >>> Subject: Re: [Samba] After the classicupgrade > >from samba3 >>> tosernet-samba-4.2.1 , users are not > able to >>> remote desktop >>> anymore ( bug11061 ) >>> Sent by: samba-bounces at lists.samba.org >>> >>> >>> >>> Hello Mario , >>> >>> what if you try these : >>> >>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >>> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, >>> eventlog6, backupkey, >>> dnsserver, remote, winreg, srvsvc >>> auth methods = sam, winbind, ntdomain, ntdomain:winbind >>> >>> !! these are only for helping in debugging and should not be used in >>> production. >>> !! see all the e-mails with subject : Re: [Samba] samba 4.2 >> RDP problem >>> (solved) >>> !! and specialy : ma 27-4-2015 8:37 from Andrew Bartlett >>> >>> so if you want to help debuggen, that would be nice. see >>> bug-id in subject. >>> >>> In my case ( debian wheezy, sernet samba 4.2.1, only default GPO ) >>> auth methods = sam, winbind is sufficient to login with rdp. >>> so if we can find what we need to get GPO workin also, that >>> might help the >>> developers. >>> >>> I'll set some GPOs in my test and try again also. >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Mario Pio Russo [mailto:mariopiorusso at ie.ibm.com] >>>> Verzonden: vrijdag 1 mei 2015 15:08 >>>> Aan: L.P.H. van Belle >>>> CC: samba at lists.samba.org >>>> Onderwerp: RE: [Samba] After the classicupgrade from samba3 to >>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>>> >>>> Thanks Luis >>>> >>>> I've changed the smb.conf as you said, now it looks like this: >>>> >>>> >>>> root at ccdc-samba4:~# cat /etc/samba/smb.conf >>>> # Global parameters >>>> [global] >>>> workgroup = CCDC >>>> realm = CCDC.LAN >>>> netbios name = CCDC-SAMBA4 >>>> server role = active directory domain controller >>>> idmap_ldb:use rfc2307 = yes >>>> dns forwarder = 9.0.138.50 >>>> auth methods = sam, winbind >>>> >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> root at ccdc-samba4:~# >>>> >>>> >>>> however from the windows machine when i try to update the >>>> group policies, I >>>> am now getting this errors: >>>> >>>> >>>> >>>> Microsoft Windows [Version 6.1.7601] >>>> Copyright (c) 2009 Microsoft Corporation. All rights reserved. >>>> >>>> C:\Users\Administrator.CCDC>gpupdate /force >>>> Updating Policy... >>>> >>>> User policy could not be updated successfully. The following >>>> errors were >>>> encount >>>> ered: >>>> >>>> The processing of Group Policy failed. Windows attempted to >>>> read the file >>>> \\ccdc >>>> .lan\sysvol\ccdc.lan\Policies >>>> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>> m a domain controller and was not successful. Group Policy >>>> settings may not >>>> be a >>>> pplied until this event is resolved. This issue may be >>>> transient and could >>>> be ca >>>> used by one or more of the following: >>>> a) Name Resolution/Network Connectivity to the current domain >>>> controller. >>>> b) File Replication Service Latency (a file created on another domain >>>> controller >>>> has not replicated to the current domain controller). >>>> c) The Distributed File System (DFS) client has been disabled. >>>> Computer policy could not be updated successfully. The >>> following errors >>>> were enc >>>> ountered: >>>> >>>> The processing of Group Policy failed. Windows attempted to >>>> read the file >>>> \\ccdc >>>> .lan\sysvol\ccdc.lan\Policies >>>> \{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini fro >>>> m a domain controller and was not successful. Group Policy >>>> settings may not >>>> be a >>>> pplied until this event is resolved. This issue may be >>>> transient and could >>>> be ca >>>> used by one or more of the following: >>>> a) Name Resolution/Network Connectivity to the current domain >>>> controller. >>>> b) File Replication Service Latency (a file created on another domain >>>> controller >>>> has not replicated to the current domain controller). >>>> c) The Distributed File System (DFS) client has been disabled. >>>> >>>> To diagnose the failure, review the event log or run GPRESULT /H >>>> GPReport.html f >>>> rom the command line to access information about Group >> Policy results. >>>> C:\Users\Administrator.CCDC> >>>> >>>> >>>> >>>> >>>> >>>> I'm still unable to login with normal users via RDP >>>> >>>> >>>> _______________________________________________________________ >>>> ____________________________ >>>> >>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>> FAX: +353 1 >>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>> IBM Ireland Product Distribution Limited registered in Ireland >>>> with number >>>> 92815. Registered Office: IBM House, Shelbourne Road, >>>> Ballsbridge, Dublin 4 >>>> >>>> (Embedded image moved to file: pic60454.gif) >>>> >>>> >>>> >>>> From: "L.P.H. van Belle" >> <belle at bazuin.nl> >>>> To: > "samba at lists.samba.org" >> <samba at lists.samba.org> >>>> Cc: Mario Pio > Russo/Ireland/IBM at IBMIE >>>> Date: 01/05/2015 13:55 >>>> Subject: RE: [Samba] After > the >> classicupgrade >> >from samba3 to >>>> sernet-samba-4.2.1 , users are not able to remote desktop >>>> anymore >>>> >>>> >>>> >>>> correct. >>>> >>>> bug still exists, just tested also on latest git master. >>>> see : https://bugzilla.samba.org/show_bug.cgi?id=11061 >>>> >>>> >>>> temp solution. >>>> >>>> try adding : >>>> auth methods = sam, winbind >>>> to smb.conf on the dc and restart the DC. >>>> >>>> >>>> Greetz, >>>> >>>> Louis >>>> >>>> >>>>> -----Oorspronkelijk bericht----- >>>>> Van: mariopiorusso at ie.ibm.com >>>>> [mailto:samba-bounces at lists.samba.org] Namens Mario Pio Russo >>>>> Verzonden: vrijdag 1 mei 2015 14:51 >>>>> Aan: samba at lists.samba.org >>>>> Onderwerp: [Samba] After the classicupgrade from samba3 to >>>>> sernet-samba-4.2.1 , users are not able to remote desktop anymore >>>>> >>>>> >>>>> Good Day All >>>>> >>>>> I have a current working configuration of sernet-samba-4.2.1, >>>>> created by >>>>> upgrading from a samba3 PDC using the classic upgrade. >>>>> >>>>> Now, I have added a windows 2008 machine to the domain and I'm >>>>> using the AD >>>>> snap in tools in order to browse the domain. >>>>> >>>>> I can see all the users and groups and they have been imported >>>>> correctly. >>>>> However I am able to remote desktop to the domain machines >>>>> only with the >>>>> user "Administrator at ccdc.lan"; no other user is able to RDP. >>>>> Furthermore I am able to add machines to the domain only form >>>> the users >>>>> Administrator, and not from any other user. I have been using >>>> the Group >>>>> Policy Manager from the window administrative tool in order >>>>> to grant logon >>>>> rights to all the users belonging to the Domain User group; >>>>> furthermore I >>>>> have added the users to the group Remote Desktop users, but >>>>> still I have no >>>>> success at all. at the moment the group policies looks like this: >>>>> >>>>> root at ccdc-samba4:/# samba-tool gpo listall >>>>> GPO : {31B2F340-016D-11D2-945F-00C04FB984F9} >>>>> display name : Default Domain Policy >>>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>> \{31B2F340-016D-11D2-945F-00C04FB984F9} >>>>> dn : CN>>>>> {31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>> =ccdc,DC=lan >>>>> version : 3 >>>>> flags : NONE >>>>> >>>>> GPO : {6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>> display name : Default Domain Controllers Policy >>>>> path : \\ccdc.lan\sysvol\ccdc.lan\Policies >>>>> \{6AC1786C-016F-11D2-945F-00C04FB984F9} >>>>> dn : CN>>>>> {6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC >>>>> =ccdc,DC=lan >>>>> version : 7 >>>>> flags : NONE >>>>> >>>>> >>>>> while from the GPM looks like this: >>>>> >>>>> (Embedded image moved to file: pic08924.gif) >>>>> >>>>> >>>>> >>>>> I have also run gpupdate /force from he windows machine and If I do >>>>> samba-tool gpo fetch <Domain Policy> I am able to see the >>>>> changes I have >>>>> done from the windows snap in >>>>> >>>>> >>>>> I am unsure now where the problem lies, are the GPO I have >>>>> modified being >>>>> applied correctly on samba 4 OR is the GPO itself that is not >>>>> configured >>>>> correctly in order to allow RDP (and add machine to domain)? >>>>> Or any other >>>>> issue? >>>>> >>>>> Note that all this was working correctly when I did the same >>>>> test upgrade >>>> >from samba 3 to samba 4.1.6 >>>>> also I am able to login to every machine in the domain using >>>>> my domain user >>>>> when logging in locally. >>>>> >>>>> Any idea / suggestion? >>>>> >>>>> >>>>> thanks! >>>>> >>>>> _______________________________________________________________ >>>>> ____________________________ >>>>> >>>>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & >>>>> FAX: +353 1 >>>>> 815 2236, eMail: mariopiorusso at ie.ibm.com >>>>> IBM Ireland Product Distribution Limited registered in Ireland >>>>> with number >>>>> 92815. Registered Office: IBM House, Shelbourne Road, >>>>> Ballsbridge, Dublin 4 >>>>> >>>>> (Embedded image moved to file: pic19418.gif)-- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>> >>>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >> >> > > >Mario, This guide may help you. http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/ -- -James
Maybe Matching Threads
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 tosernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore
- After the classicupgrade from samba3 to sernet-samba-4.2.1 , users are not able to remote desktop anymore ( bug11061 )