Andrey Repin
2015-Nov-22 09:14 UTC
[Samba] Samba4 DC is not visible in network neighborhood
Greetings, Rowland Penny!

>>>> Is there at last a solution? I've only found questions, in the list, and on
>>>> the network.
>>>>
>>>> The issue is that DC built on Samba4 does not report to network browsers
>>>> neither it is participating in election to become browser itself.
>>>> Consequently, it is not visible in the neighborhood neither on Windows, nor on
>>>> Linux.
>>>>
>>>> I've managed to force a second Linux host (member server) become a local
>>>> browser. At least, I can see it and other hosts now. But not the DC itself.
>>>>
>>>>
>>> Hi Andrey,
>>> In that case you did exactly what you were supposed to do. :)
>>> Browsing is turned off for the DC by design, and this will not change.
>>> Use member servers to implement browsing.
>> And how am I supposed to address the DC then?
>> For all my attempts, I've had to conclude that member servers can't be
>> configured to manage shares with native ACL's. No matter what I do, I always
>> get "access denied" on a member server when trying to setup share permissions
>> on a member server using Windows tools.
>> So far, the only solution was to move ACL-sensitive services to the DC.
>> But this is really not a solution. Only a workaround.
>>
>>> What do you mean 'native ACLs' ?

Err, okay, "windows ACL's", not "native (POSIX)". Was writing in a less-than-sane state of mind.

> you should be able to manage access to a share on a domain member from a
> windows machine,

Should be, that much I've gathered from wiki. But it is already nine months that I'm unable to implement it.

> see this page on the wiki:
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

> If you follow the various pages on the wiki, you should be able to make it
> work, if you cannot, you are doing something wrong.

So, what am I doing wrong? I've followed the wiki multiple times to the point.
If you have any diagnostics in mind, please suggest, because this is tiring.

The smb.conf is attached, the member server does see the users correctly.

# wbinfo -i domainuser
domainuser:*:10000:513::/home/domainuser:/bin/bash

# getent passwd domainuser
domainuser:*:10000:513::/home/domainuser:/bin/bash

--
With best regards,
Andrey Repin
Sunday, November 22, 2015 12:01:09

Sorry for my terrible English...

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: smb.conf.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20151122/e2c54367/smb.conf.txt>

Rowland Penny
2015-Nov-22 09:47 UTC
[Samba] Samba4 DC is not visible in network neighborhood
On 22/11/15 09:14, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>> Is there at last a solution? I've only found questions, in the list, and on
>>>>> the network.
>>>>>
>>>>> The issue is that DC built on Samba4 does not report to network browsers
>>>>> neither it is participating in election to become browser itself.
>>>>> Consequently, it is not visible in the neighborhood neither on Windows, nor on
>>>>> Linux.
>>>>>
>>>>> I've managed to force a second Linux host (member server) become a local
>>>>> browser. At least, I can see it and other hosts now. But not the DC itself.
>>>>>
>>>>>
>>>> Hi Andrey,
>>>> In that case you did exactly what you were supposed to do. :)
>>>> Browsing is turned off for the DC by design, and this will not change.
>>>> Use member servers to implement browsing.
>>> And how am I supposed to address the DC then?
>>> For all my attempts, I've had to conclude that member servers can't be
>>> configured to manage shares with native ACL's. No matter what I do, I always
>>> get "access denied" on a member server when trying to setup share permissions
>>> on a member server using Windows tools.
>>> So far, the only solution was to move ACL-sensitive services to the DC.
>>> But this is really not a solution. Only a workaround.
>>>
>>>
>> What do you mean 'native ACLs' ?
> Err, okay, "windows ACL's", not "native (POSIX)". Was writing in a
> less-than-sane state of mind.
>
>> you should be able to manage access to a share on a domain member from a
>> windows machine,
> Should be, that much I've gathered from wiki. But it is already nine months
> that I'm unable to implement it.
>
>> see this page on the wiki:
>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>> If you follow the various pages on the wiki, you should be able to make it
>> work, if you cannot, you are doing something wrong.
> So, what am I doing wrong? I've followed the wiki multiple times to the point.
> If you have any diagnostics in mind, please suggest, because this is tiring.
>
> The smb.conf is attached, the member server does see the users correctly.
>
> # wbinfo -i domainuser
> domainuser:*:10000:513::/home/domainuser:/bin/bash
>
> # getent passwd domainuser
> domainuser:*:10000:513::/home/domainuser:/bin/bash
>
>

Firstly I would remove these lines:

idmap config * : schema_mode = rfc2307
dns forwarder = 192.168.35.4 (AD DC)
idmap_ldb:use rfc2307 = yes

The first one isn't needed and the other two should only be on a DC.

You do not have a 'username map' line, does 'Domain Admins' have a gidNumber and have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?

Rowland

Andrey Repin
2015-Nov-22 11:13 UTC
[Samba] Samba4 DC is not visible in network neighborhood
Greetings, Rowland Penny!

>> Err, okay, "windows ACL's", not "native (POSIX)". Was writing in a
>> less-than-sane state of mind.
>>
>>> you should be able to manage access to a share on a domain member from a
>>> windows machine,
>> Should be, that much I've gathered from wiki. But it is already nine months
>> that I'm unable to implement it.
>>
>>> see this page on the wiki:
>>> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>>> If you follow the various pages on the wiki, you should be able to make it
>>> work, if you cannot, you are doing something wrong.
>> So, what am I doing wrong? I've followed the wiki multiple times to the point.
>> If you have any diagnostics in mind, please suggest, because this is tiring.
>>
>> The smb.conf is attached, the member server does see the users correctly.
>>
>> # wbinfo -i domainuser
>> domainuser:*:10000:513::/home/domainuser:/bin/bash
>>
>> # getent passwd domainuser
>> domainuser:*:10000:513::/home/domainuser:/bin/bash
>>
>>> Firstly I would remove these lines:

> idmap config * : schema_mode = rfc2307
> dns forwarder = 192.168.35.4 (AD DC)
> idmap_ldb:use rfc2307 = yes

> The first one isn't needed and the other two should only be on a DC

> You do not have a 'username map' line, does 'Domain Admins' have a
> gidNumber and have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?

(member server)$ id
uid=1000(anrdaemon) gid=513(domain users) groups=513(domain users),33(www-data),114(lpadmin),512(domain admins)

$ wbinfo --group-info 'TD-ART\Domain Admins'
domain admins:x:512:anrdaemon,administrator

# getent group "Domain Admins"
domain admins:x:512:anrdaemon,administrator

$ net rpc group
Enter anrdaemon's password:
Administrators
Users

$ net rpc rights list accounts
Enter anrdaemon's password:
BUILTIN\Print Operators
No privileges assigned

TD-ART\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

> Rowland

--
With best regards,
Andrey Repin
Sunday, November 22, 2015 14:02:02

Sorry for my terrible English...

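The checks asked for in the replies above (the three smb.conf lines to remove, the missing 'username map', and which accounts hold SeDiskOperatorPrivilege), written out as an added Python example that is not part of the original thread. The sample smb.conf and rights listing are constructed, and the function names and the blank-line separated layout of the listing are assumptions.

```python
import re
# Constructed sample of a member server's smb.conf (the attachment is not on the page).
SAMPLE_CONF = """\
[global]
    idmap config * : schema_mode = rfc2307
    dns forwarder = 192.168.35.4
    idmap_ldb:use rfc2307 = yes
"""

# Constructed, shortened `net rpc rights list accounts` output. Assumption: one
# blank-line separated block per account, account name on the first line.
SAMPLE_RIGHTS = """\
TD-ART\\Domain Admins
SeDiskOperatorPrivilege

BUILTIN\\Administrators
SeTakeOwnershipPrivilege
SeDiskOperatorPrivilege
"""

def _key(name):
    return re.sub(r"\s+", "", name).lower()  # ignore case and whitespace

# Parameters the reply singles out, with its verdict on each.
FLAGGED = {_key("dns forwarder"): "DC-only",
           _key("idmap_ldb:use rfc2307"): "DC-only",
           _key("idmap config * : schema_mode"): "not needed"}

def audit_member_conf(text):
    """Return findings for the [global] section of a member server's smb.conf."""
    findings, section, seen = [], "", set()
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name = line.split("=", 1)[0].strip()
            seen.add(_key(name))
            if _key(name) in FLAGGED:
                findings.append(f"{FLAGGED[_key(name)]}: {name}")
    if _key("username map") not in seen:
        findings.append("missing: username map")
    return findings

def holders_of(output, right):
    """Accounts whose block in the rights listing contains `right`."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", output.strip())]
    return [b[0].strip() for b in blocks if right in (l.strip() for l in b[1:])]
```
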