L.P.H. van Belle
2016-Apr-08 07:25 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
This is correct

>> that gpupdate tries to copy somethings from \\cch.intra\sysvol and not from \\dc1\sysvol...

>> There is no server with name cch.intra, this is just the Realm...

No not REALM, but DNSdomain but with the same name as the REALM.

You “should” be able to “ping cch.intra” or browse to \\cch.intra
if not, then you're missing dns records.

If you have only windows users accessing sysvol
Change your sysvol to

> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> acl_xattr:ignore system acls = yes

Which helps, because you can set better windows ACLs.

But most important, it helps if you post your smb.conf here.

And before deleting your domain, if you do the same, you end up with the same problem.

The “old PC” i guess windows 7?
The New PC, i guess windows 10?
Static ip or DHCP ip?

So more info will help.
Smb.conf also maybe?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Luca Bertoncello
> Sent: Friday 8 April 2016 9:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba as AD-Controller: unable to update policies
> and call start scripts
>
> Quoting Rowland penny <rpenny at samba.org>:
>
> >> Maybe is it possible that my tries with Samba as AD (this is my first
> >> installation of Samba 4 as AD controller) damages the AD-data?
> >
> > Well if it works for one PC and not another, it is probably a
> > problem with the second PC.
>
> Now I cannot update GPO on the first PC, too...
>
> The very strange thing is, that gpupdate tries to copy somethings from
> \\cch.intra\sysvol and not from \\dc1\sysvol...
> There is no server with name cch.intra, this is just the Realm...
>
> Another strange thing is, that I see a server with name CCH-SRV, that I
> don't have in my network...
>
> >> How can I drop all and restart without reinstalling the Server?
> >
> > You could try restarting Samba on the DC as a first step. If that
> > doesn't work, you will need to backup the required files, Samba comes
>
> Already done, didn't help...
>
> > with a script to do this 'samba-backup' though you may have to alter
> > the paths in it.
>
> I don't have this script...
>
> > You could then re-install Samba and re-install your backup.
>
> Well, there are not yet many users in the domain, so that I have no
> problem to completely delete the domain and recreate all...
> How can I do that?
>
> Thanks
> Luca Bertoncello
> (lucabert at lucabert.de)
Luca Bertoncello
2016-Apr-08 07:33 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
Quoting "L.P.H. van Belle" <belle at bazuin.nl>:

> This is correct
>
>>> that gpupdate tries to copy somethings from \\cch.intra\sysvol and
>>> not from \\dc1\sysvol...
>
>>> There is no server with name cch.intra, this is just the Realm...
>
> No not REALM, but DNSdomain but with the same name as the REALM.

OK, I'm not expert in Samba as AD...

> You “should” be able to “ping cch.intra” or browse to \\cch.intra

ping yes, browse not. Or better, I can see the shares, but not access them!

> if not, then you're missing dns records.

I'm not sure I understood your sentence, sorry...

> If you have only windows users accessing sysvol
>
> Change your sysvol to
>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>> acl_xattr:ignore system acls = yes
>
> Which helps, because you can set better windows ACLs.

It doesn't...

From Windows I tried:

dir \\dc1\sysvol

and I got data, but

dir \\cch.intra\sysvol

returns:

Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.

PCs are in German...
Translated is the error: unable to login, unknown username or wrong password.

> But most important, it helps if you post your smb.conf here.

# Global parameters
[global]
        workgroup = CCH
        server string = Domain controller
        realm = CCH.INTRA
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 192.168.50.1
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        idmap_ldb:use rfc2307 = yes

        # So that users can also log in on Linux
        template shell = /bin/bash
        # Homedir in /home
        template homedir = /home/%ACCOUNTNAME%

        domain logons = yes
        logon script = logon.cmd

[netlogon]
        path = /var/lib/samba/sysvol/cch.intra/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

> And before deleting your domain, if you do the same, you end up with
> the same problem.
>
> The “old PC” i guess windows 7?
> The New PC, i guess windows 10?

All PCs use Windows 7.

> Static ip or DHCP ip?

All PCs with DHCP.

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
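Added example, not part of the list messages and not Samba project code: a small Python check of the share layout in the smb.conf posted above. It assumes the DNS domain is the lower-cased realm (as stated in the thread) and that [netlogon] sits at <sysvol path>/<DNS domain>/scripts, the layout the posted config itself uses; the function names are hypothetical and section names are matched in lower case only.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample: the share-related lines of the smb.conf posted above.
POSTED_CONF = """
[global]
workgroup = CCH
realm = CCH.INTRA
idmap_ldb:use rfc2307 = yes
template homedir = /home/%ACCOUNTNAME%

[netlogon]
path = /var/lib/samba/sysvol/cch.intra/scripts

[sysvol]
path = /var/lib/samba/sysvol
acl_xattr:ignore system acls = yes
"""

def parse_smb_conf(text):
    # smb.conf keys may contain ':' and values may contain '%', so only '='
    # is a delimiter and interpolation is switched off.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def check_dc_shares(text):
    """Return a list of findings; an empty list means the layout is consistent."""
    cp = parse_smb_conf(text)
    dns_domain = cp.get("global", "realm", fallback="").lower()
    if not dns_domain:
        return ["no realm set in [global]"]
    missing = [f"[{s}] has no path" for s in ("sysvol", "netlogon")
               if not cp.has_option(s, "path")]
    if missing:
        return missing
    sysvol = PurePosixPath(cp.get("sysvol", "path"))
    expected = sysvol / dns_domain / "scripts"  # assumed layout, see lead-in
    netlogon = PurePosixPath(cp.get("netlogon", "path"))
    if netlogon != expected:
        return [f"[netlogon] path is {netlogon}, expected {expected}"]
    return []

if __name__ == "__main__":
    print(check_dc_shares(POSTED_CONF) or "layout consistent")
```

Swapping in the /usr/local/samba/var/locks/sysvol path from the suggested snippet makes the check report a mismatch against the posted [netlogon] path.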
L.P.H. van Belle
2016-Apr-08 08:00 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.

And you did login in the domain with a domain user?
Looks like you did not.

So try this from the pc which gives the problem.

net use x: \\cch.intra\sysvol /user:CCH\username

Did it work?

Ow and one i forgot..
Did you check the time on the pc and server, these must be in sync.

Greetz,

Louis
Sébastien Le Ray
2016-Apr-08 08:01 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
On 08/04/2016 09:25, L.P.H. van Belle wrote:

> If you have only windows users accessing sysvol
>
> Change your sysvol to
>> acl_xattr:ignore system acls = yes

Shouldn't this be the default?

I mean sysvol is a Windows administrative share, chances that a user
wants to sync unix permissions on it seem very low to me (in fact, the
CIFS + NFS use case which legitimates Unix ACL syncing seems far less
common than the Windows only access in a general way)
Luca Bertoncello
2016-Apr-08 08:14 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
Quoting "L.P.H. van Belle" <belle at bazuin.nl>:

> Anmeldung fehlgeschlagen: unbekannter Benutzername oder falsches Kennwort.
>
> And you did login in the domain with a domain user?
> Looks like you did not.

Of course I did it! And I can see other shares...

> So try this from the pc which gives the problem.
>
> net use x: \\cch.intra\sysvol /user:CCH\username
>
> Did it work?

No, it does NOT. It always says "bad password"

If I try with:

net use x: \\dc1\sysvol /user:CCH\username

it works (and doesn't ask for a password)

> Ow and one i forgot..
> Did you check the time on the pc and server, these must be in sync.

Yes, they are.

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
L.P.H. van Belle
2016-Apr-08 08:26 UTC
[Samba] Samba as AD-Controller: unable to update policies and call start scripts
Yes, i do think that also but that's up to the user, not samba.

It all depends on how you run your network and since i don't have any linux clients connecting to sysvol i can set it this way.
And for these i use other shares, or use nfs.

I do the same for the profiles share, since only windows is using the profiles.

Greetz,

Louis