On 07/26/2016 1:26 PM, Rowland penny wrote:
> On 26/07/16 19:08, Jim Seymour wrote:
>> On Tue, 26 Jul 2016 12:37:51 -0500
>> Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
>>
>> [snip]
>>> Jim,
>>>
>>> This may be your problem: Samba 4.3.9
>>>
>>> Upgrading my NT4 domain from 4.2.x to 4.3.x and beyond broke it, and
>>> no combination of configuration parameters could put it back together
>>> again.
>>>
>>> I wish you better luck.
>> Yikes!
>>
>> Thanks for mentioning that, Dale. You may have just saved me a *lot*
>> of wasted time.
>>
>> Current stable is 4.4.5. I hate to get this server out of the
>> repository cycle, but... How far "forward" did you go?
>>
>> Maybe I'll get the last 4.2.x stable release, and 4.4.5, see if I can
>> get working what I want on 4.2.x, then see if I can jump to 4.4.5.
>>
>> Thanks,
>> Jim
>
> I cannot let this go by without commenting, when the badlock patches
> were released, they also introduced several regressions. All of these
> regressions (hopefully) have now been dealt with, so as long as you
> are running 4.2.12, 4.3.9 or 4.4.3 at least, you should be okay.
>
> Rowland

Sorry Rowland, but the break happened before the badlock patches when Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether. I have a Mint LMDE system at 4.2 that can still talk to the domain, so that's all good. Win7 systems can log in, so the ldap auth is still working, but cannot access shares. Because the domain was already not working, I never had the opportunity to see what effect the badlock patches might have had. And so it goes.

Jim, currently at Debian 4.4.5. If you search this list, you will find others who have had the same thing happen. To my knowledge, none have come back to say that their NT4 domain is working again post-4.2.x.

I will gladly try the smb.conf of someone who has a working Samba4 + ldap NT4 domain, if provided.

Dale
On Tue, 26 Jul 2016 13:40:59 -0500
Dale Schroeder <dale at BriannasSaladDressing.com> wrote:

[snip]
>
> Sorry Rowland, but the break happened before the badlock patches when
> Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
[snip]
>
> Jim, currently at Debian 4.4.5. If you search this list, you will
> find others who have had the same thing happen. To my knowledge,
> none have come back to say that their NT4 domain is working again
> post-4.2.x.
[snip]

What was the nature/symptoms of the failure(s), Dale?

What I'm seeing is that network authentication works, but login takes an inordinate amount of time: About 40 seconds until I see "Preparing your desktop" and another 20 seconds until "You have been logged on with a temporary profile."

It doesn't appear to be a network auth problem. If I put in an invalid username or password, I get "The user name or password is incorrect" *instantly*.

It's not permissions. Once logged-in, I can access the Profiles share, the user's network home directory, and anything else to which the user should have access. And I can write to those places to which I should be able.

At least I don't *think* it's permissions. In perusing the logs, with debug turned up, I see things like

    smbd_check_access_rights: file username.V2 requesting 0x20080
      returning 0x20000 (NT_STATUS_OK)
    smbd_check_access_rights: file username3.V2 requesting 0x80
      returning 0x0 (NT_STATUS_OK)

which makes me wonder if the code's not broken. (The thing's lying. The user's id is "Domain User", the directory is group "Domain User" and the permissions were "rwxrwxrwt".)

What I find more than a little disquieting is that nobody seems able to actually *troubleshoot* issues like this. Somebody ought to be able to look at logfiles and say "Oh, well, *this* is what you're doing wrong" or "Ah! The code's broken because of <this>", or whatever.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering.
If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
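
Added example, not part of the original message and not Samba's own code: a small Python decoder for the smbd_check_access_rights debug lines quoted in the message above. It names the standard NT access-mask bits in the "requesting" and "returning" values and lists the bits present only in the request; it assumes nothing about what smbd means by "returning", and the function names are this example's own.

```python
import re

# Standard NT file access-mask bits (values as defined in winnt.h / MS-SMB2).
ACCESS_BITS = {
    0x000001: "FILE_READ_DATA",
    0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA",
    0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA",
    0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD",
    0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN = sum(ACCESS_BITS)  # every bit this table can name

# \s+ between fields tolerates the line wrapping seen in the mail.
LINE_RE = re.compile(
    r"smbd_check_access_rights: file (?P<file>\S+) requesting "
    r"(?P<req>0x[0-9a-fA-F]+)\s+returning (?P<ret>0x[0-9a-fA-F]+)\s+"
    r"\((?P<status>NT_STATUS_\w+)\)")

def decode_mask(mask):
    """Return the names of the bits set in mask, lowest bit first."""
    names = [n for bit, n in sorted(ACCESS_BITS.items()) if mask & bit]
    if mask & ~KNOWN:
        names.append("UNKNOWN_%#x" % (mask & ~KNOWN))
    return names

def parse_access_checks(log_text):
    """Decode every smbd_check_access_rights line found in log_text."""
    out = []
    for m in LINE_RE.finditer(log_text):
        req, ret = int(m["req"], 16), int(m["ret"], 16)
        out.append({"file": m["file"], "status": m["status"],
                    "requested": decode_mask(req),
                    "returned": decode_mask(ret),
                    "requested_not_returned": decode_mask(req & ~ret)})
    return out

# The two log lines quoted in the message above, wrapping preserved.
SAMPLE = """\
smbd_check_access_rights: file username.V2 requesting 0x20080
  returning 0x20000 (NT_STATUS_OK)
smbd_check_access_rights: file username3.V2 requesting 0x80
  returning 0x0 (NT_STATUS_OK)
"""

if __name__ == "__main__":
    for row in parse_access_checks(SAMPLE):
        print(row)
```

For both quoted lines the only bit that is requested but not returned is FILE_READ_ATTRIBUTES (0x80).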
lingpanda101 at gmail.com
2016-Jul-27 16:42 UTC
[Samba] NT4-Style Auth & Roaming Profiles Only?
On 7/27/2016 12:18 PM, Jim Seymour wrote:
> On Tue, 26 Jul 2016 13:40:59 -0500
> Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
>
> [snip]
>> Sorry Rowland, but the break happened before the badlock patches when
>> Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
> [snip]
>> Jim, currently at Debian 4.4.5. If you search this list, you will
>> find others who have had the same thing happen. To my knowledge,
>> none have come back to say that their NT4 domain is working again
>> post-4.2.x.
> [snip]
>
> What was the nature/symptoms of the failure(s), Dale?
>
> What I'm seeing is that network authentication works, but login takes
> an inordinate amount of time: About 40 seconds until I see "Preparing
> your desktop" and another 20 seconds until "You have been logged on
> with a temporary profile."
>
> It doesn't appear to be a network auth problem. If I put in an invalid
> username or password, I get "The user name or password is incorrect"
> *instantly*.
>
> It's not permissions. Once logged-in, I can access the Profiles share,
> the user's network home directory, and anything else to which the user
> should have access. And I can write to those places to which I should
> be able.
>
> At least I don't *think* it's permissions. In perusing the logs, with
> debug turned up, I see things like
>
>     smbd_check_access_rights: file username.V2 requesting 0x20080
>       returning 0x20000 (NT_STATUS_OK)
>     smbd_check_access_rights: file username3.V2 requesting 0x80
>       returning 0x0 (NT_STATUS_OK)
>
> which makes me wonder if the code's not broken. (The thing's lying.
> The user's id is "Domain User", the directory is group "Domain User"
> and the permissions were "rwxrwxrwt".)
>
> What I find more than a little disquieting is that nobody seems able to
> actually *troubleshoot* issues like this. Somebody ought to be able to
> look at logfiles and say "Oh, well, *this* is what you're doing
> wrong" or "Ah! The code's broken because of <this>", or whatever.
>
> Regards,
> Jim

Are you by chance using client specific logging on Samba?

https://wiki.samba.org/index.php/Client_specific_logging

Do the Windows logs display anything relevant?

--
-James
On 07/27/2016 11:18 AM, Jim Seymour wrote:
> On Tue, 26 Jul 2016 13:40:59 -0500
> Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
>
> [snip]
>> Sorry Rowland, but the break happened before the badlock patches when
>> Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
> [snip]
>> Jim, currently at Debian 4.4.5. If you search this list, you will
>> find others who have had the same thing happen. To my knowledge,
>> none have come back to say that their NT4 domain is working again
>> post-4.2.x.
> [snip]
>
> What was the nature/symptoms of the failure(s), Dale?

Jim,

My domain errors were different than yours. That's why I used the phrase "may be your problem" in my initial response. I was not dealing with profiles, just ordinary share access attempts returning "NT_STATUS_NO_LOGON_SERVERS". Win7 users can access shares on a Mint member system with 4.2.x post-badlock. Systems with any version above 4.2 failed, pre- and post-. So, it seemed to me that if basic domain shares in an NT4 domain >= 4.3.0 failed, then other domain features (e.g. roaming profiles) could be broken, too. I think you get my reasoning.

To avoid hijacking your thread, if you wish, you can view the details of my very short thread at:

https://lists.samba.org/archive/samba/2016-March/198582.html

It has the relevant log snippets, etc. (Note that this time period is before the badlock patches were issued.)

I did read the Release Notes and applied the parameter changes for NT4 members and controllers listed in the 4.2.0 notes (https://www.samba.org/samba/history/samba-4.2.0.html).

Like I mentioned previously, no one has yet supplied a working smb.conf for a Samba >= 4.3.0 NT4 + LDAP domain. I'm not currently aware that it's possible.

As before, I wish you better luck than I've had.

Dale

>
> What I'm seeing is that network authentication works, but login takes
> an inordinate amount of time: About 40 seconds until I see "Preparing
> your desktop" and another 20 seconds until "You have been logged on
> with a temporary profile."
>
> It doesn't appear to be a network auth problem. If I put in an invalid
> username or password, I get "The user name or password is incorrect"
> *instantly*.
>
> It's not permissions. Once logged-in, I can access the Profiles share,
> the user's network home directory, and anything else to which the user
> should have access. And I can write to those places to which I should
> be able.
>
> At least I don't *think* it's permissions. In perusing the logs, with
> debug turned up, I see things like
>
>     smbd_check_access_rights: file username.V2 requesting 0x20080
>       returning 0x20000 (NT_STATUS_OK)
>     smbd_check_access_rights: file username3.V2 requesting 0x80
>       returning 0x0 (NT_STATUS_OK)
>
> which makes me wonder if the code's not broken. (The thing's lying.
> The user's id is "Domain User", the directory is group "Domain User"
> and the permissions were "rwxrwxrwt".)
>
> What I find more than a little disquieting is that nobody seems able to
> actually *troubleshoot* issues like this. Somebody ought to be able to
> look at logfiles and say "Oh, well, *this* is what you're doing
> wrong" or "Ah! The code's broken because of <this>", or whatever.
>
> Regards,
> Jim