samba - Feb 2017 - Regular users can't log in to Samba AD DC from Windows

On 02/06/2017 16:36, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 16:16:28 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>>
>>
>> On 02/06/2017 15:43, Rowland Penny via samba wrote:
>>> On Mon, 6 Feb 2017 14:47:21 +0200
>>> Alnis Morics via samba <samba at lists.samba.org> wrote:
>>>
>>>> I see. But I don't necessarily need homedirs and hence PAM
>>>> configured just to log in from Windows and access a file share
>>>> from there, do I? Or even just to log in on Windows to the
domain.
>>>>
>>>> Alnis
>>>>
>>>
>>> If you only have windows users and they will never actually log
into
>>> the Samba AD DC, then you don't need user homedirs on the DC.
>>>
>>> Rowland
>>>
>>>
>>
>> That's my main problem for now: single sign-on doesn't work.
The
>> Windows machine is joined the domain. Domain Administrator can log in
>> with this Windows machine, and other users that I created with
>> samba-tool, can not. Can you suggest a way of how to trace what's
>> going on?
>>
>> Alnis
>>
>
> Not sure I understand what you are saying, do you want your users to
> connect to shares on the DC, or are you saying that your users cannot
> log into a windows PC joined to the domain ?
>
> Rowland
>
My (domain) users cannot log into a Windows PC joined to the domain.

I created those users with samba-tool. Only the domain Administrator can 
log into this Windows PC.

Alnis

On Mon, 6 Feb 2017 17:09:27 +0200
Alnis Morics via samba <samba at lists.samba.org> wrote:
> 
> On 02/06/2017 16:36, Rowland Penny via samba wrote:
> > On Mon, 6 Feb 2017 16:16:28 +0200
> > Alnis Morics via samba <samba at lists.samba.org> wrote:
> >
> >>
> >>
> >> On 02/06/2017 15:43, Rowland Penny via samba wrote:
> >>> On Mon, 6 Feb 2017 14:47:21 +0200
> >>> Alnis Morics via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> I see. But I don't necessarily need homedirs and hence
PAM
> >>>> configured just to log in from Windows and access a file
share
> >>>> from there, do I? Or even just to log in on Windows to the
> >>>> domain.
> >>>>
> >>>> Alnis
> >>>>
> >>>
> >>> If you only have windows users and they will never actually
log
> >>> into the Samba AD DC, then you don't need user homedirs on
the DC.
> >>>
> >>> Rowland
> >>>
> >>>
> >>
> >> That's my main problem for now: single sign-on doesn't
work. The
> >> Windows machine is joined the domain. Domain Administrator can log
> >> in with this Windows machine, and other users that I created with
> >> samba-tool, can not. Can you suggest a way of how to trace
what's
> >> going on?
> >>
> >> Alnis
> >>
> >
> > Not sure I understand what you are saying, do you want your users to
> > connect to shares on the DC, or are you saying that your users
> > cannot log into a windows PC joined to the domain ?
> >
> > Rowland
> >
> My (domain) users cannot log into a Windows PC joined to the domain.
> 
> I created those users with samba-tool. Only the domain Administrator
> can log into this Windows PC.
> 
> Alnis
> 
I seem to remember something about freebsd, what filesystem are you
using and what were your ./config optiond when you built Samba ?

Rowland

On 02/06/2017 18:07, Rowland Penny via samba wrote:
> On Mon, 6 Feb 2017 17:09:27 +0200
> Alnis Morics via samba <samba at lists.samba.org> wrote:
>
>>
>> On 02/06/2017 16:36, Rowland Penny via samba wrote:
>>> On Mon, 6 Feb 2017 16:16:28 +0200
>>> Alnis Morics via samba <samba at lists.samba.org> wrote:
>>>
>>>>
>>>>
>>>> On 02/06/2017 15:43, Rowland Penny via samba wrote:
>>>>> On Mon, 6 Feb 2017 14:47:21 +0200
>>>>> Alnis Morics via samba <samba at lists.samba.org>
wrote:
>>>>>
>>>>>> I see. But I don't necessarily need homedirs and
hence PAM
>>>>>> configured just to log in from Windows and access a
file share
>>>>>> from there, do I? Or even just to log in on Windows to
the
>>>>>> domain.
>>>>>>
>>>>>> Alnis
>>>>>>
>>>>>
>>>>> If you only have windows users and they will never actually
log
>>>>> into the Samba AD DC, then you don't need user homedirs
on the DC.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>> That's my main problem for now: single sign-on doesn't
work. The
>>>> Windows machine is joined the domain. Domain Administrator can
log
>>>> in with this Windows machine, and other users that I created
with
>>>> samba-tool, can not. Can you suggest a way of how to trace
what's
>>>> going on?
>>>>
>>>> Alnis
>>>>
>>>
>>> Not sure I understand what you are saying, do you want your users
to
>>> connect to shares on the DC, or are you saying that your users
>>> cannot log into a windows PC joined to the domain ?
>>>
>>> Rowland
>>>
>> My (domain) users cannot log into a Windows PC joined to the domain.
>>
>> I created those users with samba-tool. Only the domain Administrator
>> can log into this Windows PC.
>>
>> Alnis
>>
>
> I seem to remember something about freebsd, what filesystem are you
> using and what were your ./config optiond when you built Samba ?
>
> Rowland
>
My filesystem is UFS (v.2), I enabled ACLs with:
tunefs -a enable <filesystem-device>

and placed the "rw,acls" options into fstab, although the
"mount" showed
they are enabled even without that option in fstab.

Extended File Attributes are supported.

./configure options were "--without-systemd --man-dir=/usr/local/man"

Rowland, we were probably writing simultaneously, and you didn't notice 
I wrote that I finally managed to log in with that user1. Either 
passwords were messed up while I experimented with them (samba-tool user 
password/setpassword) or firewall was in the way, or both.

Thanks for helping,
Alnis