As Gaiseric requested, here is the testparm -v diff of a working and nonworking member server in the NT4 domain. I've tried to align the columns, but it's possible your mail client may mangle them.

The only parameter change I have tried is changing 'ntlm auth' to Yes on the nonworking system. It did not fix anything.

Thanks for looking.

Dale

*# Samba 4.2.14 (working)*         | *# Samba 4.6.5 (not working)*
                                   > aio max threads = 100
                                   > auto services
client ipc signing = default       | client ipc signing = if_required
client signing = default           | client signing = if_required
debug timestamp = Yes              <
disable spoolss = Yes              | disable spoolss = No
ldap page size = 1024              | ldap page size = 1000
load printers = No                 | load printers = Yes
                                   > logging
lpq command = lpq -P'%p'           | lpq command = %p
lprm command = lprm -P'%p' %j      | lprm command
                                   > lsa over netlogon = No
                                   > msdfs shuffle referrals = No
ntlm auth = Yes                    | ntlm auth = No
only user = No                     <
                                   > password hash gpg key ids
preload =                          <
print command = lpr -r -P'%p' %s   | print command
print ok = No                      <
printcap name = /dev/null          | printcap name = cups
printing = bsd                     | printing = cups
                                   > rpc server port = 0
                                   > server multi channel support = No
server signing = default           | server signing = if_required
smb2 leases = No                   | smb2 leases = Yes
                                   > smbd profiling level = off
                                   > spotlight = No
syslog = 0                         | syslog = 1
                                   > timestamp logs = Yes
use ntdb = No                      <
username =                         <

On 07/28/2017 3:43 PM, Dale Schroeder via samba wrote:
> Thank you, Gaiseric, for this invaluable input.
>
> Preliminary results: (1) smbclient to any nonworking system gives the
> same 'no logon server' error as before, while using to a working
> member or the PDC give the expected output. (2) net rpc testjoin from
> a working member returns an OK, while from a nonworking member returns
> nothing.
>
> When I get in front of the domain, I will run diffs on the output of
> testparm from working and nonworking systems, then report the results.
>
> Thanks again.
>
> Dale
>
>
> On 07/28/2017 2:38 PM, Gaiseric Vandal via samba wrote:
>>
>> my member file server sanitized samba config (samba 4.4.14). I
>> have the idmapping entries to force consistency between machines.
>>
>>
>> Can you try "smbclient -L \\someserver" from various samba machines?
>> That may shake out if there is some version incompatibility.
>>
>> Can you try "net rpc testjoin" on a member server?
>>
>> Can you run "testparm -v" on a problem server and compare to a good
>> server? Defaults may have changed.
>>
>> ----------------------------------------------------------
>>
>>
>> #======================= Global Settings ====================================
>> [global]
>>
>> # 5/28/17 - disable nt pipe support
>> nt pipe support = no
>>
>> syslog = 3
>>
>> # 10/8/16 for badlock idr
>> client signing = auto
>> client ipc signing = auto
>> #
>>
>> workgroup = MYDOMAIN
>>
>> # server string is the equivalent of the NT Description field
>>
>> server string = FileServer1
>>
>> # set the netbios name in case change unix host name
>> netbios name = FILESERVER1
>>
>> # Security mode. Defines in which mode Samba will operate. Possible
>> # values are share, user, server, domain and ads. Most people will want
>> # user level security. See the Samba-HOWTO-Collection for details.
>> security = domain
>>
>> #IDMAPPING
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 5000-6000
>>
>>
>> idmap config MYDOMAIN : backend = nss
>> idmap config MYDOMAIN : range = 100-2000
>>
>>
>> # winbind use default domain = yes
>> # winbind trusted domains only = yes
>> log level = 5
>>
>>
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> #winbind rpc only = yes
>>
>>
>> # This option is important for security. It allows you to restrict
>> # connections to machines which are on your local network. The
>> # following example restricts access to two C class networks and
>> # the "loopback" interface. For more examples of the syntax see
>> # the smb.conf man page
>> ; hosts allow = 192.168.1. 192.168.2. 127.
>>
>> # If you want to automatically load your printer list rather
>> # than setting them up individually then you'll need this
>> load printers = yes
>>
>> # you may wish to override the location of the printcap file
>> ; printcap name = /etc/printcap
>>
>> # on SystemV system setting printcap name to lpstat should allow
>> # you to automatically obtain a printer list from the SystemV spool
>> # system
>> ; printcap name = lpstat
>>
>> # It should not be necessary to specify the print system type unless
>> # it is non-standard. Currently supported print systems include:
>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
>> ; printing = cups
>>
>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
>> # otherwise the user "nobody" is used
>> ; guest account = pcguest
>>
>> # this tells Samba to use a separate log file for each machine
>> # that connects
>> log file = /var/samba/log/log.%m
>>
>> # Put a capping on the size of the log files (in Kb).
>> max log size = 50
>>
>> # Use password server option only with security = server
>> # The argument list may include:
>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
>> # or to auto-locate the domain controller/s
>> # password server = *
>> ; password server = <NT-Server-Name>
>>
>> # Use the realm option only with security = ads
>> # Specifies the Active Directory realm the host is part of
>> ; realm = MY_REALM
>>
>> # Backend to store user information in. New installations should
>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
>> # compatibility. tdbsam requires no further configuration.
>> #passdb backend = smbpasswd
>> passdb backend = tdbsam
>>
>> # Using the following line enables you to customise your configuration
>> # on a per machine basis. The %m gets replaced with the netbios name
>> # of the machine that is connecting.
>> # Note: Consider carefully the location in the configuration file of
>> # this line. The included file is read at that point.
>> ; include = /usr/sfw/lib/smb.conf.%m
>>
>> # Configure Samba to use multiple interfaces
>> # If you have multiple network interfaces then you must list them
>> # here. See the man page for details.
>> ; interfaces = 192.168.12.2/24 192.168.13.2/24
>>
>> # Browser Control Options:
>> # set local master to no if you don't want Samba to become a master
>> # browser on your network. Otherwise the normal election rules apply
>> ; local master = no
>>
>> # OS Level determines the precedence of this server in master browser
>> # elections. The default value should be reasonable
>> ; os level = 33
>>
>> # Domain Master specifies Samba to be the Domain Master Browser. This
>> # allows Samba to collate browse lists between subnets. Don't use this
>> # if you already have a Windows NT domain controller doing this job
>> ; domain master = yes
>>
>> # Preferred Master causes Samba to force a local browser election on startup
>> # and gives it a slightly higher chance of winning the election
>> ; preferred master = yes
>>
>> # Enable this if you want Samba to be a domain logon server for
>> # Windows95 workstations.
>> ; domain logons = yes
>>
>> # if you enable domain logons then you may want a per-machine or
>> # per user logon script
>> # run a specific logon batch file per workstation (machine)
>> ; logon script = %m.bat
>> # run a specific logon batch file per username
>> ; logon script = %U.bat
>>
>> # Where to store roving profiles (only for Win95 and WinNT)
>> # %L substitutes for this servers netbios name, %U is username
>> # You must uncomment the [Profiles] share below
>> ; logon path = \\%L\Profiles\%U
>>
>> # Windows Internet Name Serving Support Section:
>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
>> ; wins support = yes
>>
>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
>> ; wins server = w.x.y.z
>> wins server = 192.168.x.x
>>
>> # WINS Proxy - Tells Samba to answer name resolution queries on
>> # behalf of a non WINS capable client, for this to work there must be
>> # at least one WINS Server on the network. The default is NO.
>> ; wins proxy = yes
>>
>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
>> # via DNS nslookups. The default is NO.
>> dns proxy = no
>>
>>
>> #============================ Share Definitions =============================
>>
>> ...
>>
>> [archived_projects]
>> path = /ArchiveProjectsPool1
>> #valid users = @engr, ssc
>> read only = No
>> hide special files = Yes
>> map archive = No
>> guest ok = yes
>>
>>
>> [dept]
>> msdfs root = yes
>> path = /DataPool1/Dept
>> # valid users = @group1,someuser
>> read only = No
>> hide special files = Yes
>> map archive = No
>> inherit permissions = Yes
>> inherit acls = Yes
>> vfs objects = zfsacl
>> nfs4:acedup = merge
>> nfs4:chown = yes
>> nfs4: mode = special
>> mapread only = no
>> ea support = yes
>> store dos attributes = yes
>> create mask = 0770
>> force create mode = 0600
>> directory mask = 0775
>> force directory mode = 0600
>> zfsacl: acesort = dontcare
>> ,...
>> # Un-comment the following and create the netlogon directory for Domain Logons
>> ; [netlogon]
>> ; comment = Network Logon Service
>> ; path = /usr/local/sambanetlogon
>> ; guest ok = yes
>> ; writable = no
>> ; share modes = no
>>
>>
>> # Un-comment the following to provide a specific roving profile share
>> # the default is to use the user's home directory
>> ;[Profiles]
>> ; path = /usr/local/samba/profiles
>> ; browseable = no
>> ; guest ok = yes
>>
>>
>> # NOTE: If you have a BSD-style print system there is no need to
>> # specifically define each individual printer
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> browseable = no
>> # Set public = yes to allow user 'guest account' to print
>> guest ok = no
>> writable = no
>> printable = yes
>>
>> # This one is useful for people to share files
>> ;[tmp]
>> ; comment = Temporary file space
>> ; path = /tmp
>> ; read only = no
>> ; public = yes
>>
>> # A publicly accessible directory, but read only, except for people in
>> # the "staff" group
>> ;[public]
>> ; comment = Public Stuff
>> ; path = /home/samba
>> ; public = yes
>> ; writable = no
>> ; printable = no
>> ; write list = @staff
>>
>> # Other examples.
>> #
>> # A private printer, usable only by fred. Spool data will be placed in fred's
>> # home directory. Note that fred must have write access to the spool directory,
>> # wherever it is.
>> ;[fredsprn]
>> ; comment = Fred's Printer
>> ; valid users = fred
>> ; path = /homes/fred
>> ; printer = freds_printer
>> ; public = no
>> ; writable = no
>> ; printable = yes
>>
>> # A private directory, usable only by fred. Note that fred requires write
>> # access to the directory.
>> ;[fredsdir]
>> ; comment = Fred's Service
>> ; path = /usr/somewhere/private
>> ; valid users = fred
>> ; public = no
>> ; writable = yes
>> ; printable = no
>>
>> # a service which has a different directory for each machine that connects
>> # this allows you to tailor configurations to incoming machines. You could
>> # also use the %U option to tailor it by user name.
>> # The %m gets replaced with the machine name that is connecting.
>> ;[pchome]
>> ; comment = PC Directories
>> ; path = /usr/pc/%m
>> ; public = no
>> ; writable = yes
>>
>> # A publicly accessible directory, read/write to all users. Note that all files
>> # created in the directory by users will be owned by the default user, so
>> # any user with access can delete any other user's files. Obviously this
>> # directory must be writable by the default user. Another user could of course
>> # be specified, in which case all files would be owned by that user instead.
>> ;[public]
>> ; path = /usr/somewhere/else/public
>> ; public = yes
>> ; only guest = yes
>> ; writable = yes
>> ; printable = no
>>
>> # The following two entries demonstrate how to share a directory so that two
>> # users can place files there that will be owned by the specific users. In this
>> # setup, the directory should be writable by both users and should have the
>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
>> # as many users as required.
>> ;[myshare]
>> ; comment = Mary's and Fred's stuff
>> ; path = /usr/somewhere/shared
>> ; valid users = mary fred
>> ; public = no
>> ; writable = yes
>> ; printable = no
>> ; create mask = 0765
>> -------------------------------------------------------
>>
>>
>> On 07/28/17 14:57, Dale Schroeder via samba wrote:
>>> There have been a rash of NT4 threads lately on this list, so I will
>>> try to resurrect my problem once more and hope that someone is looking.
>>>
>>> I believe that there has to be more to it than the parameters listed
>>> below, because I've tried those parameters, the max/min protocol
>>> parameter options, and every other incantation postulated on this
>>> list. Regardless of what I've tried, member servers above 4.2.x
>>> absolutely will not allow access to shares with the stated fixes.
>>> [Please note that this problem started pre-badlock patches,
>>> immediately after upgrading to 4.3.x.]
>>>
>>> For me, (1) an NT4 PDC (ver. 4.6.5) with a share, allows access from
>>> linux and Windows 7 clients; however, (2) shares on 4.6.5 member
>>> servers are inaccessible (NT_STATUS_NO_LOGON_SERVERS error). (3)
>>> Shares on member servers running 4.2.x are accessible from linux and
>>> Win7.
>>>
>>> Is there anyone at all who is willing to share their 'working' NT4
>>> global config? I would appreciate it very much.
>>>
>>> Thanks,
>>> Dale
>>>
>>>
>>> On 07/21/2017 8:15 AM, Gaiseric Vandal via samba wrote:
>>>> In October, when samba was patched for "badlock" I had to set the
>>>> following
>>>>
>>>>
>>>> client signing = auto
>>>> client ipc signing = auto
>>>> server signing = auto
>>>>
>>>>
>>>> otherwise some of the signing behavior was defaulting to on. You
>>>> may want to try turning some of the signing options to auto or off.
>>>>
>>>> I am also using NT1 as the min and max server and client
>>>> protocol. SMB 2.x causes problems.
>>>>
>>>> I am running Samba 4.4.14 on my domain controllers and key file
>>>> servers. I think Samba 4.2.x is end-of-life so at some point there
>>>> will be some windows update that will break compatibility. I had
>>>> Samba 3.6.x running last year and I couldn't keep it working anymore.
>>>>
>>>>
>>>> On 07/21/17 08:32, Manon JEANJEAN via samba wrote:
>>>>> Hello again,
>>>>>
>>>>> False Server max protocol = NT1 doesn't work because all my server
>>>>> fell there are 20 minutes.
>>>>> So it's necessary to find a new idea.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Manon JEANJEAN via samba [mailto:samba at lists.samba.org]
>>>>> Sent: Friday, 21 July 2017 11:47
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Incompatibility Windows 7
>>>>>
>>>>> Hello everybody
>>>>>
>>>>> Ok Marco, I'm reassured to look you have the same problem.
>>>>> My friend speak of NTML for my problem, it can help me?
>>>>> What is NTML?
>>>>>
>>>>> Thank you
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Marco Gaiarin via samba [mailto:samba at lists.samba.org]
>>>>>> Sent: Friday, 21 July 2017 11:27
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Incompatibility Windows 7
>>>>>> Mandi! Manon JEANJEAN via samba
>>>>> > In chel di` si favelave...
>>>>>
>>>>>> I'm still in these situation, a samba4 NT-like domains with
>>>>>> windows 7 pro clients.
>>>>>> The error reads : There are currently no log on servers available to
>>>>>> service the log on request
>>>>>> I'm hitting this also i, recurring but ''random''; apart
>>>>>> effectively troubled box (eg, a box that boot bad, do an
>>>>>> automatic rollback from a restore point and so lost the machine
>>>>>> account) i hit errors like these, normally in twin with user
>>>>>> password change troubles.
>>>>>> Typically it suffices to look at windows updates, most of the
>>>>>> time the box have some update stuck or half-installed, and so a
>>>>>> windows update running and a reboot fix the trouble.
>>>>>> All these sort of troubles start last autumn by the infamous
>>>>>> KB3167679 update, that broke for a month or so NT domains.
>>>>>
>>>>>> Rowland, i've not set:
>>>>> Server max protocol = NT1
>>>>>
>>>>> >but, as stated, these trouble are spot and random...
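
Added example, not part of the original thread: the good-versus-problem-server `testparm -v` comparison suggested above, done as a script that lists every changed [global] parameter and marks the authentication and signing ones. The two dumps are constructed from values quoted in the diff at the top of this message, and which parameters count as auth-related is this example's assumption.

```python
import re

# Authentication/signing parameters that appear in the thread's diff.
# Treating exactly these as "auth-related" is an assumption of this example.
AUTH_PARAMS = {"ntlm auth", "client signing", "client ipc signing", "server signing"}

def parse_testparm(text):
    """Return {parameter: value} for the [global] section of a testparm -v dump."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Case and spacing in parameter names are not significant.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def compare(old_text, new_text):
    """List (param, old, new, auth_related); None means absent on that side."""
    old, new = parse_testparm(old_text), parse_testparm(new_text)
    return [(k, old.get(k), new.get(k), k in AUTH_PARAMS)
            for k in sorted(old.keys() | new.keys())
            if old.get(k) != new.get(k)]

# Constructed sample dumps; the values are the ones quoted in the thread's diff.
WORKING = """# Global parameters
[global]
\tclient signing = default
\tntlm auth = Yes
\tserver signing = default
\tsyslog = 0
\tuse ntdb = No
\tworkgroup = MYDOMAIN
"""
NOT_WORKING = """# Global parameters
[global]
\tclient signing = if_required
\tlsa over netlogon = No
\tntlm auth = No
\tserver signing = if_required
\tsyslog = 1
\tworkgroup = MYDOMAIN
"""

if __name__ == "__main__":
    for key, old, new, auth in compare(WORKING, NOT_WORKING):
        print(f"{'AUTH' if auth else '    '} {key}: {old!r} -> {new!r}")
```

Rows marked AUTH are the ones to review first after an upgrade, since they change how the member server negotiates signing and NTLM with the domain controller.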