samba - Oct 2017 - Using GPO to mount shares on Linux

Hai, 

I did a re-read of you thread. 

First. 
If you use smblcient, with a samba installed, use -s
/path/alternative/smbclient.conf

If i did read it correct. 
Your connecting from  xUbuntu (samba version ??) to (debian8) samba 4.2 member

How did you join the xUbuntu? 
https://docs.pagure.org/SSSD.sssd/users/ad_provider.html 
Like this setup? ^^^ 
> This setup is working as expected (some windows bugs hide 
> network drives, but is not samba problem). 
Not a windows bug, but probely a ACL problem on sysvol, check windows event
logs.
Works fine here since samba 4.2 DC's. 

Now, i can only give a few advices. 
1) upgrade the debian jessie to debian stretch, and start with samba 4.5.12 from
debian.
2) tell us the xUbuntu version and the samba (smbclient) version 

If i recall correct.. 
Sssd lower then 1.12 my have problems, but as Rowland also said, 
I (we) know nothing about sssd here, except what i google. 
If you did not read this one, please do.
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
I dont know it it helps, but it shows some good settings and its good explained.
And if you get it working, please share the solution.  ;-) 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Daniel Carrasco via samba
> Verzonden: dinsdag 24 oktober 2017 15:42
> Aan: Rowland Penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Using GPO to mount shares on Linux
> 
> Hello,
> 
> My actual setup is:
> 
>    - 2 Domain Controller using Samba 4.7 stable (synced)
>    - Multiple Windows Workstations that has joined the Domain without
>    problem
>    - 1 Linux server using Debian 8 with Samba 4.2 as Member 
> Server joined
>    also to that Domain
> 
> This setup is working as expected (some windows bugs hide 
> network drives,
> but is not samba problem). All workstations are able to login 
> with domain
> credentials, and connect to shared drives on Linux server 
> (managed by GPO
> and ACL).
> 
> Now I've an xUbuntu workstation that I want to join to that 
> Domain and I've
> used realm and sssd to the job. The basic setup works fine and:
> 
>    - I'm able to login with domain users credentials into the linux
>    workstation
>    - I can get the domain data like for example users and 
> groups, and even
>    use domain data to manage autofs
>    - I can mount shares stored on a DC using Kerberos authentication
>    - I can connect to shares using smbclient using Kerberos 
> authentication
> 
> My problem comes when I try to mount o connect to a share 
> that is on Member
> server from the xUbuntu workstation, that give me the errors 
> I've commented
> before. After your comments and research about SPN on google 
> I think that
> maybe is the problem, but for now I'm not able to test it.
> 
> Greetings!!
> 
> 2017-10-24 14:40 GMT+02:00 Rowland Penny via samba 
> <samba at lists.samba.org>:
> 
> > On Tue, 24 Oct 2017 14:11:15 +0200
> > Daniel Carrasco <d.carrasco at i2tic.com> wrote:
> >
> > > Thanks Rowland.
> > >
> > > I'll give a try to both things (WG and SPN).
> > >
> > > To be honest, I ask here because the sssd daemon is working as
> > > expected allowing the authentication of the machine to the
domain,
> > > and the real problem is that I'm not able to access to a 
> shared drive
> > > using a Kerberos authentication (cifs and smbclient) and 
> i've thought
> > > that maybe was a misconfiguration on member server (because works
> > > fine with domain server), and this server is configured as Samba4
> > > member server without sssd.
> > >
> >
> > Sorry, but I don't understand what you are trying to say.
> > Do you mean that it works on a Unix domain member against a 
> Samba AD DC
> > and the Unix domain member isn't using sssd ?
> > Or do you mean something else, if so, please explain your set up.
> >
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> 
> 
> 
> -- 
> _________________________________________
> 
>       Daniel Carrasco Marín
>       Ingeniería para la Innovación i2TIC, S.L.
>       Tlf:  +34 911 12 32 84 Ext: 223
>       www.i2tic.com
> _________________________________________
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hello, I answer bellow.

Thanks!!

2017-10-24 16:52 GMT+02:00 L.P.H. van Belle via samba <samba at
lists.samba.org
>:
> Hai,
>
> I did a re-read of you thread.
>
> First.
> If you use smblcient, with a samba installed, use -s
> /path/alternative/smbclient.conf
>
I think that Samba is not installed on this client because I'm not using
samba to join the domain. Just realmd, sssd and Kerberos. That's why
there's no smb.conf file.

>
> If i did read it correct.
> Your connecting from  xUbuntu (samba version ??) to (debian8) samba 4.2
> member
>
> How did you join the xUbuntu?
> https://docs.pagure.org/SSSD.sssd/users/ad_provider.html
> Like this setup? ^^^
>
Now I don't know the samba version of the client because I cannot access to
the computer, but looks like is the 4.5 version (xUbuntu 16.04 repository).

I've used this guide:
https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/


>
> > This setup is working as expected (some windows bugs hide
> > network drives, but is not samba problem).
> Not a windows bug, but probely a ACL problem on sysvol, check windows
> event logs.
> Works fine here since samba 4.2 DC's.
>
This time looks like a bug in Windows Explorer, because I've already
checked all:

   - sysvol ACL
   - GPO
   - Clients have access to GPO files
   - gpresult shows like all GPO are applied and all drives mounted
   - There's no info about the problem on event log
   - I can access all drives from CMD
   - When I try to mount the drive manually using connect on explorer I can
   see all mounted on drives list
   - I cannot mount the drive until I umount the drives using cmd
   - The problem is not always on the same drives and even sometimes all
   drives are working
   - The option to set the drive as visible in GPO is enabled
   - The problem only happens on 2 computers of about 15 that have joined
   the domain.
   - ...

Anyway, this don't care because I've already asked it on other thread ;)


>
> Now, i can only give a few advices.
> 1) upgrade the debian jessie to debian stretch, and start with samba
> 4.5.12 from debian.
> 2) tell us the xUbuntu version and the samba (smbclient) version
>
I can't do this... I had problems with the old server after upgrade Debian
to stretch, because I use xen with a Windows guest and the xen version
provided by Stretch just have a memory leak running Windows guests. The
process starts to consume memory and when host server is full the guest
machines dies...

Maybe one day I'll try to compile a newer version.

>
> If i recall correct..
> Sssd lower then 1.12 my have problems, but as Rowland also said,
> I (we) know nothing about sssd here, except what i google.
> If you did not read this one, please do.
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-
> sssd-for-large-ipa-ad-trust-deployments/
> I dont know it it helps, but it shows some good settings and its good
> explained.
> And if you get it working, please share the solution.  ;-)
>
I'm not sure about the version but I think that is higher, because I've
read about problems on sssd prior to a version and I've already checked it.

Thanks for the links. I'll take a look because all info is welcome.

>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Daniel Carrasco via samba
> > Verzonden: dinsdag 24 oktober 2017 15:42
> > Aan: Rowland Penny
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Using GPO to mount shares on Linux
> >
> > Hello,
> >
> > My actual setup is:
> >
> >    - 2 Domain Controller using Samba 4.7 stable (synced)
> >    - Multiple Windows Workstations that has joined the Domain without
> >    problem
> >    - 1 Linux server using Debian 8 with Samba 4.2 as Member
> > Server joined
> >    also to that Domain
> >
> > This setup is working as expected (some windows bugs hide
> > network drives,
> > but is not samba problem). All workstations are able to login
> > with domain
> > credentials, and connect to shared drives on Linux server
> > (managed by GPO
> > and ACL).
> >
> > Now I've an xUbuntu workstation that I want to join to that
> > Domain and I've
> > used realm and sssd to the job. The basic setup works fine and:
> >
> >    - I'm able to login with domain users credentials into the
linux
> >    workstation
> >    - I can get the domain data like for example users and
> > groups, and even
> >    use domain data to manage autofs
> >    - I can mount shares stored on a DC using Kerberos authentication
> >    - I can connect to shares using smbclient using Kerberos
> > authentication
> >
> > My problem comes when I try to mount o connect to a share
> > that is on Member
> > server from the xUbuntu workstation, that give me the errors
> > I've commented
> > before. After your comments and research about SPN on google
> > I think that
> > maybe is the problem, but for now I'm not able to test it.
> >
> > Greetings!!
> >
> > 2017-10-24 14:40 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Tue, 24 Oct 2017 14:11:15 +0200
> > > Daniel Carrasco <d.carrasco at i2tic.com> wrote:
> > >
> > > > Thanks Rowland.
> > > >
> > > > I'll give a try to both things (WG and SPN).
> > > >
> > > > To be honest, I ask here because the sssd daemon is working
as
> > > > expected allowing the authentication of the machine to the
domain,
> > > > and the real problem is that I'm not able to access to a
> > shared drive
> > > > using a Kerberos authentication (cifs and smbclient) and
> > i've thought
> > > > that maybe was a misconfiguration on member server (because
works
> > > > fine with domain server), and this server is configured as
Samba4
> > > > member server without sssd.
> > > >
> > >
> > > Sorry, but I don't understand what you are trying to say.
> > > Do you mean that it works on a Unix domain member against a
> > Samba AD DC
> > > and the Unix domain member isn't using sssd ?
> > > Or do you mean something else, if so, please explain your set up.
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> >
> > --
> > _________________________________________
> >
> >       Daniel Carrasco Marín
> >       Ingeniería para la Innovación i2TIC, S.L.
> >       Tlf:  +34 911 12 32 84 Ext: 223
> >       www.i2tic.com
> > _________________________________________
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

On Tue, 24 Oct 2017 19:30:23 +0200
Daniel Carrasco via samba <samba at lists.samba.org> wrote:
> Hello, I answer bellow.
> 
> Thanks!!
> 
> 2017-10-24 16:52 GMT+02:00 L.P.H. van Belle via samba
> <samba at lists.samba.org
> >:
> 
> > Hai,
> >
> > I did a re-read of you thread.
> >
> > First.
> > If you use smblcient, with a samba installed, use -s
> > /path/alternative/smbclient.conf
> >
> 
> I think that Samba is not installed on this client because I'm not
> using samba to join the domain. Just realmd, sssd and Kerberos.
> That's why there's no smb.conf file.
> 
> 
> >
> > If i did read it correct.
> > Your connecting from  xUbuntu (samba version ??) to (debian8) samba
> > 4.2 member
> >
> > How did you join the xUbuntu?
> > https://docs.pagure.org/SSSD.sssd/users/ad_provider.html
> > Like this setup? ^^^
> >
> 
> Now I don't know the samba version of the client because I cannot
> access to the computer, but looks like is the 4.5 version (xUbuntu
> 16.04 repository).
> 
> I've used this guide:
>
https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/
I am fairly sure I have said this before, but I will say it in a
different way. 

If you are not using Samba, why are you asking on the Samba mailing
list ? How can your problem be with Samba, if you are not using it!

You are using sssd and realmd, these have nothing to do with Samba, so
I suggest you ask on the sssd-users mailing list.

Rowland

Hai, 

I commented below. 

P.s. @Rowland, i dont believe this is a sssd problem but a old bug in samba.

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Daniel Carrasco via samba
> Verzonden: dinsdag 24 oktober 2017 19:30
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Using GPO to mount shares on Linux
> 
> Hello, I answer bellow.
> 
> Thanks!!
> 
> 2017-10-24 16:52 GMT+02:00 L.P.H. van Belle via samba 
> <samba at lists.samba.org
> >:
> 
> > Hai,
> >
> > I did a re-read of you thread.
> >
> > First.
> > If you use smblcient, without a samba installed, use -s
> > /path/alternative/smbclient.conf
> >
> 
> I think that Samba is not installed on this client because 
> I'm not using
> samba to join the domain. Just realmd, sssd and Kerberos. That's why
> there's no smb.conf file.
Sorry, i made a typo in my question, what i mean is, do make use of that
smb.conf
Or put put your settings in the smb.conf. Even if you dont have samba installed.
Smbclient = samba and looks for smb.conf, just saying it may help.
> 
> 
> >
> > If i did read it correct.
> > Your connecting from  xUbuntu (samba version ??) to 
> (debian8) samba 4.2
> > member
> >
> > How did you join the xUbuntu?
> > https://docs.pagure.org/SSSD.sssd/users/ad_provider.html
> > Like this setup? ^^^
> >
> 
> Now I don't know the samba version of the client because I 
> cannot access to
> the computer, but looks like is the 4.5 version (xUbuntu 
> 16.04 repository).
> 
> I've used this guide:
> https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-
> active-directory-domain/
> 
Thanks, i've been reading it, thanks, your solution is a mix of both howtos
i think.
But sssd is not my cookie.. 
> 
> 
> >
> > > This setup is working as expected (some windows bugs hide
> > > network drives, but is not samba problem).
> > Not a windows bug, but probely a ACL problem on sysvol, 
> check windows
> > event logs.
> > Works fine here since samba 4.2 DC's.
> >
> 
> This time looks like a bug in Windows Explorer, because I've already
> checked all:
> 
>    - sysvol ACL
>    - GPO
>    - Clients have access to GPO files
>    - gpresult shows like all GPO are applied and all drives mounted
>    - There's no info about the problem on event log
>    - I can access all drives from CMD
>    - When I try to mount the drive manually using connect on 
> explorer I can
>    see all mounted on drives list
>    - I cannot mount the drive until I umount the drives using cmd
>    - The problem is not always on the same drives and even 
> sometimes all
>    drives are working
>    - The option to set the drive as visible in GPO is enabled
>    - The problem only happens on 2 computers of about 15 that 
> have joined
>    the domain.
>    - ...
> 
> Anyway, this don't care because I've already asked it on 
> other thread ;)
Ok, good to see you did check a lot already. 

Now, this part..
>    - I can access all drives from CMD
>    - When I try to mount the drive manually using connect on 
> explorer I can
>    see all mounted on drives list
>    - I cannot mount the drive until I umount the drives using cmd
I do remember something about that..  I've seen that before.. 
I might be something with the pc connecting to samba and samba keeping a lock on
something.
I just cant find it where i did read this. Must be on the list some time ago. 

Then i suggest, for the 4.2 for jessie since you cant upgrade, have a look at my
apt.
apt.van-belle.nl and use the latest 4.5.x or the backported version from
stretch.

> 
> 
> 
> >
> > Now, i can only give a few advices.
> > 1) upgrade the debian jessie to debian stretch, and start with samba
> > 4.5.12 from debian.
> > 2) tell us the xUbuntu version and the samba (smbclient) version
> >
> 
> I can't do this... I had problems with the old server after 
> upgrade Debian to stretch, because I use xen with a Windows guest and the
xen version
> provided by Stretch just have a memory leak running Windows  guests. The
> process starts to consume memory and when host server is full 
> the guest machines dies...
> 
> Maybe one day I'll try to compile a newer version.
Did you ever give thought on XenServer (https://xenserver.org)
I use Xen (Debian) Hypervisors also in the past, i switched to xenserver.
Also free to use, and has some nice features. 
I see the debian Xen is the same, why i did choose to drop debian Xen. 
The security issues and boot issues..   :-( 

And your sure you Xen Host is not balloning out. 
(possible fix for that.
https://bugs.launchpad.net/ubuntu/+source/xen/+bug/1484682/comments/3 )

For a xen hypervisor, i would suggest ubuntu ( arg, yes i did say that, and i
even dont like ubuntu..) ;-)
I use Ubuntu for kodi only at home, but if you use the debian/ubuntu
xen-hypervisors, then go for ubuntu.
Because it more focues on that for companies. 
> 
> 
> >
> > If i recall correct..
> > Sssd lower then 1.12 my have problems, but as Rowland also said,
> > I (we) know nothing about sssd here, except what i google.
> > If you did not read this one, please do.
> > https://jhrozek.wordpress.com/2015/08/19/performance-tuning-
> > sssd-for-large-ipa-ad-trust-deployments/
> > I dont know it it helps, but it shows some good settings 
> and its good
> > explained.
> > And if you get it working, please share the solution.  ;-)
> >
> 
> I'm not sure about the version but I think that is higher, 
> because I've
> read about problems on sssd prior to a version and I've 
> already checked it.
> 
> Thanks for the links. I'll take a look because all info is welcome.
Your welkom, happy to hear that even this helps. 

> 
> 
> >
> > Greetz,
> >
> > Louis
> >
> >
> >

On Wed, 25 Oct 2017 10:23:19 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> I commented below. 
> 
> P.s. @Rowland, i dont believe this is a sssd problem but a old bug in
> samba.
> 
Hi Louis, I never said this was a sssd problem, I just cannot see how
you can fix a potential Samba problem when the OP isn't using much of
Samba.
He is using 'samba-common samba-common-bin samba-libs'. These, by
themselves, don't do much, but when coupled with something else, they
help the 'something else' to work.
In this instance the 'something else' is 'sssd' and
'sssd-tools' and
these are not Samba packages, so, in my opinion, the OP will get better
help from the sssd-users mailing list.

If it turns out to be a Samba problem, then we can try to help the OP
to fix it, but a sssd problem has to be ruled out first, mainly because
sssd is the main component in use here.

I also cannot really understand why the OP is using sssd, when it is
just as easy to use Samba instead (by the way, do you think the OP is
aware that he is using the sssd version of winbind ?)

Rowland