See inline.

LPHvBvs> Hi Gregory,

LPHvBvs> On the questions.

>> Is there a good reason to avoid Samba internal DNS?

LPHvBvs> No, imo not, but I only use bind9_dlz because I need bind in my lan for other setups also.

LPHvBvs> I just used my RSAT on my win7 64b, but at my point it works fine.

LPHvBvs> I do have questions to get a better impression of the setup.
LPHvBvs> What's the OS you're using with RSAT, and did you use
LPHvBvs> DOM\Administrator or another account?
LPHvBvs> Check if Administrator has id 0 (root).

W7P, on a station not joined to the domain, but using this kind of launch:

  runas /netonly /user:someco-adc1\administrator "mmc /server=someco-adc1.ad.sncc.local."

[The names are defined in the hosts file on the W7 box.]

LPHvBvs> Is there anything showing up in the Windows event logs?

No.

LPHvBvs> Are the SePrivileges checked, if the needed groups/users exist?
LPHvBvs> I use this script to check this; it shows the SePrivileges.
LPHvBvs> https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-SePrivileges.sh

-SNIPPED YOURS-

[But mine don't appear to have "NTDOM\Domain Admins" - which seems odd.]
SeMachineAccountPrivilege:
SeTakeOwnershipPrivilege:
     BUILTIN\Administrators
SeBackupPrivilege:
     BUILTIN\Backup Operators
     BUILTIN\Administrators
     BUILTIN\Server Operators
SeRestorePrivilege:
     BUILTIN\Backup Operators
     BUILTIN\Administrators
     BUILTIN\Server Operators
SeRemoteShutdownPrivilege:
     BUILTIN\Administrators
     BUILTIN\Server Operators
SePrintOperatorPrivilege:
SeAddUsersPrivilege:
SeDiskOperatorPrivilege:
SeSecurityPrivilege:
     BUILTIN\Administrators
SeSystemtimePrivilege:
     BUILTIN\Administrators
     BUILTIN\Server Operators
SeShutdownPrivilege:
     BUILTIN\Print Operators
     BUILTIN\Backup Operators
     BUILTIN\Administrators
     BUILTIN\Server Operators
SeDebugPrivilege:
     BUILTIN\Administrators
SeSystemEnvironmentPrivilege:
     BUILTIN\Administrators
SeSystemProfilePrivilege:
     BUILTIN\Administrators
SeProfileSingleProcessPrivilege:
     BUILTIN\Administrators
SeIncreaseBasePriorityPrivilege:
     BUILTIN\Administrators
SeLoadDriverPrivilege:
     BUILTIN\Print Operators
     BUILTIN\Administrators
SeCreatePagefilePrivilege:
     BUILTIN\Administrators
SeIncreaseQuotaPrivilege:
     BUILTIN\Administrators
SeChangeNotifyPrivilege:
     BUILTIN\Administrators
     BUILTIN\Pre-Windows 2000 Compatible Access
SeUndockPrivilege:
     BUILTIN\Administrators
SeManageVolumePrivilege:
     BUILTIN\Administrators
SeImpersonatePrivilege:
     BUILTIN\Administrators
SeCreateGlobalPrivilege:
     BUILTIN\Administrators
SeEnableDelegationPrivilege:
     BUILTIN\Administrators

LPHvBvs> Have you set up samba with a higher debug level also? That
LPHvBvs> might show what's missing/going wrong.
Samba logs [log level = 2]. Opening a user/computer's properties gives these log lines:

[2018/05/21 17:05:15.278252, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() - NT_STATUS_LOCAL_DISCONNECT]
[2018/05/21 17:05:15.283207, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27541 () exited with status 0
[2018/05/21 17:05:15.327654, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2018/05/21 17:05:15.328495, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_IO_DEVICE_ERROR]
[2018/05/21 17:05:15.333242, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27553 () exited with status 0

[Multiple times]

Then when I open the security tab, and force close after the hang of the MMC, I get this:

[2018/05/21 17:05:36.549449, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
[2018/05/21 17:05:36.549762, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
[2018/05/21 17:05:36.549967, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
[2018/05/21 17:05:36.550139, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
  standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
[2018/05/21 17:05:36.565558, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27531 () exited with status 0
[2018/05/21 17:05:36.565742, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27524 () exited with status 0
[2018/05/21 17:05:36.565877, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27561 () exited with status 0
[2018/05/21 17:05:36.566021, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
  Child 27552 () exited with status 0

Not sure if any of that is helpful, but let's see. I'll keep digging too.

-Greg
On Mon, 21 May 2018 17:15:21 -0700
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> [2018/05/21 17:05:36.549449, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
> [2018/05/21 17:05:36.549762, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
> [2018/05/21 17:05:36.549967, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
>   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
>   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
>   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
> [2018/05/21 17:05:36.550139, 2] ../source4/smbd/process_standard.c:473(standard_terminate)
>   standard_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_RESET]
> [2018/05/21 17:05:36.565558, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>   Child 27531 () exited with status 0
> [2018/05/21 17:05:36.565742, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>   Child 27524 () exited with status 0
> [2018/05/21 17:05:36.565877, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>   Child 27561 () exited with status 0
> [2018/05/21 17:05:36.566021, 2] ../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
>   Child 27552 () exited with status 0
>
> Not sure if any of that is helpful, but let's see. I'll keep digging
> too.
>
> -Greg

What version of Samba is the NAS running? Is it joined to the domain? Can you post the smb.conf from the NAS?

As for 'internal' versus 'bind9' dns server, I have never used the 'internal' dns server, I also have never had any real problems with the dns server ;-)

I personally think that if you have more than one DC, you should use Bind9.

Rowland
On Mon, 21 May 2018 17:15:21 -0700
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> See inline.
>
> LPHvBvs> Hi Gregory,
>
> LPHvBvs> On the questions.
> >> Is there a good reason to avoid Samba internal DNS?
> LPHvBvs> No, imo not, but I only use bind9_dlz because I need bind in
> LPHvBvs> my lan for other setups also.
>
> LPHvBvs> I just used my RSAT on my win7 64b, but at my point it works
> LPHvBvs> fine.
>
> LPHvBvs> I do have questions to get a better impression of the setup.
> LPHvBvs> What's the OS you're using with RSAT, and did you use
> LPHvBvs> DOM\Administrator or another account?
> LPHvBvs> Check if Administrator has id 0 (root).
>
> W7P, on a station not joined to the domain, but using this kind of
> launch: runas /netonly /user:someco-adc1\administrator
> "mmc /server=someco-adc1.ad.sncc.local." [The names are defined in
> the hosts file on the W7 box.]
>
> LPHvBvs> Is there anything showing up in the Windows event logs?
>
> No.
>
> LPHvBvs> Are the SePrivileges checked, if the needed groups/users
>
> [But mine don't appear to have "NTDOM\Domain Admins" - which seems
> odd.]
>
> SeRemoteShutdownPrivilege:
>      BUILTIN\Administrators
>      BUILTIN\Server Operators
> SePrintOperatorPrivilege:
> SeAddUsersPrivilege:
> SeDiskOperatorPrivilege:
> SeSecurityPrivilege:
>      BUILTIN\Administrators

The important one is 'SeDiskOperatorPrivilege' and, as you can see, nothing has this privilege.

I would expect something like this:

SeDiskOperatorPrivilege:
     SAMDOM\Administrator
     BUILTIN\Administrators
     SAMDOM\Unix Admins

NOTE: I use the 'Unix Admins' group instead of 'Domain Admins'; this way I can give 'Unix Admins' a gidNumber, and 'Domain Admins' can be both a group and a user on a DC.

Rowland
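The check Rowland is doing by eye above, as an added example that is not part of the thread and not Louis's samba-check-SePrivileges.sh script: a small POSIX shell/awk parser for the listing format that `net rpc rights list privileges` prints (the "SeXxxPrivilege:" headers with indented holders, exactly as pasted in Greg's mail), reporting every privilege that has no holder and checking SeDiskOperatorPrivilege in particular, since the Samba wiki requires that privilege for managing shares and share ACLs from Windows tools. The listing embedded as SAMPLE_RIGHTS is a constructed excerpt mirroring the thread's output; SAMDOM and 'Unix Admins' are Rowland's placeholder names, and the `-S dc1` host in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, not Louis's check script): parse the
# output format of `net rpc rights list privileges` and find privileges that
# no account holds. SAMPLE_RIGHTS is a CONSTRUCTED excerpt mirroring the
# listing in Greg's mail; on a DC you would feed the functions with
#   net rpc rights list privileges -U 'SAMDOM\administrator' -S dc1
# (SAMDOM and dc1 are placeholders, not real names).
SAMPLE_RIGHTS='SeMachineAccountPrivilege:
SeTakeOwnershipPrivilege:
     BUILTIN\Administrators
SeBackupPrivilege:
     BUILTIN\Backup Operators
     BUILTIN\Administrators
     BUILTIN\Server Operators
SeDiskOperatorPrivilege:
SeSecurityPrivilege:
     BUILTIN\Administrators
SeAddUsersPrivilege:
'

# empty_privileges: read a listing on stdin, print each privilege with no holder.
# A header line is "SeXxxPrivilege:"; holder lines are indented under it.
empty_privileges() {
    awk '
        /^Se[A-Za-z]*Privilege:$/ {
            if (cur != "" && count == 0) print cur
            cur = substr($1, 1, length($1) - 1); count = 0; next
        }
        /^[ \t]+[^ \t]/ { count++ }
        END { if (cur != "" && count == 0) print cur }
    '
}

# holders_of PRIV: read a listing on stdin, print the accounts holding PRIV.
holders_of() {
    awk -v want="$1:" '
        /^Se[A-Za-z]*Privilege:$/ { inblock = ($1 == want); next }
        inblock && /^[ \t]+[^ \t]/ { sub(/^[ \t]+/, ""); print }
    '
}

# check_disk_operator: succeed only if some account holds SeDiskOperatorPrivilege.
check_disk_operator() {
    [ -n "$(holders_of SeDiskOperatorPrivilege)" ]
}

# grant_hint GROUP: the net(8) command that assigns the privilege to GROUP.
# Printed rather than executed: it needs a live DC and domain admin credentials.
grant_hint() {
    printf "net rpc rights grant '%s' SeDiskOperatorPrivilege -U 'SAMDOM\\\\administrator'\n" "$1"
}

main() {
    echo "Privileges with no holder:"
    printf '%s' "$SAMPLE_RIGHTS" | empty_privileges | sed 's/^/  /'
    if printf '%s' "$SAMPLE_RIGHTS" | check_disk_operator; then
        echo "SeDiskOperatorPrivilege holders:"
        printf '%s' "$SAMPLE_RIGHTS" | holders_of SeDiskOperatorPrivilege | sed 's/^/  /'
    else
        echo "Nothing holds SeDiskOperatorPrivilege; to grant it, run on the DC:"
        # printf, not echo: dash's echo would turn the \a in \administrator into a bell
        printf '  %s\n' "$(grant_hint 'SAMDOM\Unix Admins')"
    fi
}

main "$@"
```

Against the constructed sample this reports SeMachineAccountPrivilege, SeDiskOperatorPrivilege and SeAddUsersPrivilege as unheld and prints the grant command; on a real DC, replace SAMPLE_RIGHTS with the live `net rpc rights list privileges` output and grant the privilege to whichever admin group you use (Rowland's 'Unix Admins' or 'Domain Admins'), not to individual users.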
RPvs> On Mon, 21 May 2018 17:15:21 -0700
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> See inline.
>>
>> LPHvBvs> Hi Gregory,
>>
>> LPHvBvs> On the questions.
>> >> Is there a good reason to avoid Samba internal DNS?
>> LPHvBvs> No, imo not, but I only use bind9_dlz because I need bind in
>> LPHvBvs> my lan for other setups also.
>>
>> LPHvBvs> I just used my RSAT on my win7 64b, but at my point it works
>> LPHvBvs> fine.
>>
>> LPHvBvs> I do have questions to get a better impression of the setup.
>> LPHvBvs> What's the OS you're using with RSAT, and did you use
>> LPHvBvs> DOM\Administrator or another account?
>> LPHvBvs> Check if Administrator has id 0 (root).
>>
>> W7P, on a station not joined to the domain, but using this kind of
>> launch: runas /netonly /user:someco-adc1\administrator
>> "mmc /server=someco-adc1.ad.sncc.local." [The names are defined in
>> the hosts file on the W7 box.]
>>
>> LPHvBvs> Is there anything showing up in the Windows event logs?
>>
>> No.
>>
>> LPHvBvs> Are the SePrivileges checked, if the needed groups/users
>>
>> [But mine don't appear to have "NTDOM\Domain Admins" - which seems
>> odd.]
>>
>> SeRemoteShutdownPrivilege:
>>      BUILTIN\Administrators
>>      BUILTIN\Server Operators
>> SePrintOperatorPrivilege:
>> SeAddUsersPrivilege:
>> SeDiskOperatorPrivilege:
>> SeSecurityPrivilege:
>>      BUILTIN\Administrators

RPvs> The important one is 'SeDiskOperatorPrivilege' and, as you can see,
RPvs> nothing has this privilege.

RPvs> I would expect something like this:

RPvs> SeDiskOperatorPrivilege:
RPvs>      SAMDOM\Administrator
RPvs>      BUILTIN\Administrators
RPvs>      SAMDOM\Unix Admins

RPvs> NOTE: I use the 'Unix Admins' group instead of 'Domain Admins'; this
RPvs> way I can give 'Unix Admins' a gidNumber, and 'Domain Admins' can be
RPvs> both a group and a user on a DC.

I was under the impression that during provision the Administrator account got all the domain [and other] "root" privs by default. If that's the case, why doesn't Administrator have the privs we'd expect?

[Perhaps I misunderstand what Administrator starts with after an initial provision.]

As to your prior message - the FreeNAS box isn't part of the setup yet. I'm just trying to get the user and computer accounts I'll need to join the NAS to AD ready.

TIA
-Greg