On Fri, Jun 14, 2019 at 09:09:58AM +0100, Rowland penny via samba wrote:
> On 14/06/2019 05:50, Stefan Froehlich via samba wrote:
> > as I can do ssh logins with this account, even based on group
> > membership, the unix side of the job seems to be quite settled.
> > The windows side will have to wait a little bit as it requires my
> > physical presence.
> Windows should just work

Unfortunately not at all.

What did work is to switch a PC from the legacy PDC (Debian Squeeze, no questions allowed) to the new ADS-controller and to authenticate against the ADS-controller with a newly created test account. This account can connect to network shares on the file server, including his own home share and the share holding the roaming profile, and also is able to create files there.

What did not work at all is automatic connection of the home drive and (worse) roaming profiles. (Neither did the windows ADS utilities, but this did not bother me at that point of time).

After that I discovered and resolved some config issues (including not having mapped Administrator to the root user on the file server, not having set SeDiskOperatorPrivilege on the file server, assigning a gidNumber to "Domain Admins" instead of creating a new group).

But still, no home drive and no roaming profiles. Windows uses temporary profiles instead of creating the appropriate subdirectory on the file server, and if I create the directory manually, it denotes the profile as "server based" but refuses to save it (as said before, I can manually mount the share and create a test file from within windows). At logout there is a warning telling me to look into the event log for details, and there I can see a message with the source "GroupPolicy" and a German text saying "the network is not available or has not been started", error code 1222 (German error messages are a pain in the ass when trying to google for solutions).
Remarkable is perhaps (in my eyes) that the network neighbourhood on the windows PCs does show the legacy PDC and the other PCs, but neither the new ADS-controller nor the new fileserver (even though the PC is a domain member of the first one and can mount shares of the latter one).

As I tried all this with two PCs and two different accounts I highly suspect that the problem is located within my setup, but I simply don't know how and where to start with debugging.

I created <http://froehlich.priv.at/samba/> with copies of my config files and LDAP-excerpts to avoid including them all in this mail. The profiles and users share look like this at the moment (I added a g+w to /home/profiles for testing purposes at some point of time):

root at herakles:~# ls -al /home/profiles/
total 20
drwxrwx--T  5 root domain users 4096 Jun 21 15:59 .
drwxr-xr-x  8 root root         4096 Jun 19 10:41 ..
drwxr-xr-x 22 gk   domain users 4096 Jun 12 15:04 gk.V2
drwxr-xr-x  2 sf   domain users 4096 Jun 21 16:06 sf.V2
drwxr-xr-x  2 test domain users 4096 Jun 21 13:45 test.V2
root at herakles:~# ls -l /home/users/
total 12
drwxrws--- 12 gk   1006         4096 Jun 21 14:13 gk
drwxr-sr-x  2 sf   domain users 4096 Jun 21 16:42 sf
drwxr-sr-x  2 test domain users 4096 Jun 21 13:09 test

If anything else could be helpful, just tell; as far as the unix side is concerned I can provide pretty much everything.

Bye,

Stefan
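The two listings above are the kind of thing worth checking mechanically before digging into Windows event logs. The script below is an added example for this thread, not code from the poster or from the Samba project: it parses `ls -l` output (the sample listings are copied from the mail above; the host name herakles is the poster's) and reports the ownership patterns that commonly break roaming profiles: a share root without the sticky bit or without group write, a profile directory not owned by the user it is named after, and a numeric owner or group, which means the file server could not map that AD account or group to a Unix id. The `.V2` suffix handling and the `expect_group_write` default are assumptions stated in the code.

```python
"""Audit `ls -l` output of a Samba profiles or home share for the ownership
mistakes that commonly break roaming profiles.  Added example for this thread,
not Samba code; the sample listings are copied from the mail above."""
import re
from typing import Dict, List

# One `ls -l` line.  The group is matched lazily because names such as
# "domain users" contain a space, so naive whitespace splitting misaligns fields.
LS_LINE = re.compile(
    r"^(?P<mode>[a-z-][rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>.+?)\s+(?P<size>\d+)\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)

# Constructed sample: the two listings from the mail (host "herakles" is the poster's).
PROFILES_LISTING = """\
total 20
drwxrwx--T 5 root domain users 4096 Jun 21 15:59 .
drwxr-xr-x 8 root root 4096 Jun 19 10:41 ..
drwxr-xr-x 22 gk domain users 4096 Jun 12 15:04 gk.V2
drwxr-xr-x 2 sf domain users 4096 Jun 21 16:06 sf.V2
drwxr-xr-x 2 test domain users 4096 Jun 21 13:45 test.V2
"""

USERS_LISTING = """\
total 12
drwxrws--- 12 gk 1006 4096 Jun 21 14:13 gk
drwxr-sr-x 2 sf domain users 4096 Jun 21 16:42 sf
drwxr-sr-x 2 test domain users 4096 Jun 21 13:09 test
"""


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Turn `ls -l` text into one dict per entry; the `total N` line is skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("total "):
            continue
        match = LS_LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable ls line: {line!r}")
        entries.append(match.groupdict())
    return entries


def audit_listing(text: str, suffix: str = "", expect_group_write: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked wrong.

    suffix: ".V2" for a profiles share (Vista and later clients append it), "" for home dirs.
    expect_group_write: assumption that clients create their own folder under the
    share root, which needs group write there (pass False if an admin pre-creates them).
    """
    findings: List[str] = []
    for entry in parse_listing(text):
        name, mode, owner, group = entry["name"], entry["mode"], entry["owner"], entry["group"]
        if name == "..":
            continue
        if name == ".":
            # Share root (only listed with `ls -a`): the sticky bit stops users from
            # renaming or deleting each other's folders in a group-writable directory.
            if mode[9] not in "tT":
                findings.append(f"share root lacks the sticky bit (mode {mode})")
            if expect_group_write and mode[5] != "w":
                findings.append(f"share root is not group-writable (mode {mode})")
            if owner != "root":
                findings.append(f"share root owned by {owner}, expected root")
            continue
        # A bare number means this host could not map the SID to a Unix user/group
        # (missing idmap range or gidNumber), so access checks will not line up.
        if owner.isdigit():
            findings.append(f"{name}: owner is unresolved id {owner}")
        if group.isdigit():
            findings.append(f"{name}: group is unresolved id {group}")
        if suffix and not name.endswith(suffix):
            findings.append(f"{name}: does not end with {suffix}; stray directory?")
            continue
        expected_owner = name[: len(name) - len(suffix)] if suffix else name
        if owner != expected_owner:
            findings.append(f"{name}: owned by {owner}, expected {expected_owner}")
    return findings


if __name__ == "__main__":
    for label, listing, suffix in (("profiles", PROFILES_LISTING, ".V2"),
                                   ("users", USERS_LISTING, "")):
        problems = audit_listing(listing, suffix)
        print(f"{label}: " + ("ok" if not problems else "\n  ".join([""] + problems)))
```

Run against the listings in the mail, the profiles share comes back clean, while the users share flags the `1006` group on gk: a numeric id in `ls` output is the file server saying it has no name for that gid, which is exactly the mapping question an AD migration tends to surface.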
On 23/06/2019 11:48, Stefan Froehlich via samba wrote:
> On Fri, Jun 14, 2019 at 09:09:58AM +0100, Rowland penny via samba wrote:
>> On 14/06/2019 05:50, Stefan Froehlich via samba wrote:
>>> as I can do ssh logins with this account, even based on group
>>> membership, the unix side of the job seems to be quite settled.
>>> The windows side will have to wait a little bit as it requires my
>>> physical presence.
>> Windows should just work
> Unfortunately not at all.
>
> What did work is to switch a PC from the legacy PDC (Debian Squeeze,
> no questions allowed) to the new ADS-controller and to authenticate
> against the ADS-controller with a newly created test account. This
> account can connect to network shares on the file server, including
> his own home share and the share holding the roaming profile and
> also is able to create files there.
>
> What did not work at all is automatic connection of the home drive
> and (worse) roaming profiles. (Neither did the windows ADS
> utilities, but this did not bother me at that point of time).
>
> After that I discovered and resolved some config issues (including
> not having mapped Administrator to the root user on the file server,
> not having set SeDiskOperatorPrivilege on the file server, assigning
> a gidNumber to "Domain Admins" instead of creating a new group).
>
> But still, no home drive and no roaming profiles. Windows uses
> temporary profiles instead of creating the appropriate subdirectory
> on the file server, and if I create the directory manually, it
> denotes the profile as "server based" but refuses to save it (as
> said before, I can manually mount the share and create a test file
> from within windows). At logout there is a warning telling me to
> look into the event log for details, and there I can see a message
> with the source "GroupPolicy" and a German text saying "the network
> is not available or has not been started", error code 1222 (German
> error messages are a pain in the ass when trying to google for
> solutions).
>
> Remarkable is perhaps (in my eyes) that the network neighbourhood on
> the windows PCs does show the legacy PDC and the other PCs, but
> neither the new ADS-controller nor the new fileserver (even though
> the PC is a domain member of the first one and can mount shares of
> the latter one).
>
> As I tried all this with two PCs and two different accounts I highly
> suspect that the problem is located within my setup, but I simply
> don't know how and where to start with debugging.
>
> I created <http://froehlich.priv.at/samba/> with copies of my config
> files and LDAP-excerpts to avoid including them all in this mail.
> The profiles and users share look like this at the moment (I added a
> g+w to /home/profiles for testing purposes at some point of time):
>
> root at herakles:~# ls -al /home/profiles/
> total 20
> drwxrwx--T  5 root domain users 4096 Jun 21 15:59 .
> drwxr-xr-x  8 root root         4096 Jun 19 10:41 ..
> drwxr-xr-x 22 gk   domain users 4096 Jun 12 15:04 gk.V2
> drwxr-xr-x  2 sf   domain users 4096 Jun 21 16:06 sf.V2
> drwxr-xr-x  2 test domain users 4096 Jun 21 13:45 test.V2
> root at herakles:~# ls -l /home/users/
> total 12
> drwxrws--- 12 gk   1006         4096 Jun 21 14:13 gk
> drwxr-sr-x  2 sf   domain users 4096 Jun 21 16:42 sf
> drwxr-sr-x  2 test domain users 4096 Jun 21 13:09 test
>
> If anything else could be helpful, just tell; as far as the unix side is
> concerned I can provide pretty much everything.
>
> Bye,
>
> Stefan
>

You are coming from a PDC domain to an AD DC domain, easiest thing first, you do not use 'wins' with an AD DC, you use 'dns'.

Can you download this:

https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

Run it on your DC and Unix domain member, then post the output, either in a post to here or with the other ones you posted.

Can you also supply the AD object for 'Domain Users', I know where you got '100' from, but I need to see if you used it for the 'Domain Users' gidNumber.

Rowland
On Sun, Jun 23, 2019 at 12:21:58PM +0100, Rowland penny via samba wrote:
> You are coming from a PDC domain to an AD DC domain, easiest thing first,
> you do not use 'wins' with an AD DC, you use 'dns'.

I know the latter (had to delegate the zone in bind after all), but "wins support=yes" must have been created either by Debian or by "domain provision".

> Can you download this:
>
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

The results are available at <http://froehlich.priv.at/samba/>

> Can you also supply the AD object for 'Domain Users', I know where
> you got '100' from, but I need to see if you used it for the
> 'Domain Users' gidNumber.

Is available as well (and no, I did not, as I thought that AD numbers have to be in the respective range > 10k)

Bye,

Stefan
-- 
Der Stein der Weisen, oder warum Stefan so mächtig eifert!
Sloganizer, https://www.poetron-zone.de/