samba - Jul 2019 - Problem after upgrading to Debian 10

On 12/07/2019 22:01, Rowland penny via samba wrote:
> On 12/07/2019 21:29, Alberto Jos? Garc?a Fumero wrote:
>> El vie, 12-07-2019 a las 21:05 +0100, Rowland penny via samba escribi?:
>>> On 12/07/2019 20:23, Alberto Jos? Garc?a Fumero via samba wrote:
>>>> Excuse me if I bother you, but I badly need help.
>>>>
>>>> Let me describe the situation. In my network there is a group
of
>>>> Windows boxes in a Windows domain (THE_DOMAIN),
>>> What is the Windows DC ?
>>>> ?? three computers with
>>>> Debian 9.x not linked to the domain (in a workgroup named
>>>> TECHNOLOGY,
>>>> and the parameter security=user) one of which I use, and other
>>>> three
>>>> computers with Debian 7.x in another workgroup (and
security=share,
>>>> so
>>>> no problem accessing these).
>>> You will have a problem when you upgrade the EOL Debian Wheezy,
>>> 'security = share' no longer exists.
>>>> When using Debian 9.x I was able to access (by way of Nautilus)
the
>>>> shared resources in all boxes in the domain THE_DOMAIN
identifying
>>>> me
>>>> as the user administrator of the Samba 4 domain in the dialog
>>>> window.
>>>> After upgrading to Debian 10, this is no longer possible.
>>>>
>>>> What I am doing wrong? Is it necessary to join the domain,
after
>>>> this
>>>> upgrade?
>>> This is probably down to the value for 'ntlm auth' being
changed
>>> from
>>> 'yes' to 'ntlmv2-only' at 4.7.0
>>>
>>> Rowland
>>>
>>>
>> The domain controller is a Samba 4.
>>
>> So what could I do? Is it possible to modify that parameter?
>
> What version of Samba is running on the DC ?
>
> What is the OS the DC is running on ?
>
> How is Samba running on the DC, as an NT4-style PDC or an AD DC ?
>
> Rowland
>
>
>
Whilst waiting for my questions to be answered, I took another look at 
the smb.conf.

After removing all the default lines, it becomes this:

[global]
 ??? workgroup = TECHNOLOGY
 ??? server string = Desarrollo
 ??? security = user
 ??? hosts allow = 192.168.0. 127.
 ??? cups options = raw
 ??? username map = /etc/samba/smbusers
 ??? log file = /var/log/samba/%m.log
 ??? max log size = 50
 ??? local master = no

[homes]
 ??? comment = Home Directories
 ??? browseable = no
 ??? read only = no

[printers]
 ??? comment = All Printers
 ??? path = /usr/spool/samba
 ??? guest ok = yes
 ??? printable = yes

[compartido]
 ??? comment = Lo que comparte Desarrollo
 ??? path = /Compartido
 ??? guest ok = yes

I have to ask, did this ever work ?

You have 'guest ok = yes' set in two of the shares, but the default for 
'map to guest' is 'never', so you cannot have guest access, for
this you
need 'map to guest = bad user' set in [global]. Not that this really 
matters because you do not have 'unix passwd sync = yes' set in 
[global]. This means that nobody can connect to any of your shares.

With a properly set up Samba standalone server on Devuan Ascii (aka 
Debian Stretch without systemd), I can connect to shares on a Domain 
computer as a Domain user. I can also connect to a Domain share as a 
guest user.

Rowland

El s?b, 13-07-2019 a las 09:24 +0100, Rowland penny via samba
escribi?:
> On 12/07/2019 22:01, Rowland penny via samba wrote:
> > On 12/07/2019 21:29, Alberto Jos? Garc?a Fumero wrote:
> > > El vie, 12-07-2019 a las 21:05 +0100, Rowland penny via samba
> > > escribi?:
> > > > On 12/07/2019 20:23, Alberto Jos? Garc?a Fumero via samba
> > > > wrote:
> > > > > Excuse me if I bother you, but I badly need help.
> > > > > 
> > > > > Let me describe the situation. In my network there is a
group
> > > > > of
> > > > > Windows boxes in a Windows domain (THE_DOMAIN),
> > > > What is the Windows DC ?
> > > > >    three computers with
> > > > > Debian 9.x not linked to the domain (in a workgroup
named
> > > > > TECHNOLOGY,
> > > > > and the parameter security=user) one of which I use,
and
> > > > > other
> > > > > three
> > > > > computers with Debian 7.x in another workgroup (and
> > > > > security=share,
> > > > > so
> > > > > no problem accessing these).
> > > > You will have a problem when you upgrade the EOL Debian
Wheezy,
> > > > 'security = share' no longer exists.
> > > > > When using Debian 9.x I was able to access (by way of
> > > > > Nautilus) the
> > > > > shared resources in all boxes in the domain THE_DOMAIN
> > > > > identifying
> > > > > me
> > > > > as the user administrator of the Samba 4 domain in the
dialog
> > > > > window.
> > > > > After upgrading to Debian 10, this is no longer
possible.
> > > > > 
> > > > > What I am doing wrong? Is it necessary to join the
domain,
> > > > > after
> > > > > this
> > > > > upgrade?
> > > > This is probably down to the value for 'ntlm auth'
being
> > > > changed
> > > > from
> > > > 'yes' to 'ntlmv2-only' at 4.7.0
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > The domain controller is a Samba 4.
> > > 
> > > So what could I do? Is it possible to modify that parameter?
> > 
> > What version of Samba is running on the DC ?
> > 
> > What is the OS the DC is running on ?
> > 
> > How is Samba running on the DC, as an NT4-style PDC or an AD DC ?
> > 
> > Rowland
> > 
> > 
> > 
> Whilst waiting for my questions to be answered, I took another look
> at 
> the smb.conf.
> 
> After removing all the default lines, it becomes this:
> 
> [global]
>      workgroup = TECHNOLOGY
>      server string = Desarrollo
>      security = user
>      hosts allow = 192.168.0. 127.
>      cups options = raw
>      username map = /etc/samba/smbusers
>      log file = /var/log/samba/%m.log
>      max log size = 50
>      local master = no
> 
> [homes]
>      comment = Home Directories
>      browseable = no
>      read only = no
> 
> [printers]
>      comment = All Printers
>      path = /usr/spool/samba
>      guest ok = yes
>      printable = yes
> 
> [compartido]
>      comment = Lo que comparte Desarrollo
>      path = /Compartido
>      guest ok = yes
> 
> I have to ask, did this ever work ?
> 
> You have 'guest ok = yes' set in two of the shares, but the default
> for 
> 'map to guest' is 'never', so you cannot have guest access,
for this
> you 
> need 'map to guest = bad user' set in [global]. Not that this
really
> matters because you do not have 'unix passwd sync = yes' set in 
> [global]. This means that nobody can connect to any of your shares.
> 
> With a properly set up Samba standalone server on Devuan Ascii (aka 
> Debian Stretch without systemd), I can connect to shares on a Domain 
> computer as a Domain user. I can also connect to a Domain share as a 
> guest user.
> 
> Rowland
> 
> 
Thanks!

Certainly it worked, up to Debian 9.x. I used it every day.

The Samba 4 version is 4.6.5. It works as an Active Domain Controller
on a Debian 7.9.

-- 
M.Sc. Alberto Garc?a Fumero
Usuario Linux 97 138, registrado 10/12/1998
http://interese.cubava.cu
No son las horas que pones en tu trabajo lo que cuenta, sino el trabajo
que pones en esas horas.

On 15/07/2019 20:14, Alberto Jos? Garc?a Fumero via samba
wrote:
> El s?b, 13-07-2019 a las 09:24 +0100, Rowland penny via samba escribi?:
>> On 12/07/2019 22:01, Rowland penny via samba wrote:
>>> On 12/07/2019 21:29, Alberto Jos? Garc?a Fumero wrote:
>>>> El vie, 12-07-2019 a las 21:05 +0100, Rowland penny via samba
>>>> escribi?:
>>>>> On 12/07/2019 20:23, Alberto Jos? Garc?a Fumero via samba
>>>>> wrote:
>>>>>> Excuse me if I bother you, but I badly need help.
>>>>>>
>>>>>> Let me describe the situation. In my network there is a
group
>>>>>> of
>>>>>> Windows boxes in a Windows domain (THE_DOMAIN),
>>>>> What is the Windows DC ?
>>>>>>     three computers with
>>>>>> Debian 9.x not linked to the domain (in a workgroup
named
>>>>>> TECHNOLOGY,
>>>>>> and the parameter security=user) one of which I use,
and
>>>>>> other
>>>>>> three
>>>>>> computers with Debian 7.x in another workgroup (and
>>>>>> security=share,
>>>>>> so
>>>>>> no problem accessing these).
>>>>> You will have a problem when you upgrade the EOL Debian
Wheezy,
>>>>> 'security = share' no longer exists.
>>>>>> When using Debian 9.x I was able to access (by way of
>>>>>> Nautilus) the
>>>>>> shared resources in all boxes in the domain THE_DOMAIN
>>>>>> identifying
>>>>>> me
>>>>>> as the user administrator of the Samba 4 domain in the
dialog
>>>>>> window.
>>>>>> After upgrading to Debian 10, this is no longer
possible.
>>>>>>
>>>>>> What I am doing wrong? Is it necessary to join the
domain,
>>>>>> after
>>>>>> this
>>>>>> upgrade?
>>>>> This is probably down to the value for 'ntlm auth'
being
>>>>> changed
>>>>> from
>>>>> 'yes' to 'ntlmv2-only' at 4.7.0
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> The domain controller is a Samba 4.
>>>>
>>>> So what could I do? Is it possible to modify that parameter?
>>> What version of Samba is running on the DC ?
>>>
>>> What is the OS the DC is running on ?
>>>
>>> How is Samba running on the DC, as an NT4-style PDC or an AD DC ?
>>>
>>> Rowland
>>>
>>>
>>>
>> Whilst waiting for my questions to be answered, I took another look
>> at
>> the smb.conf.
>>
>> After removing all the default lines, it becomes this:
>>
>> [global]
>>       workgroup = TECHNOLOGY
>>       server string = Desarrollo
>>       security = user
>>       hosts allow = 192.168.0. 127.
>>       cups options = raw
>>       username map = /etc/samba/smbusers
>>       log file = /var/log/samba/%m.log
>>       max log size = 50
>>       local master = no
>>
>> [homes]
>>       comment = Home Directories
>>       browseable = no
>>       read only = no
>>
>> [printers]
>>       comment = All Printers
>>       path = /usr/spool/samba
>>       guest ok = yes
>>       printable = yes
>>
>> [compartido]
>>       comment = Lo que comparte Desarrollo
>>       path = /Compartido
>>       guest ok = yes
>>
>> I have to ask, did this ever work ?
>>
>> You have 'guest ok = yes' set in two of the shares, but the
default
>> for
>> 'map to guest' is 'never', so you cannot have guest
access, for this
>> you
>> need 'map to guest = bad user' set in [global]. Not that this
really
>> matters because you do not have 'unix passwd sync = yes' set in
>> [global]. This means that nobody can connect to any of your shares.
>>
>> With a properly set up Samba standalone server on Devuan Ascii (aka
>> Debian Stretch without systemd), I can connect to shares on a Domain
>> computer as a Domain user. I can also connect to a Domain share as a
>> guest user.
>>
>> Rowland
>>
>>
> Thanks!
>
> Certainly it worked, up to Debian 9.x. I used it every day.
>
> The Samba 4 version is 4.6.5. It works as an Active Domain Controller
> on a Debian 7.9.
>
 ?I have got ask, why are you bothering with the Samba AD DC, the 
standalone server has nothing to do with a domain.

You really should upgrade from wheezy, I don't know if you noticed, but 
Debian 10 has just been released.

Rowland