On 15/07/2019 20:14, Alberto José García Fumero via samba wrote:
> On Sat, 13-07-2019 at 09:24 +0100, Rowland penny via samba wrote:
>> On 12/07/2019 22:01, Rowland penny via samba wrote:
>>> On 12/07/2019 21:29, Alberto José García Fumero wrote:
>>>> On Fri, 12-07-2019 at 21:05 +0100, Rowland penny via samba wrote:
>>>>> On 12/07/2019 20:23, Alberto José García Fumero via samba wrote:
>>>>>> Excuse me if I bother you, but I badly need help.
>>>>>>
>>>>>> Let me describe the situation. In my network there is a group of
>>>>>> Windows boxes in a Windows domain (THE_DOMAIN),
>>>>> What is the Windows DC ?
>>>>>> three computers with
>>>>>> Debian 9.x not linked to the domain (in a workgroup named TECHNOLOGY,
>>>>>> and the parameter security=user) one of which I use, and other three
>>>>>> computers with Debian 7.x in another workgroup (and security=share, so
>>>>>> no problem accessing these).
>>>>> You will have a problem when you upgrade the EOL Debian Wheezy,
>>>>> 'security = share' no longer exists.
>>>>>> When using Debian 9.x I was able to access (by way of Nautilus) the
>>>>>> shared resources in all boxes in the domain THE_DOMAIN identifying me
>>>>>> as the user administrator of the Samba 4 domain in the dialog window.
>>>>>> After upgrading to Debian 10, this is no longer possible.
>>>>>>
>>>>>> What I am doing wrong? Is it necessary to join the domain, after this
>>>>>> upgrade?
>>>>> This is probably down to the value for 'ntlm auth' being changed from
>>>>> 'yes' to 'ntlmv2-only' at 4.7.0
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> The domain controller is a Samba 4.
>>>>
>>>> So what could I do? Is it possible to modify that parameter?
>>> What version of Samba is running on the DC ?
>>>
>>> What is the OS the DC is running on ?
>>>
>>> How is Samba running on the DC, as an NT4-style PDC or an AD DC ?
>>>
>>> Rowland
>>>
>>>
>>>
>> Whilst waiting for my questions to be answered, I took another look at
>> the smb.conf.
>>
>> After removing all the default lines, it becomes this:
>>
>> [global]
>>     workgroup = TECHNOLOGY
>>     server string = Desarrollo
>>     security = user
>>     hosts allow = 192.168.0. 127.
>>     cups options = raw
>>     username map = /etc/samba/smbusers
>>     log file = /var/log/samba/%m.log
>>     max log size = 50
>>     local master = no
>>
>> [homes]
>>     comment = Home Directories
>>     browseable = no
>>     read only = no
>>
>> [printers]
>>     comment = All Printers
>>     path = /usr/spool/samba
>>     guest ok = yes
>>     printable = yes
>>
>> [compartido]
>>     comment = Lo que comparte Desarrollo
>>     path = /Compartido
>>     guest ok = yes
>>
>> I have to ask, did this ever work ?
>>
>> You have 'guest ok = yes' set in two of the shares, but the default for
>> 'map to guest' is 'never', so you cannot have guest access, for this you
>> need 'map to guest = bad user' set in [global]. Not that this really
>> matters because you do not have 'unix passwd sync = yes' set in
>> [global]. This means that nobody can connect to any of your shares.
>>
>> With a properly set up Samba standalone server on Devuan Ascii (aka
>> Debian Stretch without systemd), I can connect to shares on a Domain
>> computer as a Domain user. I can also connect to a Domain share as a
>> guest user.
>>
>> Rowland
>>
>>
> Thanks!
>
> Certainly it worked, up to Debian 9.x. I used it every day.
>
> The Samba 4 version is 4.6.5. It works as an Active Domain Controller
> on a Debian 7.9.
>

I have got to ask, why are you bothering with the Samba AD DC, the standalone server has nothing to do with a domain.

You really should upgrade from wheezy, I don't know if you noticed, but Debian 10 has just been released.

Rowland

Alberto José García Fumero
2019-Jul-15 21:12 UTC
[Samba] Problem after upgrading to Debian 10
On Mon, 15-07-2019 at 20:25 +0100, Rowland penny via samba wrote:
>
> I have got to ask, why are you bothering with the Samba AD DC, the
> standalone server has nothing to do with a domain.
>
> You really should upgrade from wheezy, I don't know if you noticed, but
> Debian 10 has just been released.
>
> Rowland
>
>
>

Well, the fact is, I have to. My workstation is now a Debian 10 one, all right, but the Debian Wheezy with Samba 4 ADS I can not change, at least for the moment. I do need to access the shared resources as I did until the upgrade of my workstation. And I'd prefer not to join my workstation to the ADS, except if this is the only solution.

For the moment, I am able to mount shared resources of the Windows boxes in the domain using

    mount -t cifs //workstation/shared-resource /mnt -o user=administrator --verbose

but of course this is not as comfortable a solution as the use of, for instance, Nautilus.

-- 
M.Sc. Alberto García Fumero
Linux User 97 138, registered 10/12/1998
http://interese.cubava.cu
It is not the hours you put into your work that count, but the work you put into those hours.

On 15/07/2019 22:12, Alberto José García Fumero via samba wrote:
> On Mon, 15-07-2019 at 20:25 +0100, Rowland penny via samba wrote:
>> I have got to ask, why are you bothering with the Samba AD DC, the
>> standalone server has nothing to do with a domain.
>>
>> You really should upgrade from wheezy, I don't know if you noticed, but
>> Debian 10 has just been released.
>>
>> Rowland
>>
>>
>>
> Well, the fact is, I have to. My workstation is now a Debian 10 one,
> all right, but the Debian Wheezy with Samba 4 ADS I can not change, at
> least for the moment. I do need to access the shared resources as I did
> until the upgrade of my workstation. And I'd prefer not to join my
> workstation to the ADS, except if this is the only solution.

I understand, but if I was in your shoes, I would be contacting whoever does have control of the Wheezy machine and pointing out that to continue using Wheezy is very insecure mainly because it is EOL and contains packages that are subject to unresolved CVEs.

>
>
> For the moment, I am able to mount shared resources of the Windows
> boxes in the domain using
> mount -t cifs //workstation/shared-resource /mnt -o user=administrator --verbose
>
> but of course this is not as comfortable a solution as the use of, for
> instance, Nautilus.

You better get used to either mapping shares or navigating to them via UNC, this is because you need SMBv1 for network browsing and this is going away. Windows 10 has this turned off by default (you can turn it back on, but it isn't recommended), Samba 4.11.0 (the next version) will also have it turned off by default.

Rowland
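
Added example, not part of any message in this thread and not Samba project code: a small Python check for the smb.conf points raised above ('security = share' being gone, 'ntlm auth' still permitting NTLMv1, and 'guest ok = yes' shares while 'map to guest' is left at 'never'). The function names and the abridged sample configuration are assumptions made for illustration.

```python
# Abridged copy of the smb.conf quoted earlier in this thread.
SAMPLE = """\
[global]
    workgroup = TECHNOLOGY
    security = user
    log file = /var/log/samba/%m.log
[printers]
    path = /usr/spool/samba
    guest ok = yes
[compartido]
    path = /Compartido
    guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """List settings the thread calls out as broken or insecure."""
    findings = []
    g = conf.get("global", {})
    if g.get("security", "").lower() == "share":
        findings.append("global: 'security = share' no longer exists")
    # 'yes' (alias ntlmv1-permitted) was the default before 4.7.0.
    if g.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("global: 'ntlm auth' still permits NTLMv1")
    map_to_guest = g.get("map to guest", "never").lower()
    for name, params in conf.items():
        guest = params.get("guest ok", "no").lower() in ("yes", "true", "1")
        if name != "global" and guest and map_to_guest == "never":
            findings.append(f"{name}: 'guest ok = yes' but 'map to guest' is 'never'")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print(finding)
```

Run against the sample, it reports the [printers] and [compartido] shares; adding 'map to guest = Bad User' to [global] clears both findings.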