On 08/07/2020 15:09, Enrico Morelli wrote:
> On Wed, 8 Jul 2020 14:43:06 +0100
> Rowland penny via samba <samba at lists.samba.org> wrote:
>
>> On 08/07/2020 14:39, Enrico Morelli wrote:
>>> On Wed, 8 Jul 2020 13:50:06 +0100
>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 08/07/2020 13:28, Enrico Morelli wrote:
>>>>> On Wed, 8 Jul 2020 11:36:50 +0100
>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 08/07/2020 09:57, Enrico Morelli wrote:
>>>>>>> On Wed, 8 Jul 2020 09:13:37 +0100
>>>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>> On 08/07/2020 08:06, Enrico Morelli wrote:
>>>>>>>>> On Wed, 1 Jul 2020 13:03:50 +0100
>>>>>>>>> Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>>
>>>>>>>>>> The problem from my point of view is, I cannot recreate the
>>>>>>>>>> crash. My feelings are that the OP hasn't set up the share
>>>>>>>>>> correctly, or hasn't mapped root to Administrator. I am
>>>>>>>>>> testing using a share on a raspberrypi and even if I change
>>>>>>>>>> the directory owner to 'pi', it does not crash Windows
>>>>>>>>>> explorer.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I followed the Samba guide to set up everything but a lot of
>>>>>>>>> things don't work for me.
>>>>>>>>> Now I'm able to create the share and set permissions (using
>>>>>>>>> the patch) but I'm unable to enter the Windows client with
>>>>>>>>> new users.
>>>>>>>> Enrico, please do not think I am trying to get at you, perhaps
>>>>>>>> I could have worded that better, but I just dashed off a reply.
>>>>>>>>
>>>>>>>> The problem is that I am not the one who has control of your
>>>>>>>> network and can only offer advice from a distance. As I said, I
>>>>>>>> cannot get the latest Win10 to crash and Windows has admitted
>>>>>>>> that this is their problem if it does crash.
>>>>>>> For the moment, as I wrote several times, the problem isn't the
>>>>>>> crash (that I solved with the patch) but the impossibility to
>>>>>>> log in to the Windows client with a new user created on the
>>>>>>> Samba server.
>>>>>>>> Can you please download this:
>>>>>>>>
>>>>>>>> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
>>>>>>>>
>>>>>>>> Run it on the Samba machine that you are trying to connect
>>>>>>>> Windows to and then post the output, do not attach it to the
>>>>>>>> post, this list strips attachments.
>>>>>>>>
>>>>>>>> Perhaps you have some small setting wrong :-(
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> This is the output of the script:
>>>>>>>
>>>>>>> Collected config --- 2020-07-08-10:53 -----------
>>>>>>>
>>>>>>> Hostname: fiorgen7
>>>>>>> DNS Domain: cerm.unifi.it
>>>>>>> FQDN: fiorgen7.cerm.unifi.it
>>>>>>> ipaddress: 150.217.146.76 2001:760:2c05:146:222:64ff:feb9:9a88
>>>>>>>
>>>>>>> -----------
>>>>>>>
>>>>>>> WARNING: kinit Administrator will fail and this needs to be
>>>>>>> fixed first. unable to verify DNS kerberos._tcp SRV records
>>>>>>>
>>>>>>> Server: 150.217.1.32
>>>>>>> Address: 150.217.1.32#53
>>>>>>>
>>>>>>> ** server can't find _kerberos._tcp.cerm.unifi.it: NXDOMAIN
>>>>>> That looks like a dns problem, try my attached version of the
>>>>>> script, it reports the above and carries on.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>
>>>>> I don't know, the DNS works fine. I'm able to resolve hostname and
>>>>> the reverse.
>>>> Please run the script I supplied, it will help to prove it, one way
>>>> or another ;-)
>>>>
>>>> Rowland
>>>>
>>> The output of the script I downloaded from github is what you see
>>> after Collect config.
>>>
>>> I hadn't found other scripts :-(
>>>
>>>
>> Strange, I attached it to an email to you, let's try again ;-)
>>
>> Rowland
>>
>>
> Config collected --- 2020-07-08-16:08 -----------
>
> Hostname: fiorgen7
> DNS Domain: cerm.unifi.it
> Realm: CERM.UNIFI.IT
> FQDN: fiorgen7.cerm.unifi.it
> ipaddress: 150.217.146.76 2001:760:2c05:146:222:64ff:feb9:9a88
>
> -----------
>
> This computer is running Debian 10.4 x86_64
>
> -----------
>
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>     inet6 ::1/128 scope host
> 2: enp63s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>     link/ether 00:22:64:b9:9a:88 brd ff:ff:ff:ff:ff:ff
>     inet 150.217.146.76/24 brd 150.217.146.255 scope global enp63s0
>     inet6 2001:760:2c05:146:222:64ff:feb9:9a88/64 scope global dynamic mngtmpaddr
>        valid_lft 2591994sec preferred_lft 604794sec
>     inet6 fe80::222:64ff:feb9:9a88/64 scope link
>
> -----------
>
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 127.0.1.1 fiorgen7.cerm.unifi.it fiorgen7
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> -----------
>
> Checking file: /etc/resolv.conf
>
> search cerm.unifi.it
> domain cerm.unifi.it
> nameserver 150.217.1.32
> nameserver 150.217.1.135
>
> -----------
>
> WARNING: 'kinit Administrator' will fail, you need to fix this.
> Unable to verify DNS kerberos._tcp SRV records
>
> -----------
>
> 'kinit Administrator' checked successfully.
>
> -----------
>
> Samba is running as an AD DC
>
> -----------
>
> Checking file: /etc/krb5.conf
>
> [libdefaults]
> default_realm = CERM.UNIFI.IT
> dns_lookup_realm = false
> dns_lookup_kdc = true
> [realms]
> CERM.UNIFI.IT = {
> kdc = fiorgen7.cerm.unifi.it
> admin_server = fiorgen7.cerm.unifi.it
> }
>
> -----------
>
> Checking file: /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: files systemd
> group: files systemd
> shadow: files
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> -----------
>
> Warning, does not exist
>
> -----------
>
> This DC is not being used as a fileserver
>
>
> BIND_DLZ not detected in smb.conf
>
> -----------
>
>
> Time on the DC with PDC Emulator role is: 2020-07-08T16:08:27
>
>
> Time on this computer is: 2020-07-08T16:08:29
>
>
> Time verified ok, within the allowed 300sec margin.
> Time offset is currently : 0 seconds
>
> -----------
>
> Installed packages:
> ii  acl                              2.2.53-4                  amd64  access control list - utilities
> ii  attr                             1:2.4.48-4                amd64  utilities for manipulating filesystem extended attributes
> ii  krb5-config                      2.6                       all    Configuration files for Kerberos Version 5
> ii  krb5-user                        1.17-3                    amd64  basic programs to authenticate using MIT Kerberos
> ii  libacl1:amd64                    2.2.53-4                  amd64  access control list - shared library
> ii  libattr1:amd64                   1:2.4.48-4                amd64  extended attribute handling - shared library
> ii  libgssapi-krb5-2:amd64           1.17-3                    amd64  MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                  1.17-3                    amd64  MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64            1.17-3                    amd64  MIT Kerberos runtime libraries - Support library
> ii  libnss-winbind:amd64             2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba nameservice integration plugins
> ii  libnss-winbind-dbgsym:amd64      2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for libnss-winbind
> ii  libpam-winbind:amd64             2:4.9.5+dfsg-5+deb10u1.1  amd64  Windows domain authentication integration plugin
> ii  libpam-winbind-dbgsym:amd64      2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for libpam-winbind
> ii  libsmbclient:amd64               2:4.9.5+dfsg-5+deb10u1.1  amd64  shared library for communication with SMB/CIFS servers
> ii  libsmbclient-dbgsym:amd64        2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for libsmbclient
> ii  libsmbclient-dev:amd64           2:4.9.5+dfsg-5+deb10u1.1  amd64  development files for libsmbclient
> ii  libwbclient-dev:amd64            2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba winbind client library - development files
> ii  libwbclient0:amd64               2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba winbind client library
> ii  python-samba                     2:4.9.5+dfsg-5+deb10u1.1  amd64  Python bindings for Samba
> ii  python-samba-dbgsym              2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for python-samba
> ii  python3-attr                     18.2.0-1                  all    Attributes without boilerplate (Python 3)
> ii  python3-xattr                    0.9.6-1                   amd64  module for manipulating filesystem extended attributes - Python 3
> ii  samba                            2:4.9.5+dfsg-5+deb10u1.1  amd64  SMB/CIFS file, print, and login server for Unix
> ii  samba-common                     2:4.9.5+dfsg-5+deb10u1.1  all    common files used by both the Samba server and client
> ii  samba-common-bin                 2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba common files used by both the server and the client
> ii  samba-common-bin-dbgsym          2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba-common-bin
> ii  samba-dbgsym                     2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba
> ii  samba-dev:amd64                  2:4.9.5+dfsg-5+deb10u1.1  amd64  tools for extending Samba
> ii  samba-dsdb-modules:amd64         2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba Directory Services Database
> ii  samba-dsdb-modules-dbgsym:amd64  2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba-dsdb-modules
> ii  samba-libs:amd64                 2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba core libraries
> ii  samba-libs-dbgsym:amd64          2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba-libs
> ii  samba-testsuite                  2:4.9.5+dfsg-5+deb10u1.1  amd64  test suite from Samba
> ii  samba-testsuite-dbgsym           2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba-testsuite
> ii  samba-vfs-modules:amd64          2:4.9.5+dfsg-5+deb10u1.1  amd64  Samba Virtual FileSystem plugins
> ii  samba-vfs-modules-dbgsym:amd64   2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for samba-vfs-modules
> ii  smbclient                        2:4.9.5+dfsg-5+deb10u1.1  amd64  command-line SMB/CIFS clients for Unix
> ii  smbclient-dbgsym                 2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for smbclient
> ii  winbind                          2:4.9.5+dfsg-5+deb10u1.1  amd64  service to resolve user and group information from Windows NT servers
> ii  winbind-dbgsym                   2:4.9.5+dfsg-5+deb10u1.1  amd64  debug symbols for winbind
> ii  xattr                            0.9.6-1                   amd64  tool for manipulating filesystem extended attributes
>
> -----------
>
>
Enrico, your dns appears to be borked, you are running Samba 4.9.5 as an
AD DC with what appears to be an IP of '150.217.146.76', but your
/etc/hosts contains this:

    127.0.0.1    localhost
    127.0.1.1    fiorgen7.cerm.unifi.it    fiorgen7
    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

This may be okay but I personally would turn off whatever requires the
'127.0.1.1' and then replace it with '150.217.146.76'

This is your /etc/resolv.conf:

    search cerm.unifi.it
    domain cerm.unifi.it
    nameserver 150.217.1.32
    nameserver 150.217.1.135

Remove the 'domain' line and replace '150.217.1.32' with
'150.217.146.76' (the DC's own ipaddress)

Remove these lines from /etc/krb5.conf:

    [realms]
        CERM.UNIFI.IT = {
            kdc = fiorgen7.cerm.unifi.it
            admin_server = fiorgen7.cerm.unifi.it
        }

The script could not find your smb.conf, can you please post its
contents and tell us where it is.

Rowland
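
The /etc/hosts and /etc/resolv.conf checks described in the reply above, written as a shell script. This is an added example, not part of the original thread and not the samba-collect-debug-info.sh script; the function names are hypothetical and the sample files are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, and the sample files are
# constructed from the hosts and resolv.conf contents quoted in the thread.

# Print each loopback address (127.x or ::1) that maps to the FQDN.
fqdn_loopback_entries() {  # $1 = hosts file, $2 = FQDN
    awk -v fqdn="$2" '
        { sub(/#.*/, "") }                       # strip comments
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == fqdn) print $1
        }' "$1"
}

# Print the first nameserver in a resolv.conf (the one queried first).
first_nameserver() {  # $1 = resolv.conf
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print one line per finding; the exit status is the number of findings.
check_dc_name_resolution() {  # $1 hosts, $2 resolv.conf, $3 FQDN, $4 DC IP
    findings=0
    for addr in $(fqdn_loopback_entries "$1" "$3"); do
        echo "hosts: $3 is mapped to loopback $addr, not $4"
        findings=$((findings + 1))
    done
    if grep -Eq '^[[:space:]]*domain[[:space:]]' "$2"; then
        echo "resolv.conf: 'domain' line present"
        findings=$((findings + 1))
    fi
    ns=$(first_nameserver "$2")
    if [ "$ns" != "$4" ]; then
        echo "resolv.conf: first nameserver is ${ns:-unset}, not the DC ($4)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input, copied from the values quoted in the thread.
write_samples() {  # $1 = directory to write hosts and resolv.conf into
    printf '%s\n' '127.0.0.1 localhost' \
        '127.0.1.1 fiorgen7.cerm.unifi.it fiorgen7' > "$1/hosts"
    printf '%s\n' 'search cerm.unifi.it' 'domain cerm.unifi.it' \
        'nameserver 150.217.1.32' 'nameserver 150.217.1.135' > "$1/resolv.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_dc_name_resolution "$tmp/hosts" "$tmp/resolv.conf" \
    fiorgen7.cerm.unifi.it 150.217.146.76 || echo "$? finding(s)"
rm -rf "$tmp"
```

On a real DC, pass /etc/hosts and /etc/resolv.conf with the DC's own FQDN and address; an exit status of 0 means none of the three conditions was found.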