William Kirstaedter
2022-Aug-31 10:05 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
@Ralph

I was referring to this line in the /var/log/samba/log.smbd on the AD Server:

[2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
  gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT

@Rowland

Well the hammer is not an option, my colleague would cut my head off :D he likes them for their resilience and these machines are really expensive...

@Louis / all

here's the extracted smb.conf which compiles from several templates:

root@wayland:~# cat /etc/samba/smb.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/samba/smb.conf.d/10global
#       /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
#       /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
#       /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
#       /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
#       /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
#       /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
#       /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
#       /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
#       /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
#       /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#

; ---------------------<10global>------------------------
[global]
        debug level     = 1
        logging         = file
        max log size    = 0

        netbios name    = wayland
        server role     = active directory domain controller
        name resolve order      = wins host bcast
        server string   = Univention Corporate Server
        server services = -dns -smb +s3fs -nbt
        server role check:inhibit = yes
        # use nmbd; to disable set samba4/service/nmb to s4
        nmbd_proxy_logon:cldap_server=127.0.0.1
        workgroup       = FHI
        realm           = FHI.MPG.DE

        tls enabled     = yes
        tls keyfile     = /etc/univention/ssl/wayland.fhi.mpg.de/private.key
        tls certfile    = /etc/univention/ssl/wayland.fhi.mpg.de/cert.pem
        tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
        tls verify peer = ca_and_name
        ldap server require strong auth = allow_sasl_over_tls
        dsdb:schema update allowed = no
        max open files = 32808
        interfaces      = lo ens192
        bind interfaces only    = yes
        server signing  = yes
        ntlm auth       = yes
        machine password timeout        = 0
        acl allow execute always = True
        kccsrv:samba_kcc = False

; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------

        debug hirestimestamp = yes
        debug pid = yes
; ---------------------</smb service configuration>----------------------

        ; idmap/winbind

        winbind separator = +
        template shell = /bin/bash
        template homedir = /home/%D-%U

        idmap config * : backend = tdb
        idmap config * : range = 300000-400000

        passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n *password*changed*

        obey pam restrictions = yes

        spoolss: architecture = Windows x64

        ; domain service lookup related settings
        preferred master = yes
        local master = yes
        domain master = yes
        wins support = yes

        ; miscellaneous settings, mostly for file services
        oplocks = yes
        large readwrite = yes
        read raw = yes
        write raw = yes
        max xmit = 65535
        acl:search = yes
        host msdfs = yes
        kernel oplocks = yes
        deadtime = 15
        getwd cache = yes
        wide links = no
        store dos attributes = yes
        max protocol = smb2
        client max protocol = smb2
        logon home = \\wayland\%U
        logon drive = I:
        logon path = \\wayland\%U\windows-profiles\%a
        preserve case = yes
        short preserve case = yes

        guest account = nobody
        map to guest = Bad User
        admin users = administrator join-backup

        usershare max shares = 0

; -----------------------------------------------------------------------------------------------------------
        include = /etc/samba/base.conf

        include = /etc/samba/shares.conf
        include = /etc/samba/printers.conf

        include = /etc/samba/local.config.conf

and the includes...:

base.conf

# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/samba/base.conf
#

[netlogon]
        comment = Domain logon service
        path = /var/lib/samba/sysvol/fhi.mpg.de/scripts
        public = no
        preserve case = yes
        case sensitive = no
        vfs objects = dfs_samba4 acl_xattr
        read only = no

[sysvol]
        path = /var/lib/samba/sysvol
        public = no
        preserve case = yes
        case sensitive = no
        vfs objects = dfs_samba4 acl_xattr
        read only = no
        acl xattr update mtime = yes

[homes]
        comment = Heimatverzeichnisse
        hide files = /windows-profiles/
        browsable = no
        read only = no
        create mask = 0700
        directory mask = 0700
        vfs objects = acl_xattr

[printers]
        comment = Drucker
        browseable = no
        path = /tmp
        printable = yes
        public = no
        writable = no
        create mode = 0700
        # use client driver = true
        # lpq command = lpstat -o %p
        # lprm command = cancel %p-%j
        # using windows printer drivers
        # print command = lpr -P %p -o raw %s -r
        # using cups drivers (PostScript on Windows)
        # print command = lpr -P %p %s

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        browseable = yes
        guest ok = no
        read only = no
        write list = root, Administrator, @Printer-Admins

------------------------------------------------------------------------------

share.conf (only used for login wallpaper)

[share]
path = /share
msdfs root = no
writeable = yes
browseable = yes
public = yes
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes

------------------------------------------------------------------------------

homedirs.conf (this should not be of interest since all homes are on the netapp)

[homedirs]
path = /home
msdfs root = no
writeable = yes
browseable = yes
public = no
dos filemode = no
hide unreadable = no
create mode = 0744
directory mode = 0755
force create mode = 00
force directory mode = 00
locking = 1
strict locking = Auto
oplocks = 1
level2 oplocks = 1
fake oplocks = 0
csc policy = manual
nt acl support = 1
inherit acls = 1
vfs objects = acl_xattr
inherit owner = no
inherit permissions = no
map acl inherit = yes

------------------------------------------------------------------------------

global.local.config.conf (this was their fix for a previous upgrade)

[global]
auth methods = sam winbind sam_ignoredomain
server require schannel:141.14.140.32 = no
server require schannel:141.14.143.33 = no
server require schannel:nap32.fhi.mpg.de = no
server require schannel:nap32.rz-berlin.mpg.de = no
server require schannel:nap33.fhi.mpg.de = no
server require schannel:nap33.rz-berlin.mpg.de = no
server schannel = yes

------------------------------------------------------------------------------

do you need more?

I can also put log level to 10 and post a link to that huge file if you want to read through that...

really thanks!

William Kirstaedter (PP&B) Fritz-Haber-Institut der MPG
Faradayweg 4-6 14195 Berlin
Tel: 030 8413 5405 Mail: kirstaedter at fhi-berlin.mpg.de

On 31.08.2022 at 11:32, L. van Belle via samba wrote:
> He needs to get the smb.conf from the Univention server and show it in the list.
> Only when we see that, we can give an estimate what's going on.
>
> Just like the Synology, I'm assuming Univention used "unsupported" settings..
> They work in lower samba version but the higher the samba version the more problems they will get.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba <samba-bounces at lists.samba.org> On behalf of Ralph Boehme via samba
>> Sent: Wednesday, 31 August 2022 10:31
>> To: William Kirstaedter <kirstaedter at fhi-berlin.mpg.de>; samba at lists.samba.org
>> Subject: Re: [Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
>>
>> On 8/30/22 17:12, William Kirstaedter via samba wrote:
>>> I'm now asking here because neither Univention nor Netapp seem to want
>>> to help since they both say that combination is not supported /
>>> recommended. no reasons given.
>> ouch, so you're sitting between the chairs. :/
>>
>> If you can share logs from the Samba DC and network traces of the SMB login
>> with the list, with a bit of luck someone has the time to look into them. But
>> given the complexity of the issue and that this is going to contain sensitive
>> data, I'm not sure community support is going to cut it.
>>
>> If you have the option, you could consider commercial support via:
>>
>> https://www.samba.org/samba/support/globalsupport.html
>>
>> Cheers!
>> -slow
>>
>> --
>> Ralph Boehme, Samba Team https://samba.org/
>> SerNet Samba Team Lead https://sernet.de/en/team-samba
L. van Belle
2022-Aug-31 11:13 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
I suggest 1 change to start with.
Look if you can change this from within Univention somewhere..

ntlm_auth = yes
to
ntlm auth = mschapv2-and-ntlmv2-only

Small steps in these changes since Univention has its own way of setting up things.

Few small things that might help a bit.

netbios name = wayland
to
netbios name = WAYLAND

And start using \\FQ.DN\share everywhere.

> logon home = \\wayland\%U
> logon drive = I:
> logon path = \\wayland\%U\windows-profiles\%a
to
> logon home = \\wayland.your.dnsdomain.tld\%U
> logon drive = I:
> logon path = \\wayland.your.dnsdomain.tld\%U\windows-profiles\%a

> max protocol = smb2
> client max protocol = smb2
To
> max protocol = smb3 # or remove this one.
> client max protocol = smb3 # or remove this one.
add if possible
client min protocol = smb2

Start with that, maybe Rowland has more but as said..
The setup is way out of the "normal" scope of settings.
Not your doing but how it's set up.

Greetz,

Louis
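The settings Louis's reply singles out can be checked mechanically before and after a change. This is an added example, not part of the thread and not Samba code: a small Python audit over smb.conf text, where `parse`, `audit` and the sample text are assumptions made here, and the notes restate the reply's suggestions plus a listing of the `server require schannel:` exceptions from local.config.conf.

```python
import re

# Constructed sample: [global] lines copied from the smb.conf and
# local.config.conf posted in this thread, trimmed to the settings discussed.
SAMPLE = r"""
; ---------------------<10global>------------------------
[global]
        netbios name    = wayland
        server role     = active directory domain controller
        server signing  = yes
        ntlm auth       = yes
        max protocol = smb2
        client max protocol = smb2
        logon home = \\wayland\%U
        logon path = \\wayland\%U\windows-profiles\%a
        server require schannel:141.14.140.32 = no
        server require schannel:nap32.fhi.mpg.de = no
        server schannel = yes
[share]
        path = /share
        public = yes
"""

# smb.conf(5) documents "max protocol" as a synonym of "server max protocol".
SYNONYMS = {"maxprotocol": "servermaxprotocol"}
NTLMV1_VALUES = {"yes", "true", "1", "ntlmv1-permitted"}
FALSE_VALUES = {"no", "false", "0"}


def parse(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are case-insensitive and whitespace inside them is
    irrelevant, so names are folded to lower case with spaces removed.
    'include =' lines are not followed (assumption: caller passes merged text).
    """
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        base, colon, option = name.partition(":")   # parametric "prefix:option"
        key = re.sub(r"\s+", "", base).lower()
        key = SYNONYMS.get(key, key) + colon + option.strip().lower()
        conf[section][key] = value.strip()
    return conf


def audit(text):
    """Return (parameter, value, note) tuples for the [global] settings above."""
    g = parse(text).get("global", {})
    out = []
    ntlm = g.get("ntlmauth")
    if ntlm is not None and ntlm.lower() in NTLMV1_VALUES:
        out.append(("ntlm auth", ntlm,
                    "NTLMv1 accepted; reply suggests mschapv2-and-ntlmv2-only"))
    for key, label in (("servermaxprotocol", "max protocol"),
                       ("clientmaxprotocol", "client max protocol")):
        value = g.get(key)
        if value is not None and value.lower() == "smb2":
            out.append((label, value, "capped at SMB2; reply suggests smb3 or removal"))
    if "clientminprotocol" not in g:
        out.append(("client min protocol", None, "not set; reply suggests smb2"))
    for key, label in (("logonhome", "logon home"), ("logonpath", "logon path")):
        value = g.get(key, "")
        host = re.match(r"\\\\([^\\]+)\\", value)    # \\host\ at start of a UNC path
        if host and "." not in host.group(1):
            out.append((label, value, "short host name; reply suggests the FQDN"))
    for key, value in g.items():
        if key.startswith("serverrequireschannel:") and value.lower() in FALSE_VALUES:
            out.append(("server require schannel:" + key.split(":", 1)[1], value,
                        "per-machine schannel exception; confirm it is still needed"))
    return out


if __name__ == "__main__":
    for name, value, note in audit(SAMPLE):
        print(f"{name} = {value!r}: {note}")
```
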
Rowland Penny
2022-Aug-31 11:21 UTC
[Samba] upgrade from samba 4.13 to 4.16 broke CIFS Server Authentication
On Wed, 2022-08-31 at 12:05 +0200, William Kirstaedter wrote:
> @Ralph
>
> I was referring to this line in the /var/log/samba/log.smbd on the AD Server:
>
> [2022/08/30 17:11:39.808445,  1, pid=8018] ../../auth/gensec/spnego.c:1341(gensec_spnego_server_negTokenInit_step)
>   gensec_spnego_server_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
>
> @Rowland
>
> Well the hammer is not an option, my colleague would cut my head off :D
> he likes them for their resilience and these machines are really expensive...

They become really expensive if they do not work with Samba and most of your computers use Samba. If I was considering buying some piece of computer equipment, one of my questions would be, 'does this work with open source programs such as Samba ?'. If the answer was no, I wouldn't buy it.

> @Louis / all
>
> here's the extracted smb.conf which compiles from several templates:

That is quite possibly the WORST smb.conf that I have ever seen, lots of default settings (I can sort of understand that), but there are things that shouldn't be set on a DC (never mind that you really shouldn't be using a DC as a fileserver). Why on Earth is nmbd being used ????

> do you need more?
>
> I can also put log level to 10 and post a link to that huge file if you want to read through that...
>
> really thanks!

As Ralph has said, network traces might help and level 10 logs (sanitised) never hurt.

Rowland