Rowland Penny
2023-Dec-15 09:20 UTC
[Samba] Joining Windows 10 Domain Member to Samba AD/DC
On Fri, 15 Dec 2023 02:36:33 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:
> On Thu Dec 14 22:49:33 2023 Mark Foley via samba
> <samba at lists.samba.org> wrote:
> >
> > On Thu Dec 14 19:27:29 2023 Matt Savin <matt at tegers.com> wrote:
> > >

I do not know who 'Matt Savin' is, but would he please reply to the list and not directly to the OP, it is awfully hard to follow a thread when you are only getting half of the conversation ;-)

The nameserver that any AD client uses must be able to resolve the AD zones, that is, if you ask it for a DC's record, it can return it. If your Windows clients are pointing at a nameserver that doesn't know where your AD nameservers are, it will return NXDOMAIN.

There are two ways around this: you set your external nameserver to forward all requests for your AD domain to a DC, or you use a DC as your Windows clients' nameserver.

Rowland
Mark Foley
2023-Dec-16 20:48 UTC
[Samba] Samba share not quite working on Domain Controller
I don't know if this is a Windows, Linux or Samba problem. I've posted this issue to both Windows and Linux forums, but no one seems to have any idea so far.

Note that this works on my current/old DC version 4.8.2 provisioned with BIND9_FLATFILE. The "new" DC is version 4.18.8 provisioned with SAMBA_INTERNAL. I don't know if this matters or not. My smb.conf is:
[global]
dns forwarder = 192.168.0.1
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
workgroup = HPRS
idmap_ldb:use rfc2307 = yes
interfaces = lo, eth0
bind interfaces only = Yes
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/hprs.locl/scripts
read only = No
All but the [Users] section was auto-generated by the provision command. Yes, I know putting a share on the DC is not recommended, but I've used that for the redirected folders on the old DC for the past 10 years and, although not recommended, it's not actually "forbidden".

I have successfully joined a Windows 10 workstation as a domain member. In Windows Explorer (as DC Administrator), I can open the share with \\dc1.hprs.locl, and I see my folders. The folder in question is 'Users'. I can put files into that folder from Windows, no problem. However, if I right-click on 'Users > Properties > Security', Explorer crashes. This does not happen doing the same thing on the other two folders (sysvol and netlogon). I find nothing in the Linux log files. The Windows event log gives:
-----------------------
- System
- Provider
[ Name] Windows Error Reporting
- EventID 1001
[ Qualifiers] 0
Version 0
Level 4
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2023-12-16T17:11:01.0393392Z
EventRecordID 86110
Correlation
- Execution
[ ProcessID] 0
[ ThreadID] 0
Channel Application
Computer doris.hprs.locl
Security
- EventData
1935668344092221582
4
APPCRASH
Not available
0
explorer.exe
10.0.19041.3758
bf79d152
StackHash_7047
10.0.19041.3636
9b64aa6f
c0000374
PCH_BD_FROM_ntdll+0x000000000009DB34
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERF6C4.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_explorer.exe_d4d12b826a305761b6bd859c52427f8942c15b2_6609badb_bc335dbb-a943-4c33-8a8f-e3db68dd5f27
0
4f823e91-a71f-49cd-93c3-351731eb5759
268435456
f22130602afd3cca5adce01a7495e08e
0
-----------------------
Permissions on the DC share are:
-----------------------
# ls -l -R /redirectedFolders/
/redirectedFolders/:
total 4
drwxrwxr-x 2 root root 4096 2023-12-16 11:47 Users/
/redirectedFolders/Users:
total 8
-rwxrwxr-x+ 1 3000000 users 17 2023-12-16 11:47 testing.txt*
-----------------------
Note that the testing.txt file is one I created from the Windows computer, so it
would appear at least write permissions exist.
Any idea what's up with this?
Thanks --Mark
I've moved my new DC from one location to another test location within the office where it will be deployed. The new test location connects to subnet 192.168.0.1 rather than 192.168.0 as I used when doing the initial setup. I've been going through the wiki verifying zones, rDNS, etc. On the A record test I get:

# host -t A dc1.hprs.locl
dc1.hprs.locl has address 192.168.0.2
dc1.hprs.locl has address 24.142.169.13
dc1.hprs.locl has address 192.168.0.126
dc1.hprs.locl has address 192.168.1.60

The first 3 of these are wrong/obsolete. The /etc/hosts file has the last entry (1.60) which is correct. My DNS backend is Samba Internal. How do I remove these other A records?

Thanks --Mark
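As an added example (not code from either poster), the following script ties together Rowland's point about the client's nameserver having to answer the DC locator query and Mark's question about obsolete A records on the SAMBA_INTERNAL backend: it parses `host` output, flags a nameserver that returns NXDOMAIN for the `_msdcs` SRV record, and prints (but does not run) the `samba-tool dns delete` commands for every A record that is not the expected address. The realm, DC name and sample addresses are taken from the posts; the expected address 192.168.1.60 and the use of `-U Administrator` are assumptions.

```shell
#!/bin/sh
# AD DNS audit helper (added example, not from the Samba posts).
REALM="hprs.locl"                     # realm from the posts
DC_FQDN="dc1.hprs.locl"               # DC hostname from the posts
DC_SHORT="${DC_FQDN%%.*}"             # "dc1", the record name in the zone

# Constructed sample: the `host -t A dc1.hprs.locl` output Mark posted.
SAMPLE_A_OUTPUT='dc1.hprs.locl has address 192.168.0.2
dc1.hprs.locl has address 24.142.169.13
dc1.hprs.locl has address 192.168.0.126
dc1.hprs.locl has address 192.168.1.60'

# Reads `host -t SRV _ldap._tcp.dc._msdcs.<realm> <nameserver>` output on
# stdin. Returns 0 only if an SRV record came back; a nameserver that
# answers NXDOMAIN here cannot locate a DC for any AD client.
dc_locator_resolvable() {
    grep -q 'has SRV record'
}

# Reads `host -t A <dc>` output on stdin and prints every address that is
# not the expected one, i.e. the obsolete records that should be deleted.
stale_a_records() {
    awk -v want="$1" '$2 == "has" && $3 == "address" && $4 != want { print $4 }'
}

# Turns a list of stale addresses (one per line on stdin) into the
# samba-tool commands that remove them from the internal DNS zone.
# Run the printed commands on the DC; nothing is executed here.
delete_commands() {
    while read -r ip; do
        printf 'samba-tool dns delete %s %s %s A %s -U Administrator\n' \
            "$DC_FQDN" "$REALM" "$DC_SHORT" "$ip"
    done
}

# Offline demonstration on the embedded sample (expected address assumed).
printf '%s\n' "$SAMPLE_A_OUTPUT" | stale_a_records 192.168.1.60 | delete_commands

# Live usage (needs network access to the nameserver / DC):
#   host -t SRV "_ldap._tcp.dc._msdcs.$REALM" "$CLIENT_NAMESERVER" | dc_locator_resolvable \
#       && echo "DC locator OK" || echo "nameserver cannot locate a DC (NXDOMAIN)"
#   host -t A "$DC_FQDN" | stale_a_records 192.168.1.60 | delete_commands
```

After deleting the stale records, re-run the A lookup against the DC itself (`host -t A dc1.hprs.locl 127.0.0.1`) and check that the PTR zone has no matching leftovers.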