It looks like I'm having a serious problem with passwords and domain credentials.

After joining the office Windows workstations as domain members to the new AD, I used ADUC to set everyone's password to some value so I could verify their apps got updated when logging in. After doing that, I again used ADUC to check the box requiring everyone to change their password when logging in.

The next day when users arrived, they got the message to change their password, but the system would not accept the new password. I had to go back into ADUC and un-set that checkbox. Then users could log in with the password I had set and change it with Ctrl-Alt-DEL.

As an additional experiment, I used samba-tool to set one of the users to have his password expire in two days. Which it did today. He got no message leading up to this telling him his password was about to expire, as used to happen, but it did expire today and prevented him from logging in at all, and did not prompt him to set a new password.

I went to ADUC and set his profile to never expire the password, then set the password itself to some values. He still could not log in.

I then used samba-tool to set his password. He could not and still cannot log in.

What's up here? This user is now completely unable to log into his workstation at all, nor can it be logged into remotely. The RDC dialog says "credentials failed". As admin I don't seem to have the ability to let him in. I am concerned as to what will happen when the other users' password time limit expires.

The Windows workstations are the exact same ones that were connected to the previous Samba 4.8.2 domain. All that has changed is they have been unjoined then rejoined to the new 4.8.19 domain.

Any ideas?

--Mark
Mark Foley
2024-Jan-26 20:14 UTC
[Samba] Samba file server share sets Windows Hidden attribute
I'm having a very odd problem. I have a domain member running Samba 4.18.9,
just installed last weekend. It is a file server for the office who use
Windows 10 and have a "drive" mapped to this host.
When users scan/append to existing PDF files on this mapped drive, they
disappear. Viewed on Windows, the H (hidden attribute) gets set. The user can
scan a new file to their mapped drive and it is visible. The user can
alternatively scan/append/save this modified file to their Desktop, then copy it
back (overwrite) it on the Samba share and it is visible.
Here's the odd thing, scan/appending to their Desktop works, but the Desktop
is also a Samba share on another host, the DC! Same Samba version.
The smb.conf on the domain member (where the problem is):
=========================
[global]
max log size = 10000
realm = HPRS.LOCAL
security = ADS
server role = member server
server string = HPRS NAS server
template homedir = /home/%U
template shell = /bin/bash
workgroup = HPRS
idmap config hprs : range = 10000-999999
idmap config hprs : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
vfs objects = acl_xattr
map acl inherit = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
usershare allow guests = Yes
usershare max shares = 10
[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public
hide files = /Outlook/outlook/~*/
readonly = no
locking = yes
public = yes
printable = no
create mask = 0660
force user = user
force group = group
force create mode = 0660
directory mask = 2771
==========================
Other than the new 'vfs objects = acl_xattr' and 'map acl inherit = yes', the
stuff in [public] is unchanged from before the Samba upgrade. In addition to
setting the Windows 'H' attribute on appended scanned PDF, new files of any
kind (.pdf, .docx, ...) are created with permission 0771, not 0660, as
prescribed in the smb.conf.
The smb.conf on the DC defining the Desktop is:
========================
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
=======================
In addition, the \\mail.hprs.local\Users has:
CREATOR OWNER:Full control:Subfolders and files only
Domain Admins:Full control:This folder, subfolders and files
Authenticated Users:Traverse Folder/Execute file,List folder/read data,Read Attributes, Create folders/append data:This folder only
SYSTEM:Full Control:This folder, subfolders and files
In summary, users scanning/appending to PDF files on domain member share:
[public] end up with the files set to Windows attribute Hidden. The Linux
attributes are set to 0771, not 0660 as prescribed in the smb.conf.
Users scanning/appending to PDF files on their Desktop on domain controller
share: [Users] end up with the file NOT hidden, and the Linux permissions
set to 0770.
Creating new files of any type have no problem with the hidden attribute.
Scanning/appending personnel files is the main task of employees at this
organization, so this is really a problem!
Why is this happening and how do I fix it?
Thanks --Mark
On Wed, 2024-01-24 at 16:02 -0500, Mark Foley via samba wrote:
> It looks like I'm having a serious problem with passwords and domain
> credentials.
>
> After joining the office Windows workstations as domain members to
> the new AD, I used ADUC to set everyone's password to some value so I
> could verify their apps got updated when logging in. After doing
> that, I again used ADUC to check the box requiring everyone to change
> their password when logging in.
>
> The next day when users arrived, they got the message to change their
> password, but the system would not accept the new password. I had to
> go back into ADUC and un-set that checkbox. Then users could log in
> with the password I had set and change it with Ctrl-Alt-DEL.
>
> As an additional experiment, I used samba-tool to set one of the
> users to have his password expire in two days. Which it did
> today. He got no message leading up to this telling him his password
> was about to expire, as used to happen, but it did expire today and
> prevented him from logging in at all, and did not prompt him to set a
> new password.
>
> I went to ADUC and set his profile to never expire the password, then
> set the password itself to some values. He still could not log in.
>
> I then used samba-tool to set his password. He could not and still
> cannot log in.
>
> What's up here? This user is now completely unable to log into his
> workstation at all, nor can it be logged into remotely. The RDC
> dialog says "credentials failed". As admin I don't seem to have the
> ability to let him in. I am concerned as to what will happen when the
> other users' password time limit expires.
>
> The Windows workstations are the exact same ones that were connected
> to the previous Samba 4.8.2 domain. All that has changed is they have
> been unjoined then rejoined to the new 4.8.19 domain.

Is this a Samba 4.19 domain? Can you clarify the version?

What is in the server logs?

This is meant to work, and we do have tests for this area, but perhaps something hasn't been covered.

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Hello! On that day Mark Foley via samba wrote...

> The next day when users arrived, they got the message to change their password,
> but the system would not accept the new password. I had to go back into ADUC
> and un-set that checkbox. Then users could log in with the password I had set
> and change it with Ctrl-Alt-DEL.

This is effectively strange.

> As an additional experiment, I used samba-tool to set one of the users to have
> his password expire in two days. Which it did today. He got no message leading
> up to this telling him his password was about to expire, as used to happen, but
> it did expire today and prevented him from logging in at all, and did not prompt
> him to set a new password.

This is normal. You have set 'account expiration', not 'password expiration'.

Password expiration gets set via policy (GPO for client, passwordpolicy for samba).

--
Your den is up in the hills, Dr. Dobermann,
six million per square metre,
and your wife really looks like a queen,
but she is the wife of a thief. (F. De Gregori)
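
The distinction drawn in the last reply, between account expiration and password expiration, shown as an added example that is not part of the original thread: a simplified classifier over the standard AD attributes `accountExpires`, `pwdLastSet`, `userAccountControl` and the domain's `maxPwdAge`. Those attribute names do not appear in the thread, and the sample records, the evaluation time and the 42-day maximum age are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "never"
NO_AGEING = (0, -2**63)                   # maxPwdAge values meaning "no limit"
UF_DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl flag

def to_dt(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def to_ticks(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def logon_state(user, max_pwd_age, now):
    """Classify one user record (simplified model, not Samba's own code)."""
    # Account expiry: logon is refused outright, with no password-change prompt.
    exp = user["accountExpires"]
    if exp not in NEVER_EXPIRES and to_dt(exp) <= now:
        return "account-expired"
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return "ok"
    # pwdLastSet == 0 is the "must change password at next logon" checkbox.
    if user["pwdLastSet"] == 0:
        return "password-must-change"
    if max_pwd_age in NO_AGEING:
        return "ok"
    # maxPwdAge comes from the domain password policy as a negative tick count.
    expires = to_dt(user["pwdLastSet"]) + timedelta(microseconds=-max_pwd_age // 10)
    return "password-expired" if expires <= now else "ok"

# Constructed sample data: evaluation time, 42-day policy, four user records.
NOW = datetime(2024, 1, 26, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10_000_000
def rec(acct_exp, pwd_set, uac=0x200):    # 0x200 = normal account
    return {"accountExpires": acct_exp, "pwdLastSet": pwd_set, "userAccountControl": uac}

USERS = {
    "acct_expired": rec(to_ticks(NOW - timedelta(days=1)), to_ticks(NOW - timedelta(days=2))),
    "must_change": rec(0, 0),
    "old_password": rec(0x7FFFFFFFFFFFFFFF, to_ticks(NOW - timedelta(days=60))),
    "exempt": rec(0, to_ticks(NOW - timedelta(days=60)), 0x200 | UF_DONT_EXPIRE_PASSWD),
}

def classify_all():
    return {name: logon_state(u, MAX_PWD_AGE, NOW) for name, u in USERS.items()}

if __name__ == "__main__":
    print(classify_all())
```

Only the two password states lead to a change-password prompt at logon; an expired account is rejected before that point, which matches the behaviour described for the user whose expiry was set with samba-tool.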