On Fri, 4 Oct 2024 10:11:37 +0200 Emmanuel Florac <eflorac at intellique.com> wrote:

> On Thu, 3 Oct 2024 21:35:04 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > > Yes, I mean Windows 11 or Windows Server 2022 machines that are
> > > registered into the AD. A Win11 PC which isn't AD-connected (but
> > > in the same IP network) can connect just fine using the server IP
> > > address and credentials from one of the domain user accounts.
> >
> > Ah, start upgrading ;-)
> >
> > There was a problem with win11 and a date problem, this has been
> > fixed in a later version (cannot just remember which version).
> > Using the IP uses RPC which works.
>
> OK, I'll try first the 4.17 version from the backports, and if it's
> not enough I'll upgrade to 4.20.

I would upgrade to bookworm with Samba from backports, but it's your
domain ;-)

> Do you recommend a different configuration maybe ? As I'm about to
> overhaul the whole setup :)

Your smb.conf looks okay, but you might want to read 'man smb.conf',
you don't really need some of the parameters (defaults etc).

Rowland

On Fri, 4 Oct 2024 09:27:12 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > OK, I'll try first the 4.17 version from the backports, and if it's
> > not enough I'll upgrade to 4.20.
>
> I would upgrade to bookworm with Samba from backports, but it's your
> domain ;-)

I've just upgraded to bookworm, I'll check how it goes with 4.17 and if
it still doesn't work, I'll try the 4.20 from backports.

-- 
Emmanuel Florac | Direction technique
https://intellique.com
+33 6 16 30 15 95

On Fri, 4 Oct 2024 09:27:12 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > OK, I'll try first the 4.17 version from the backports, and if it's
> > not enough I'll upgrade to 4.20.
>
> I would upgrade to bookworm with Samba from backports, but it's your
> domain ;-)

Well I've upgraded up to 4.20, but no dice :( No machine from within the

Here is the output from testparm -s, and winbind seems happy as a clam
too:

~# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	disable spoolss = Yes
	domain master = No
	host msdfs = No
	kerberos method = secrets and keytab
	load printers = No
	local master = No
	map to guest = Bad User
	preferred master = No
	printcap name = /dev/null
	realm = EXAMPLE.LAN
	reset on zero vc = Yes
	security = ADS
	server string = Data %h
	smb1 unix extensions = No
	template homedir = /home/EXAMPLE/%U
	template shell = /bin/bash
	username map = /etc/samba/user.map
	winbind expand groups = 4
	winbind normalize names = Yes
	winbind nss info = rfc2307
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = EXAMPLE
	idmap config example : range = 10000-999999
	idmap config example : backend = rid
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	hide unreadable = Yes
	map acl inherit = Yes
	printing = bsd
	veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
	vfs objects = acl_xattr

[RAID]
	path = /mnt/raid
	read only = No

~# systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
     Loaded: loaded (/lib/systemd/system/winbind.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-10-04 13:05:45 UTC; 3s ago
       Docs: man:winbindd(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 5677 ExecCondition=/usr/share/samba/is-configured winbind (code=exited, status=0/SUCCESS)
   Main PID: 5679 (winbindd)
     Status: "winbindd: ready to serve connections..."
      Tasks: 5 (limit: 154370)
     Memory: 13.0M
        CPU: 671ms
     CGroup: /system.slice/winbind.service
             ├─5679 /usr/sbin/winbindd --foreground --no-process-group
             ├─5682 "winbindd: domain child [SERVER-2]"
             ├─5683 "winbindd: domain child [EXAMPLE]"
             ├─5685 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0
             └─5695 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=3 --worker-index=5 --debuglevel=0

Oct 04 13:05:45 SERVER-2 winbindd[5679]: [2024/10/04 13:05:45.154727, 0] source3/winbindd/winbindd.c:1450(main)
Oct 04 13:05:45 SERVER-2 winbindd[5679]: winbindd version 4.20.5-Debian-4.20.5+dfsg-1~bpo12+1 started.
Oct 04 13:05:45 SERVER-2 winbindd[5679]: Copyright Andrew Tridgell and the Samba Team 1992-2024
Oct 04 13:05:45 SERVER-2 systemd[1]: Started winbind.service - Samba Winbind Daemon.
Oct 04 13:05:45 SERVER-2 samba-dcerpcd[5685]: [2024/10/04 13:05:45.228787, 0] source3/rpc_server/rpc_host.c:2905(main)
Oct 04 13:05:45 SERVER-2 samba-dcerpcd[5685]: samba-dcerpcd version 4.20.5-Debian-4.20.5+dfsg-1~bpo12+1 started.
Oct 04 13:05:45 SERVER-2 samba-dcerpcd[5685]: Copyright Andrew Tridgell and the Samba Team 1992-2024
Oct 04 13:05:45 SERVER-2 rpcd_lsad[5695]: [2024/10/04 13:05:45.338125, 0] source3/rpc_server/rpc_worker.c:1155(rpc_worker_main)
Oct 04 13:05:45 SERVER-2 rpcd_lsad[5695]: rpcd_lsad version 4.20.5-Debian-4.20.5+dfsg-1~bpo12+1 started.
Oct 04 13:05:45 SERVER-2 rpcd_lsad[5695]: Copyright Andrew Tridgell and the Samba Team 1992-2024

-- 
Emmanuel Florac | Direction technique
https://intellique.com

On Fri, 4 Oct 2024 09:27:12 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Do you recommend a different configuration maybe ? As I'm about to
> > overhaul the whole setup :)
>
> Your smb.conf looks okay, but you might want to read 'man smb.conf',
> you don't really need some of the parameters (defaults etc).

Well finally there was no problem from the Windows side, and actually it
would probably work just fine with Samba 4.13 or 4.17. The main problem
was that I had mapped the domain Administrator to root (uid 0) in the
user.map, so I had to add

min domain uid = 0

in smb.conf, and all was fine from there.

This is a particularly tricky one, because there isn't any clear error
message either on Windows or in the Samba logs. What made me find the
source of the problem was using "net use \\server\share", which at last
gave me a message that I could search for:

NT_STATUS_INVALID_TOKEN

Geez, that one was pretty tough.

-- 
Emmanuel Florac | Direction technique
https://intellique.com
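
Added example, not part of the original thread and not Samba's own code: a check for the condition described in the last message, where a username map entry points a domain account at a local account whose uid is below `min domain uid` (smb.conf default 1000 when unset). The function names, the sample smb.conf, the map contents and the uid table are constructed for illustration, and section headers in smb.conf are ignored for simplicity.

```python
import re

DEFAULT_MIN_DOMAIN_UID = 1000  # smb.conf(5) default when the option is unset


def min_domain_uid(smb_conf: str) -> int:
    """Effective 'min domain uid'; parameter names ignore case and spacing."""
    value = DEFAULT_MIN_DOMAIN_UID
    for line in smb_conf.splitlines():
        m = re.match(r"\s*min\s*domain\s*uid\s*=\s*(\d+)\s*$", line, re.I)
        if m:
            value = int(m.group(1))  # the last occurrence in the text is used
    return value


def parse_username_map(text: str):
    """Yield (unix_name, [windows_names]) from 'unix = win1 "win 2"' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or not a mapping
        unix, _, wins = line.partition("=")
        names = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', wins)]
        yield unix.strip().lstrip("!").strip(), names


def mappings_below_min_uid(smb_conf: str, user_map: str, local_uids: dict) -> list:
    """Return (unix_name, uid, windows_name) where uid < 'min domain uid'."""
    limit = min_domain_uid(smb_conf)
    found = []
    for unix, wins in parse_username_map(user_map):
        uid = local_uids.get(unix)
        if uid is not None and uid < limit:
            found.extend((unix, uid, win) for win in wins)
    return found


# Constructed sample data (not the thread's real files).
SMB_CONF = "[global]\n\tsecurity = ADS\n\tusername map = /etc/samba/user.map\n"
USER_MAP = '!root = EXAMPLE\\Administrator\n# comment\nalice = "EXAMPLE\\Alice Smith"\n'
LOCAL_UIDS = {"root": 0, "alice": 10500}  # on a live host: pwd.getpwnam(name).pw_uid

if __name__ == "__main__":
    for unix, uid, win in mappings_below_min_uid(SMB_CONF, USER_MAP, LOCAL_UIDS):
        print(f"{win} -> {unix} (uid {uid}) is below min domain uid")
```

Run against the sample data, the Administrator-to-root entry is reported; appending `min domain uid = 0` to the configuration text clears the finding.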