Web lists-archives.com

Re: [Samba] Using GPO to mount shares on Linux




Hello, I answer bellow.

Thanks!!

2017-10-24 16:52 GMT+02:00 L.P.H. van Belle via samba <samba@xxxxxxxxxxxxxxx
>:

> Hai,
>
> I did a re-read of you thread.
>
> First.
> If you use smblcient, with a samba installed, use -s
> /path/alternative/smbclient.conf
>

I think that Samba is not installed on this client because I'm not using
samba to join the domain. Just realmd, sssd and Kerberos. That's why
there's no smb.conf file.


>
> If i did read it correct.
> Your connecting from  xUbuntu (samba version ??) to (debian8) samba 4.2
> member
>
> How did you join the xUbuntu?
> https://docs.pagure.org/SSSD.sssd/users/ad_provider.html
> Like this setup? ^^^
>

Now I don't know the samba version of the client because I cannot access to
the computer, but looks like is the 4.5 version (xUbuntu 16.04 repository).

I've used this guide:
https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/



>
> > This setup is working as expected (some windows bugs hide
> > network drives, but is not samba problem).
> Not a windows bug, but probely a ACL problem on sysvol, check windows
> event logs.
> Works fine here since samba 4.2 DC's.
>

This time looks like a bug in Windows Explorer, because I've already
checked all:

   - sysvol ACL
   - GPO
   - Clients have access to GPO files
   - gpresult shows like all GPO are applied and all drives mounted
   - There's no info about the problem on event log
   - I can access all drives from CMD
   - When I try to mount the drive manually using connect on explorer I can
   see all mounted on drives list
   - I cannot mount the drive until I umount the drives using cmd
   - The problem is not always on the same drives and even sometimes all
   drives are working
   - The option to set the drive as visible in GPO is enabled
   - The problem only happens on 2 computers of about 15 that have joined
   the domain.
   - ...

Anyway, this don't care because I've already asked it on other thread ;)



>
> Now, i can only give a few advices.
> 1) upgrade the debian jessie to debian stretch, and start with samba
> 4.5.12 from debian.
> 2) tell us the xUbuntu version and the samba (smbclient) version
>

I can't do this... I had problems with the old server after upgrade Debian
to stretch, because I use xen with a Windows guest and the xen version
provided by Stretch just have a memory leak running Windows guests. The
process starts to consume memory and when host server is full the guest
machines dies...

Maybe one day I'll try to compile a newer version.


>
> If i recall correct..
> Sssd lower then 1.12 my have problems, but as Rowland also said,
> I (we) know nothing about sssd here, except what i google.
> If you did not read this one, please do.
> https://jhrozek.wordpress.com/2015/08/19/performance-tuning-
> sssd-for-large-ipa-ad-trust-deployments/
> I dont know it it helps, but it shows some good settings and its good
> explained.
> And if you get it working, please share the solution.  ;-)
>

I'm not sure about the version but I think that is higher, because I've
read about problems on sssd prior to a version and I've already checked it.

Thanks for the links. I'll take a look because all info is welcome.


>
> Greetz,
>
> Louis
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> > Daniel Carrasco via samba
> > Verzonden: dinsdag 24 oktober 2017 15:42
> > Aan: Rowland Penny
> > CC: samba@xxxxxxxxxxxxxxx
> > Onderwerp: Re: [Samba] Using GPO to mount shares on Linux
> >
> > Hello,
> >
> > My actual setup is:
> >
> >    - 2 Domain Controller using Samba 4.7 stable (synced)
> >    - Multiple Windows Workstations that has joined the Domain without
> >    problem
> >    - 1 Linux server using Debian 8 with Samba 4.2 as Member
> > Server joined
> >    also to that Domain
> >
> > This setup is working as expected (some windows bugs hide
> > network drives,
> > but is not samba problem). All workstations are able to login
> > with domain
> > credentials, and connect to shared drives on Linux server
> > (managed by GPO
> > and ACL).
> >
> > Now I've an xUbuntu workstation that I want to join to that
> > Domain and I've
> > used realm and sssd to the job. The basic setup works fine and:
> >
> >    - I'm able to login with domain users credentials into the linux
> >    workstation
> >    - I can get the domain data like for example users and
> > groups, and even
> >    use domain data to manage autofs
> >    - I can mount shares stored on a DC using Kerberos authentication
> >    - I can connect to shares using smbclient using Kerberos
> > authentication
> >
> > My problem comes when I try to mount o connect to a share
> > that is on Member
> > server from the xUbuntu workstation, that give me the errors
> > I've commented
> > before. After your comments and research about SPN on google
> > I think that
> > maybe is the problem, but for now I'm not able to test it.
> >
> > Greetings!!
> >
> > 2017-10-24 14:40 GMT+02:00 Rowland Penny via samba
> > <samba@xxxxxxxxxxxxxxx>:
> >
> > > On Tue, 24 Oct 2017 14:11:15 +0200
> > > Daniel Carrasco <d.carrasco@xxxxxxxxx> wrote:
> > >
> > > > Thanks Rowland.
> > > >
> > > > I'll give a try to both things (WG and SPN).
> > > >
> > > > To be honest, I ask here because the sssd daemon is working as
> > > > expected allowing the authentication of the machine to the domain,
> > > > and the real problem is that I'm not able to access to a
> > shared drive
> > > > using a Kerberos authentication (cifs and smbclient) and
> > i've thought
> > > > that maybe was a misconfiguration on member server (because works
> > > > fine with domain server), and this server is configured as Samba4
> > > > member server without sssd.
> > > >
> > >
> > > Sorry, but I don't understand what you are trying to say.
> > > Do you mean that it works on a Unix domain member against a
> > Samba AD DC
> > > and the Unix domain member isn't using sssd ?
> > > Or do you mean something else, if so, please explain your set up.
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
> >
> >
> >
> > --
> > _________________________________________
> >
> >       Daniel Carrasco Marín
> >       Ingeniería para la Innovación i2TIC, S.L.
> >       Tlf:  +34 911 12 32 84 Ext: 223
> >       www.i2tic.com
> > _________________________________________
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba