
Re: [Samba] User Permissions issue

Hi Harsh,

Thanks for your advice; I will not use these wordings here.

thanks!

Please check the result below when I run the command on DC-1 with
DC-2 off or on:
smbclient -k //IUMSVRAPP01/Pastel12 -d 9
> ...
session setup failed: NT_STATUS_INVALID_PARAMETER_MIX

Looking at this message, I would start by doing some cleanup of your smb.conf. I would trim it like below:

*Here is the smb.conf dump from DC-1:*
# Global parameters
[global]
         workgroup = IUMNET
         realm = IUMNET.EDU.NA
         netbios name = IUMDCDP01
         server role = active directory domain controller
         dns forwarder = 172.16.10.254
         allow dns updates = nonsecure and secure
         ntlm auth = yes
         client use spnego = no
         client ldap sasl wrapping = sign
         ldap server require strong auth = no
         full_audit:prefix = %u|%I|%m|%S
         full_audit:failure = connect
         full_audit:success = connect disconnect
         log level = 9 dns:0

[netlogon]
         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
         read only = No
         browsable = no

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good for larger sites (looking at your DNS domain name, I guess it might be a university). You can take a look here [1].

And I wouldn't store anything other than AD stuff on an AD, like below:

[softshare]
       path = /home/administrator/ad
       read only = No



*When I ran the same command on DC-2 ( Samba 4.7.4) *

smbclient -k //172.16.10.21/Pastel12 -d 9

When doing Kerberos authentication, you shouldn't use an IP address, otherwise Kerberos won't work. Try it again with the real DNS name.

> ...
got OID=1.2.840.48018.1.2.2
Kerberos auth with 'administrator@xxxxxxxxxxxxx' (IUMNET\root) to access
'172.16.10.21' not possible
SPNEGO login failed: {Access Denied} A process has requested access to
an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED


You can cleanup your smb.conf the same way as pointed before.

*Here is the smb.conf dump from DC-2:*

# Global parameters
[global]
        netbios name = IUMSVRPDC
        realm = IUMNET.EDU.NA
        workgroup = IUMNET
        server role = active directory domain controller
        dns forwarder = 172.16.10.254
#       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
        allow dns updates = nonsecure and secure
        ntlm auth = yes
        ldap server require strong auth = no
        time server = Yes
        template shell = /bin/bash
        template homedir = /home/%U
#       idmap config * : backend = tdb
#       idmap config *:range = 50000-1000000
        full_audit:prefix = %u|%I|%m|%S
        full_audit:failure = connect
        full_audit:success = connect disconnect
        tls enabled = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem
        log level = 9 dns:0

[netlogon]
        path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
        read only = No
        browsable = no

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

*samba-tool drs showrepl on DC-1 is replicating successfully except for
below under INBOUND NEIGHBOR: *

DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMSVRPDC via RPC
                DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
                17863 consecutive failure(s).
                Last success @ Sat Jan 13 23:16:52 2018 WAST


This is probably your error. Replication of your main partition is not working. Domain members change their machine password once a month. If it has been changed on one of the servers, but the replication didn't go through to the other, it is normal to get the failure you are having.

You should look at your samba log when trying replication for that partition. There is probably a corrupted entry somewhere that is preventing replication.


*samba-tool drs showrepl on DC-2 is replicating successfully except for
below under INBOUND NEIGHBOR: *

CN=Configuration,DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMDCDP01 via RPC
                DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
                Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed, result 58 (WERR_BAD_NET_RESP)
                1926 consecutive failure(s).
                Last success @ Tue Jan  9 14:15:43 2018 CAT

This is not good either, and should be resolved too.

Cheers,

Denis

[1] it is in French, but your favorite search engine should be able to translate it for you : https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9




Harsh Kukreja, Systems Administrator
International University of Namibia, Tel: 061-4336000,
E-mail: h.kukreja@xxxxxxxxxx, Web: http://www.ium.edu.na
Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
Windhoek, NAMIBIA

On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon@xxxxxxxxxxx> wrote:

    Hi Harsh,


        I have two Samba 4 DC’s as below
        server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
        server-2 joined to server-1 as a DC running Samba 4.7.4 Ubuntu
        16.04

        The problem is that when I share files from my Windows 2008 file
        sharing server, which shows it is logged on to the Server-2 DC, the
        client PC which logs on to the Server-1 DC cannot access the shared
        folder and gives the error "Logon Failure: The target account name
        is incorrect."


    Windows error messages are not very sysadmin friendly. Could you
    please use the smbclient command line from a domain member Linux
    client instead to do your debugging:
     kinit myusername
     smbclient -k //win2k8server/sharename -d 9

    And do it both with dc1 on and off.

        To fix the problem I have to shutdown server-2 DC and restart my
        Windows
        File server which logs on to the server-1 and then the client
        can access
        the shared folder.


    Could you check if replication is working properly?
     samba-tool drs showrepl

        Please assist to fix this issue as I have to run both the DC’s
        in the
        network.


    You should avoid wordings like "please assist to fix". It is deemed
    rude (at least in my culture) to give orders to people who don't owe
    you anything... There are many kind people on this mailing list who
    would be happy to help, but this kind of wording just makes them
    dismiss your message directly.

    Cheers,

    Denis


        Harsh Kukreja, Systems Administrator
        International University of Namibia, Tel: 061-4336000,
        E-mail: h.kukreja@ium.edu.na, Web: http://www.ium.edu.na
        Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
        Windhoek, NAMIBIA


    --
    Denis Cardon
    Tranquil IT Systems
    Les Espaces Jules Verne, bâtiment A
    12 avenue Jules Verne
    44230 Saint Sébastien sur Loire
    tel : +33 (0) 2.40.97.57.55
    http://www.tranquil-it-systems.fr



--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
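
As an added example (not code from this thread, from Denis, or from the Samba project): a small POSIX shell helper that automates the two checks Denis asks for. It parses `samba-tool drs showrepl` output and lists every inbound neighbour with a non-zero consecutive failure count, so the two WERR_BAD_NET_RESP partitions above would be reported without reading the whole dump, and it refuses to run the Kerberos `smbclient -k` test against an IP literal, which is the mistake in the DC-2 run. The `showrepl` output embedded below is constructed to mirror the fragments quoted in the thread (one healthy and one failing neighbour); the function names `failing_inbound_neighbors`, `krb_target_ok` and `krb_smbclient_test` are ours.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Helpers for the two checks
# Denis asks for: is directory replication healthy, and is the Kerberos test
# being run against a DNS name rather than an IP literal.

# Constructed sample of `samba-tool drs showrepl` output, modelled on the
# fragments quoted in the thread: one healthy and one failing inbound neighbour.
# (Real output indents with tabs; the parser accepts tabs or spaces.)
SAMPLE_SHOWREPL='Default-First-Site-Name\IUMDCDP01
DSA Options: 0x00000001
DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=iumnet,DC=edu,DC=na
    Default-First-Site-Name\IUMSVRPDC via RPC
        DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
        Last attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
        0 consecutive failure(s).
        Last success @ Tue Jan 16 14:24:05 2018 WAST

DC=iumnet,DC=edu,DC=na
    Default-First-Site-Name\IUMSVRPDC via RPC
        DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
        Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
        17863 consecutive failure(s).
        Last success @ Sat Jan 13 23:16:52 2018 WAST

==== OUTBOUND NEIGHBORS ====
'

# Read showrepl output on stdin; print one line per failing INBOUND neighbour:
#   partition|partner|consecutive failures|result code
# Outbound neighbours and KCC connection objects are ignored.
failing_inbound_neighbors() {
    awk '
        /^==== INBOUND NEIGHBORS ====/ { inbound = 1; next }
        /^==== /                       { inbound = 0; next }
        !inbound                       { next }
        /^[^ \t]/                      { partition = $0; next }      # partition DN
        /via RPC/                      { sub(/^[ \t]+/, ""); partner = $0; next }
        /Last attempt @/ {
            result = ""
            if (match($0, /result [0-9]+ \([A-Z_]+\)/))
                result = substr($0, RSTART, RLENGTH)
            next
        }
        /consecutive failure\(s\)/ {
            if ($1 + 0 > 0)
                printf "%s|%s|%d|%s\n", partition, partner, $1 + 0, result
        }
    '
}

# Return 0 when the host part of //host/share is a name, 1 when it is an IP
# literal. Kerberos needs a name the KDC can map to a cifs/ service principal,
# which is why the IP-based run in the thread cannot work.
krb_target_ok() {
    host=${1#//}          # strip the leading //
    host=${host%%/*}      # keep only the host part
    case $host in
        \[*\])     return 1 ;;   # bracketed IPv6 literal
        *[!0-9.]*) return 0 ;;   # anything beyond digits and dots: a name
        *)         return 1 ;;   # digits and dots only: an IPv4 literal
    esac
}

# The Kerberos share test Denis suggests: kinit, then smbclient with Kerberos,
# refusing an IP target up front so the failure is not mistaken for a
# permissions problem. Hits the network; not run by default, call it by hand.
krb_smbclient_test() {
    user=$1; target=$2
    if ! krb_target_ok "$target"; then
        echo "refusing: '$target' uses an IP literal; Kerberos needs the DNS name" >&2
        return 2
    fi
    kinit "$user" || return 1
    smbclient -k "$target" -c ls -d 9    # -k selects Kerberos on Samba 4.6/4.7
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SHOWREPL" | failing_inbound_neighbors
for t in //IUMSVRAPP01/Pastel12 //172.16.10.21/Pastel12; do
    if krb_target_ok "$t"; then
        echo "ok for kerberos: $t"
    else
        echo "use a DNS name, not an IP: $t"
    fi
done
```

On a real DC the first check is `samba-tool drs showrepl | failing_inbound_neighbors`; an empty result means every inbound partition replicated on its last attempt. One thing the thread does not discuss, noted here as an aside: both smb.conf dumps keep `ntlm auth = yes`, `ldap server require strong auth = no` and `allow dns updates = nonsecure and secure`, each of which relaxes a Samba default; once replication is repaired they are worth revisiting.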


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba