Discussion:
[Samba] NT4-Style Auth & Roaming Profiles Only?
Jim Seymour
2016-07-26 14:31:42 UTC
Hi There,

Tried a Samba AD. Didn't work out. Please do not suggest. Thanks!

Here's what we have:

Ubuntu Linux 14.04.4 LTS
Samba 4.3.9-Ubuntu

Using OpenLDAP for authentication
Using nscd to speed things up

*Not* running winbind
*Not* running Kerberos

The problem is the company purchased a product that, *despite* the
vendor being told "We don't have a Windows network. There is no AD,"
and them assuring us that would not be a problem, they're running into
deployment trouble.

I *think* having just NT4-style network authentication *may* address
the issues.

I successfully got my MS-Win 7 Pro laptop to join the domain. And I
can actually do a domain login. But it takes well over a minute to
complete and I always end-up with a temporary profile.

I can see \\Server\Profiles\username.V2 being created, but it never
gets any content.

Tried every hint and solution I could find. I'm wondering if the lack
of winbind might be the problem? I'm wondering if I can solve it with
sssd?

Any other thoughts?

Thanks,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2016-07-26 15:06:58 UTC
Ok try set the profiles folder on 777
And add :
valid users = %u @"Domain Administrators"

greetz,

Louis
Jim Seymour
2016-07-26 15:55:00 UTC
On Tue, 26 Jul 2016 17:06:58 +0200
Post by L.P.H. van Belle
Ok try set the profiles folder on 777
[snip]

Thanks for the follow-up, Louis.

The "Profiles" directory was already 1777. Made no difference. I even
made one of the users' primary GID "Domain Users." No difference.
Made the changes you suggested. No difference.

Regards,
Jim
Jim Seymour
2016-07-26 15:59:51 UTC
On Tue, 26 Jul 2016 16:09:10 +0100
Post by Jim Seymour
Hi There,
Tried a Samba AD. Didn't work out. Please do not suggest.
Thanks!
Why didn't Samba AD work, what problems did you have, it might be
easier to fix them.
It's a long and ugly story, which I'm not going to recount. If you're
really interested, I'm sure you can find the answer in the archives.
[snip]
Have you tried just running winbindd ? you don't have to configure it.
Can't run winbind and nscd. sssd does a better job of what nscd does
than does winbind. Thus the sssd question.
It might help if you could post your smb.conf file.
[snip]

Very well. I'll trim out the cruft and do so.

Thanks,
Jim
Jim Seymour
2016-07-26 17:25:51 UTC
On Tue, 26 Jul 2016 17:40:47 +0100
Rowland penny <***@samba.org> wrote:

[snip]
https://lists.samba.org/archive/samba/2015-September/194047.html) and
it could have been the longest running thread on here and you still
couldn't get it to work.
More accurately: Couldn't get it to work the way *we* needed it to work.
[snip]
Don't bother on my account with the smb.conf, as I will not be
wasting any more time on your posts. I spent too much time last time.
I don't blame you. Trust me: I really don't want to be approaching
this, again, either :/

I actually had domain logins & roaming profiles working, at one point.
But that was before I ripped-out everything that wasn't necessary for
straight workgroup serving. Now I'm wondering just how much I'd have
to put back, essentially.

Regards,
Jim
Jim Seymour
2016-07-26 18:05:08 UTC
On Tue, 26 Jul 2016 18:45:15 +0100
Rowland penny <***@samba.org> wrote:

[snip]
a workgroup != NT4-style domain != AD domain
I know this.
Find out just what your new program requires and then alter your
setup to match these requirements,
Would that I could.

It's actually a set of servers, providing services, and clientware.
Believe-it-or-not, the vendor's people really don't seem to understand
how it all works. All they seem to know is they're used to operating in
a MS AD environment. Now stuff isn't working and they appear to be
lost.

My *guess* (which I'll bet is better than their guesses) is that
domain-level auth is the missing piece that's causing them grief. I
figured that, if I could get that going, easily, to test my theory, I
would.
don't try and make Samba act in a
way it isn't meant to.
Oh, no. Tried that once. I'm not ever going to try to go there again.

Thing is: Whatever I do is now on a live system. Anything I try,
beyond trivial config changes, will have to be done on "my own" time,
and I cannot afford to break the server too badly.

I think that, if I want to figure out what I have to do, I'll have to
set up a new test server on my test network and play.

Regards,
Jim
Dale Schroeder
2016-07-26 17:37:51 UTC
Jim,

This may be your problem: Samba 4.3.9

Upgrading my NT4 domain from 4.2.x to 4.3.x and beyond broke it, and no
combination of configuration parameters could put it back together again.

I wish you better luck.

Dale
Jim Seymour
2016-07-26 18:08:55 UTC
On Tue, 26 Jul 2016 12:37:51 -0500
Dale Schroeder <***@BriannasSaladDressing.com> wrote:

[snip]
Post by Dale Schroeder
Jim,
This may be your problem: Samba 4.3.9
Upgrading my NT4 domain from 4.2.x to 4.3.x and beyond broke it, and
no combination of configuration parameters could put it back together
again.
I wish you better luck.
Yikes!

Thanks for mentioning that, Dale. You may have just saved me a *lot*
of wasted time.

Current stable is 4.4.5. I hate to get this server out of the
repository cycle, but... How far "forward" did you go?

Maybe I'll get the last 4.2.x stable release, and 4.4.5, see if I can
get working what I want on 4.2.x, then see if I can jump to 4.4.5.

Thanks,
Jim
Dale Schroeder
2016-07-26 18:40:59 UTC
Post by Jim Seymour
On Tue, 26 Jul 2016 12:37:51 -0500
[snip]
Post by Dale Schroeder
Jim,
This may be your problem: Samba 4.3.9
Upgrading my NT4 domain from 4.2.x to 4.3.x and beyond broke it, and
no combination of configuration parameters could put it back together
again.
I wish you better luck.
Yikes!
Thanks for mentioning that, Dale. You may have just saved me a *lot*
of wasted time.
Current stable is 4.4.5. I hate to get this server out of the
repository cycle, but... How far "forward" did you go?
Maybe I'll get the last 4.2.x stable release, and 4.4.5, see if I can
get working what I want on 4.2.x, then see if I can jump to 4.4.5.
Thanks,
Jim
I cannot let this go by without commenting, when the badlock patches
were released, they also introduced several regressions. All of these
regressions (hopefully) have now been dealt with, so as long as you
are running 4.2.12, 4.3.9 or 4.4.3 at least, you should be okay.
Rowland
Sorry Rowland, but the break happened before the badlock patches when
Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether. I have a
Mint LMDE system at 4.2 that can still talk to the domain, so that's all
good. Win7 systems can log in, so the ldap auth is still working, but
cannot access shares. Because the domain was already not working, I
never had the opportunity to see what effect the badlock patches might
have had. And so it goes.

Jim, currently at Debian 4.4.5. If you search this list, you will find
others who have had the same thing happen. To my knowledge, none have
come back to say that their NT4 domain is working again post-4.2.x. I
will gladly try the smb.conf of someone who has a working Samba4 + ldap
NT4 domain, if provided.

Dale
Jim Seymour
2016-07-27 16:18:14 UTC
On Tue, 26 Jul 2016 13:40:59 -0500
Dale Schroeder <***@BriannasSaladDressing.com> wrote:

[snip]
Post by Dale Schroeder
Sorry Rowland, but the break happened before the badlock patches when
Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
[snip]
Post by Dale Schroeder
Jim, currently at Debian 4.4.5. If you search this list, you will
find others who have had the same thing happen. To my knowledge,
none have come back to say that their NT4 domain is working again
post-4.2.x.
[snip]

What was the nature/symptoms of the failure(s), Dale?

What I'm seeing is that network authentication works, but login takes
an inordinate amount of time: About 40 seconds until I see "Preparing
your desktop" and another 20 seconds until "You have been logged on
with a temporary profile."

It doesn't appear to be a network auth problem. If I put in an invalid
username or password, I get "The user name or password is incorrect"
*instantly*.

It's not permissions. Once logged-in, I can access the Profiles share,
the user's network home directory, and anything else to which the user
should have access. And I can write to those places to which I should
be able.

At least I don't *think* it's permissions. In perusing the logs, with
debug turned up, I see things like

smbd_check_access_rights: file username.V2 requesting 0x20080
returning 0x20000 (NT_STATUS_OK)
smbd_check_access_rights: file username3.V2 requesting 0x80
returning 0x0 (NT_STATUS_OK)

which makes me wonder if the code's not broken. (The thing's lying.
The user's id is "Domain User", the directory is group "Domain User"
and the permissions were "rwxrwxrwt".)

What I find more than a little disquieting is that nobody seems able to
actually *troubleshoot* issues like this. Somebody ought to be able to
look at logfiles and say "Oh, well, *this* is what you're doing
wrong" or "Ah! The code's broken because of <this>", or whatever.

Regards,
Jim
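The two smbd_check_access_rights lines Jim quotes are level-10 debug output whose hex values are NT access masks, and they are easy to misread. The script below is an added example (not from the thread and not Samba's own code) that parses such lines, names the bits in each mask, and reports the NT_STATUS the line carries. Whether the value after "returning" is a granted set or something else is not stated in the thread, so the script does not claim either; what it can show from the two lines themselves is that both carry NT_STATUS_OK and that in both the "returning" value is exactly the requested mask with FILE_READ_ATTRIBUTES (0x80) cleared. The third log line in the sample is constructed to show what a real denial looks like for contrast.

```python
import re

# Standard NT access-mask bits (Windows / Samba security constants).
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA|LIST_DIRECTORY",
    0x00000002: "FILE_WRITE_DATA|ADD_FILE",
    0x00000004: "FILE_APPEND_DATA|ADD_SUBDIRECTORY",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE|TRAVERSE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
FILE_READ_ATTRIBUTES = 0x80

# Matches the level-10 smbd line; the \s+ tolerates the line wrap a mail
# client inserts between "requesting ..." and "returning ...".
LINE_RE = re.compile(
    r"smbd_check_access_rights: file (?P<name>\S+) requesting "
    r"(?P<req>0x[0-9A-Fa-f]+)\s+returning (?P<ret>0x[0-9A-Fa-f]+)\s*"
    r"\((?P<status>NT_STATUS_\w+)\)"
)


def decode_mask(mask):
    """Return the names of the bits set in an NT access mask, lowest bit first."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)  # bits the table does not name
    if unknown:
        names.append("UNKNOWN:0x%x" % unknown)
    return names


def parse_log(text):
    """Parse every smbd_check_access_rights line in a log excerpt."""
    results = []
    for m in LINE_RE.finditer(text):
        req = int(m.group("req"), 16)
        ret = int(m.group("ret"), 16)
        results.append({
            "file": m.group("name"),
            "status": m.group("status"),
            "denied": m.group("status") != "NT_STATUS_OK",
            "requested": decode_mask(req),
            "returned": decode_mask(ret),
            # True when "returning" is just the request with FILE_READ_ATTRIBUTES
            # cleared, which is the case for both lines quoted in the thread.
            "returned_is_request_minus_read_attrs": ret == (req & ~FILE_READ_ATTRIBUTES),
        })
    return results


# Constructed excerpt: the first two entries are the thread's lines, kept with
# their mail wrap; the third is a made-up denied case for contrast.
SAMPLE_LOG = """\
smbd_check_access_rights: file username.V2 requesting 0x20080
returning 0x20000 (NT_STATUS_OK)
smbd_check_access_rights: file username3.V2 requesting 0x80
returning 0x0 (NT_STATUS_OK)
smbd_check_access_rights: file other.V2 requesting 0x20089 returning 0x8 (NT_STATUS_ACCESS_DENIED)
"""

if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        flag = "DENIED" if r["denied"] else "ok"
        print("%-14s %-6s requested=%s returning=%s (%s)" % (
            r["file"], flag, r["requested"], r["returned"], r["status"]))
        if not r["denied"] and r["returned_is_request_minus_read_attrs"]:
            print("   note: 'returning' == requested minus FILE_READ_ATTRIBUTES; status is OK")
```

Run it against a whole per-client log (the log.%m file from a setup like Jim's) by feeding the file contents to parse_log and filtering on the "denied" key; the status field, not the hex, is what decides whether smbd refused the open.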
l***@gmail.com
2016-07-27 16:42:32 UTC
Are you by chance using client specific logging on Samba?

https://wiki.samba.org/index.php/Client_specific_logging

Do the windows logs display anything relevant?
--
-James
Jim Seymour
2016-07-27 17:16:54 UTC
On Wed, 27 Jul 2016 12:42:32 -0400
"***@gmail.com" <***@gmail.com> wrote:

[snip]
Post by l***@gmail.com
Are you by chance using client specific logging on Samba?
https://wiki.samba.org/index.php/Client_specific_logging
Yes, but not that way. I simply have

log file = /var/log/samba/by-workstation/log.%m
log level = 10
Post by l***@gmail.com
Do the windows logs display anything relevant?
If I check the "Administrative Events", the detail reads:

Windows could not load your roaming profile and is attempting to
log you on with your local profile. Changes to the profile will not
be copied to the server when you log off. Windows could not load
your profile because a server copy of the profile folder already
exists that does not have the correct security. Either the current
user or the Administrators group must be the owner of the folder.

every time I log in. (Hand-transcribed from the MS-Win laptop.)

That's what caused me to notice the "OK but maybe not ok" messages in
Samba's logfile.

Regards,
Jim
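The Windows event Jim transcribes is specific: the server copy of the profile folder must be owned by the logging-in user or by the Administrators group, and Windows checks that against the owner SID Samba reports for the folder, which Samba derives from the folder's Unix owner. A quick server-side audit of the Profiles share root is therefore the check to run before touching permission bits again. The script below is an added example (not from the thread or from Samba) that does that: for each username.V2 folder it compares the Unix owner to the account name the folder is named for, treats a configurable list of admin accounts (assumed to be just "root" here) as the Administrators case, and also flags folders other users can write to. The sample entries are constructed; pass a real share path as the first argument to scan it.

```python
import os
import pwd
import stat
from collections import namedtuple

# One server-side profile folder: Unix owner name and st_mode (constructed or scanned).
ProfileDir = namedtuple("ProfileDir", "name owner mode")


def profile_user(folder_name):
    """Map a profile folder name to the account it belongs to.

    Windows 7 appends ".V2" to roaming profile folders (the thread shows
    username.V2), so strip a trailing ".V<digits>" if present.
    """
    base, dot, suffix = folder_name.rpartition(".")
    if dot and len(suffix) > 1 and suffix[0] in "Vv" and suffix[1:].isdigit():
        return base
    return folder_name


def audit(entries, admin_owners=("root",)):
    """Return (folder, problem) pairs for folders whose owner or mode looks wrong.

    The Windows event in the thread requires the owner to be the user or the
    Administrators group; admin_owners lists the Unix accounts you treat as
    the latter (an assumption, "root" by default).
    """
    findings = []
    for e in entries:
        expected = profile_user(e.name)
        if e.owner != expected and e.owner not in admin_owners:
            findings.append((e.name, "owned by %s, expected %s" % (e.owner, expected)))
        # A profile folder other accounts can write to lets them alter what the
        # user loads at logon; flag it even though Windows only checks the owner.
        if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((e.name, "group/world writable (mode %04o)" % stat.S_IMODE(e.mode)))
    return findings


def scan(profiles_root, admin_owners=("root",)):
    """Build ProfileDir entries from a real Profiles share root and audit them."""
    entries = []
    for d in os.scandir(profiles_root):
        if not d.is_dir(follow_symlinks=False):
            continue
        st = d.stat(follow_symlinks=False)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid with no passwd/LDAP entry: reported as a number
        entries.append(ProfileDir(d.name, owner, st.st_mode))
    return audit(entries, admin_owners)


# Constructed sample standing in for a listing of \\Server\Profiles on the Samba host.
SAMPLE_ENTRIES = [
    ProfileDir("jim.V2", "jim", 0o040700),     # owned by the user: fine
    ProfileDir("alice.V2", "root", 0o040700),  # owned by an admin account: fine
    ProfileDir("bob.V2", "jim", 0o041777),     # wrong owner and world-writable
]

if __name__ == "__main__":
    import sys
    findings = scan(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_ENTRIES)
    for folder, problem in findings:
        print("%s: %s" % (folder, problem))
```

A folder that this audit reports as owned by the right Unix account can still fail the Windows check if that uid does not map to the SID the client sees the user as, so compare the owner Samba reports from the client side (the folder's Security tab) with what the user's account resolves to. Jim's [Profiles] share definition is not in the thread; Samba's "profile acls" share parameter exists precisely to present profile folder ownership the way Windows expects, so whether the share has it is worth checking.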
Dale Schroeder
2016-07-27 18:30:46 UTC
Post by Jim Seymour
On Tue, 26 Jul 2016 13:40:59 -0500
[snip]
Post by Dale Schroeder
Sorry Rowland, but the break happened before the badlock patches when
Debian jumped from 4.1.x to 4.3.x, skipping 4.2.x altogether.
[snip]
Post by Dale Schroeder
Jim, currently at Debian 4.4.5. If you search this list, you will
find others who have had the same thing happen. To my knowledge,
none have come back to say that their NT4 domain is working again
post-4.2.x.
[snip]
What was the nature/symptoms of the failure(s), Dale?
Jim,

My domain errors were different than yours. That's why I used the
phrase "may be your problem" in my initial response. I was not dealing
with profiles, just ordinary share access attempts returning
"NT_STATUS_NO_LOGON_SERVERS". Win7 users can access shares on a Mint
member system with 4.2.x post-badlock. Systems with any version above
4.2 failed, pre- and post-. So, it seemed to me that if basic domain
shares in an NT4 domain >= 4.3.0 failed, then other domain features
(e.g. roaming profiles) could be broken, too. I think you get my reasoning.

To avoid hijacking your thread, if you wish, you can view the details of
my very short thread at:
https://lists.samba.org/archive/samba/2016-March/198582.html It has
the relevant log snippets, etc. (Note that this time period is before
the badlock patches were issued.)

I did read the Release Notes and applied the parameter changes for NT4
members and controllers listed in the 4.2.0 notes
(https://www.samba.org/samba/history/samba-4.2.0.html).

Like I mentioned previously, no one has yet supplied a working smb.conf
for a Samba >= 4.3.0 NT4 + LDAP domain. I'm not currently aware that
it's possible.

As before, I wish you better luck than I've had.

Dale