Can NS Samba DC serve a mixed network?

Can shared folders be shared, with auth, in a mixed network of Win pro (domain), Win home (workgroup) machines and Linux workstations?

Given a shared folder with NS 7b and Samba DC I cannot access (failed logon) the (visible in explorer) folder with a non joined machine. Unfortunately, there is little (nothing) in any of the samba logs, including logs with the machine's IP or domain name, meaning the logs are created but empty.

This includes with Guest access enabled with rw, client gives error dialog of no permission, does not give login dialog.

1 Like

What Windows version exactly? Are they updated to latest security patches?

I’ve been testing with a win 10 pro, win 7 pro and win vista home, all up to date.

Most of my clients have mixed networks, generally more home ver workgroup from the local store… trying to get them all up to pro is… not really in the cards, so that’s why I need to know if I can use the samba dc, otherwise I’ll just leave them as workgroups.

Note though, that this ns7b is pretty beat up, I just had to uninstall and reinstall Nextcloud (successfully, I might add) because it trashed the ldap config after applying the dc patch.

Did you install NethServer on a VM?

Often virtualization solutions block ARP traffic. As a result, the Samba Active Directory container isn’t visible from hosts inside the LAN.

http://docs.nethserver.org/en/v7b/accounts.html#installing-on-a-virtual-machine

Can you run a port scan of the Domain Controller IP address (nsdc) from any of your clients?

@davidep It’s in vbox and the single adapter is set for promisc all.

LDAP server: 192.168.124.228
LDAP server name: nsdc-server7c.ad.test.lab.local
Realm: AD.TEST.LAB.LOCAL
Bind Path: dc=AD,dc=TEST,dc=LAB,dc=LOCAL
LDAP port: 389
Server time: Mon, 12 Sep 2016 15:05:02 MST
KDC server: 192.168.124.228
Server time offset: 0
Join is OK

Hi Fasttech,
From what I know, the home versions of Windows do not support DC environment. Meaning that you can’t have users roaming or logon to AD.
On the other hand there should be no problem to access shares if you provide Domain\username at the credential box or in the script.

Also there are some hacks to make win home more AD friendly but this is not reliable…

2 Likes

that’s the way to go

1 Like

Sorry, I overlooked it! So the share access from machines that were joined to the domain works correctly?

I made my alpha-stage tests with smbclient, both Kerberos and password authentication were successful. IIRC they needed the “WORKGROUP” parameter to be specified. I agree with @Stefano_Zamboni and @Ctek: try to specify the workgroup name when connecting the share. IIRC the “connect network drive” feature in Windows Explorer allows specifying it… Maybe @Hunv @flatspin can help us! /cc @quality_team

It should not be an issue, however I’d prefer a clean environment to reproduce the problems :wink:

I tested with a machine not joined.

I tried to access a shared folder with permissions, but didn’t work.
I gave credential DOMAIN\user and password and suddenly the home directory of this user appeared and I got access to it. But no access to the shared folder I wanted? :confused: The user is in acl of the shared folder.
If shared folder has “allow to everyone” access is granted to every machine no matter if joined or not.

I did: net use z: \\xxx.xxx.xxx.xxx\user@domain.lan /user:DOMAIN\user password and the user home directory was created and access was granted.
@davidep But we know now, that the user home directory is created with first login. I checked before that the home directory didn’t exist.

Why I don’t get access to the shared folder I don’t know.
Will do some tests later.

4 Likes

Ouch

The Samba team does not recommend using a Samba-based Domain Controller as a file server, and recommends that users run a separate Domain Member with file shares.

1 Like

I started again from scratch with the latest updates, base install has samba 4.2, I installed file server first to see what would happen, this added the ns module to allow a share to be created though no users could be created, I was able to access the share from a win 10 client without auth obviously, then I added samba dc and set up, user, group, acl, at that point access to the shared folder was lost, what bothers me is that while there are logs created under /samba for local machines, there are no entries… blank logs for nmbd, smbd, /samba.log.ip, /samba/log.hostname… all blank.

I had hoped to setup a samba dc in one of the offices, be able to make shares available to users like in the nt4 pdc type user/password of 6.7/6.8 and begin migrating the users onto win pro machines and AD auth without disrupting access to resources but I don’t see how I’ll be able to do that without a separate file server, that defeats the all in one machine concept here for using the samba dc instead of local auth of ldap.

Hi,

It’s OK on NS!

Please see these answers:
NethServer 7.2 alpha 3 - "First Blood" - #19 by mark_nl
NethServer 7.2 alpha 3 - "First Blood" - #21 by davidep

1 Like

Please see this:

NethServer 7.2 alpha 3 - "First Blood" - #4 by GG_jr
NethServer 7.2 alpha 3 - "First Blood" - #6 by GG_jr

I think you already got the answers.

1 Like

What credentials did you provide? Could you show us some examples?

Did you try connecting with smbclient and reproduce the problem? Any error message from it?

IIRC the username provided to Samba must be different from the Unix (sssd) one! It does not have the @domain suffix. As said, the other required parameter is the workgroup/domain name.

This should not be a requirement because after “Start DC” button is pressed any package already present on the system is reconfigured.

1 Like

@fasttech I managed to access a shared folder on a NS7 beta 2 VM.

I created shared folder

no entry in acl.

my user's name is user1@ns7.lan

I gave in Windows Explorer as credential: NS7\user1 and the password and got access to the folder above from a Win7 Pro machine non joined. I can copy a file to the folder and delete it.

So I think it’s possible to serve a mixed network of joined and non joined machines.

Thanks to @davidep for the hint about IIRC. In smb.conf there is the entry workgroup = NS7.
So workgroup\user is right, I think. At least in my case they were. :slight_smile:

6 Likes

If I enable an ACL RW for my user, “DPNET\davidep”, I get an error:

Domain=[DPNET] OS=[Windows 6.1] Server=[Samba 4.2.10]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I guess we have a problem here :sweat:

BTW, I think Windows Explorer does not help to understand what’s happening. I prefer smbclient! :broken_heart:

2 Likes

Holy mouse droppings! Success! With a Vista machine no less. Removed the acl entry. Used domain\user.

1 Like

I went through every samba and sssd log, the following is all I could find regarding these actions in the log messages… no log entries for resource access is bad, yes?

Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead|staff@neth.test.local|AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite||Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c esmith::event[10420]: Event: ibay-modify files
Sep 14 08:57:47 server7c esmith::event[10420]: expanding /etc/samba/smb.conf
Sep 14 08:57:47 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.153088]
Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/ibay-modify/S20nethserver-ibays-set-permissions SUCCESS [0.087635]
Sep 14 08:57:48 server7c systemd: Reloading.
Sep 14 08:57:48 server7c systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] service smb reload
Sep 14 08:57:48 server7c smbd[10443]: [2016/09/14 08:57:48.411221, 0] ../source3/printing/print_cups.c:151(cups_connect)
Sep 14 08:57:48 server7c smbd[10443]: Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
Sep 14 08:57:48 server7c smbd[1093]: [2016/09/14 08:57:48.411960, 0] ../source3/printing/print_cups.c:529(cups_async_callback)
Sep 14 08:57:48 server7c smbd[1093]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Sep 14 08:57:48 server7c systemd: Reloaded Samba SMB Daemon.
Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] smb reload
Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.351805]
Sep 14 08:57:48 server7c esmith::event[10420]: Event: ibay-modify SUCCESS
Sep 14 08:59:22 server7c systemd: Created slice user-804801104.slice.
Sep 14 08:59:22 server7c systemd: Starting user-804801104.slice.
Sep 14 08:59:22 server7c systemd-logind: New session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c systemd: Started Session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c systemd: Starting Session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for ':1.78'.
Sep 14 09:01:01 server7c systemd: Created slice user-0.slice.
Sep 14 09:01:01 server7c systemd: Starting user-0.slice.
Sep 14 09:01:01 server7c systemd: Started Session 19 of user root.
Sep 14 09:01:01 server7c systemd: Starting Session 19 of user root.
Sep 14 09:01:01 server7c systemd: Removed slice user-0.slice.
Sep 14 09:01:01 server7c systemd: Stopping user-0.slice.
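
The `/sbin/e-smith/db` lines in the log above record every share property change as an OLD/NEW pair, which gives an audit trail of ACL edits even when the Samba logs are empty. As an added example (not part of the original thread or NethServer's own tooling), this Python script pairs those lines and reports which properties changed; the sample lines are constructed, shortened from the quoted ones, and the function names are hypothetical.

```python
import re

# Constructed sample, shaped like the e-smith db lines quoted in the post above.
SAMPLE_LOG = """\
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead|staff@neth.test.local|AclWrite|staff@neth.test.local|GroupAccess|rw|OtherAccess|r|SmbGuestAccessType|none
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite|staff@neth.test.local|GroupAccess|rw|OtherAccess|r|SmbGuestAccessType|none
Sep 14 08:57:47 server7c esmith::event[10420]: Event: ibay-modify files
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead||AclWrite|staff@neth.test.local|GroupAccess|rw|OtherAccess|r|SmbGuestAccessType|none
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite||GroupAccess|rw|OtherAccess|r|SmbGuestAccessType|none
"""

DB_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ /sbin/e-smith/db\[\d+\]: "
    r"(?P<db>\S+): (?P<state>OLD|NEW) (?P<key>[^=]+)=(?P<record>.*)$"
)

def parse_record(record):
    """Split 'type|prop|value|prop|value...' into (type, {prop: value})."""
    fields = record.split("|")
    props = dict(zip(fields[1::2], fields[2::2]))  # empty values stay as ""
    return fields[0], props

def acl_changes(log_text):
    """Pair each OLD line with the next NEW line for the same key and
    return one tuple per property whose value changed."""
    pending = {}   # (db, key) -> props from the most recent OLD line
    changes = []
    for line in log_text.splitlines():
        m = DB_LINE.match(line)
        if not m:
            continue  # not an e-smith db line (events, systemd, smbd ...)
        _rtype, props = parse_record(m["record"])
        ident = (m["db"], m["key"])
        if m["state"] == "OLD":
            pending[ident] = props
            continue
        old = pending.pop(ident, None)
        if old is None:
            continue  # NEW without a preceding OLD: nothing to compare
        for prop in sorted(set(old) | set(props)):
            if old.get(prop) != props.get(prop):
                changes.append((m["ts"], m["key"], prop, old.get(prop), props.get(prop)))
    return changes

if __name__ == "__main__":
    for ts, share, prop, before, after in acl_changes(SAMPLE_LOG):
        print(f"{ts} share={share} {prop}: {before!r} -> {after!r}")
```
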