Can NS Samba DC serve a mixed network?

I tested with a machine not joined.

I tried to access a shared folder with permissions, but it didn’t work.
I gave credential DOMAIN\user and password and suddenly the home directory of this user appeared and I got access to it. But no access to the shared folder I wanted? :confused: The user is in the ACL of the shared folder.
If shared folder has “allow to everyone” access is granted to every machine no matter if joined or not.

I did: net use z: \\xxx.xxx.xxx.xxx\user@domain.lan /user:DOMAIN\user password and the user home directory was created and access was granted.
@davidep But we know now, that the user home directory is created with first login. I checked before that the home directory didn’t exist.

Why I don’t get access to the shared folder I don’t know.
Will do some tests later.

4 Likes

Ouch

The Samba team does not recommend using a Samba-based Domain Controller as a file server, and recommends that users run a separate Domain Member with file shares.

1 Like

I started again from scratch with the latest updates; base install has samba 4.2. I installed file server first to see what would happen. This added the ns module to allow a share to be created, though no users could be created. I was able to access the share from a win 10 client without auth, obviously. Then I added samba dc and set up user, group, acl; at that point access to the shared folder was lost. What bothers me is that while there are logs created under /samba for local machines, there are no entries… blank logs for nmbd, smbd, /samba.log.ip, /samba/log.hostname… all blank.

I had hoped to set up a samba dc in one of the offices, be able to make shares available to users like in the nt4 pdc type user/password of 6.7/6.8, and begin migrating the users onto win pro machines and AD auth without disrupting access to resources, but I don’t see how I’ll be able to do that without a separate file server. That defeats the all in one machine concept here for using the samba dc instead of local auth of ldap.

Hi,

It’s OK on NS!

Please see these answers:
NethServer 7.2 alpha 3 - "First Blood" - #19 by mark_nl
NethServer 7.2 alpha 3 - "First Blood" - #21 by davidep

1 Like

Please see this:

NethServer 7.2 alpha 3 - "First Blood" - #4 by GG_jr
NethServer 7.2 alpha 3 - "First Blood" - #6 by GG_jr

I think you already got the answers.

1 Like

What credentials did you provide? Could you show us some examples?

Did you try connecting with smbclient and reproduce the problem? Any error message from it?

IIRC the username provided to Samba must be different from the Unix (sssd) one! It does not have the @domain suffix. As said, the other required parameter is the workgroup/domain name.

This should not be a requirement because after “Start DC” button is pressed any package already present on the system is reconfigured.

1 Like

@fasttech I managed to access a shared folder on a NS7 beta 2 VM.

I created shared folder

No entry in ACL.

My user’s name is user1@ns7.lan

I gave in Windows Explorer as credential: NS7\user1 and the password and got access to the folder above from a Win7 Pro machine not joined. I can copy a file to the folder and delete it.

So I think it’s possible to serve a mixed network of joined and non joined machines.

Thanks to @davidep for the hint about IIRC. In smb.conf there is the entry workgroup = NS7.
So workgroup\user is right, I think. At least in my case it was. :slight_smile:

6 Likes

If I enable an ACL RW for my user, “DPNET\davidep”, I get an error:

Domain=[DPNET] OS=[Windows 6.1] Server=[Samba 4.2.10]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I guess we have a problem here :sweat:

BTW, I think Windows Explorer does not help to understand what’s happening. I prefer smbclient! :broken_heart:

2 Likes

Holy mouse droppings! Success! With a Vista machine no less. Removed the acl entry. Used domain\user.

1 Like

I went through every samba and sssd log, the following is all I could find regarding these actions in the log messages… no log entries for resource access is bad, yes?

Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead|staff@neth.test.local|AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite||Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled
Sep 14 08:57:47 server7c esmith::event[10420]: Event: ibay-modify files
Sep 14 08:57:47 server7c esmith::event[10420]: expanding /etc/samba/smb.conf
Sep 14 08:57:47 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.153088]
Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/ibay-modify/S20nethserver-ibays-set-permissions SUCCESS [0.087635]
Sep 14 08:57:48 server7c systemd: Reloading.
Sep 14 08:57:48 server7c systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] service smb reload
Sep 14 08:57:48 server7c smbd[10443]: [2016/09/14 08:57:48.411221, 0] ../source3/printing/print_cups.c:151(cups_connect)
Sep 14 08:57:48 server7c smbd[10443]: Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected
Sep 14 08:57:48 server7c smbd[1093]: [2016/09/14 08:57:48.411960, 0] ../source3/printing/print_cups.c:529(cups_async_callback)
Sep 14 08:57:48 server7c smbd[1093]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Sep 14 08:57:48 server7c systemd: Reloaded Samba SMB Daemon.
Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] smb reload
Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.351805]
Sep 14 08:57:48 server7c esmith::event[10420]: Event: ibay-modify SUCCESS
Sep 14 08:59:22 server7c systemd: Created slice user-804801104.slice.
Sep 14 08:59:22 server7c systemd: Starting user-804801104.slice.
Sep 14 08:59:22 server7c systemd-logind: New session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c systemd: Started Session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c systemd: Starting Session c1 of user service@neth.test.local.
Sep 14 08:59:22 server7c oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for ':1.78'.
Sep 14 09:01:01 server7c systemd: Created slice user-0.slice.
Sep 14 09:01:01 server7c systemd: Starting user-0.slice.
Sep 14 09:01:01 server7c systemd: Started Session 19 of user root.
Sep 14 09:01:01 server7c systemd: Starting Session 19 of user root.
Sep 14 09:01:01 server7c systemd: Removed slice user-0.slice.
Sep 14 09:01:01 server7c systemd: Stopping user-0.slice.

The credentials that are successful with a non-joined win vista home are not successful with a non-joined win 10 pro or an ubuntu machine using nautilus.

Edit:
I found that the win 10 pro and the ubuntu machine both are successful accessing the share when using the server’s ip, but not the hostname, unlike the vista machine which is successful using the hostname.
@davidep

and this is all I have for logs… in messages, nothing to be found in /samba/*

Sep 15 14:16:37 server7c systemd-logind: New session c3 of user service@neth.test.local.
Sep 15 14:16:37 server7c systemd: Started Session c3 of user service@neth.test.local.
Sep 15 14:16:37 server7c systemd: Starting Session c3 of user service@neth.test.local.
Sep 15 14:17:18 server7c systemd-logind: New session c4 of user service@neth.test.local.
Sep 15 14:17:18 server7c systemd: Started Session c4 of user service@neth.test.local.
Sep 15 14:17:18 server7c systemd: Starting Session c4 of user service@neth.test.local.
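
An added example, not part of the original posts: the e-smith db lines in the log excerpt above record each shared-folder change as an OLD/NEW pair, so ACL edits on a share can be audited from the messages log even when the Samba logs are empty. The Python sketch below assumes the `type|Prop|value|...` layout seen in those lines; the function names are hypothetical and the sample input is shortened from the post.

```python
import re

# Sample lines shortened from the log excerpt in the post above
# (only a few properties kept per record).
PFX = "Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: "
SAMPLE_LOG = "\n".join([
    PFX + "OLD files=ibay|AclRead|staff@neth.test.local|AclWrite|staff@neth.test.local|GroupAccess|rw",
    PFX + "NEW files=ibay|AclRead||AclWrite|staff@neth.test.local|GroupAccess|rw",
    PFX + "OLD files=ibay|AclRead||AclWrite|staff@neth.test.local|GroupAccess|rw",
    PFX + "NEW files=ibay|AclRead||AclWrite||GroupAccess|rw",
    "Sep 14 08:57:47 server7c esmith::event[10420]: Event: ibay-modify files",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ /sbin/e-smith/db\[\d+\]: "
    r"(?P<db>\S+): (?P<kind>OLD|NEW) (?P<key>[^=]+)=(?P<record>.*)$"
)

def parse_record(record):
    """Split 'type|Prop|value|Prop|value...' into (type, {Prop: value})."""
    fields = record.split("|")
    rtype, rest = fields[0], fields[1:]
    if len(rest) % 2:          # tolerate a trailing property with no value
        rest.append("")
    return rtype, dict(zip(rest[0::2], rest[1::2]))

def acl_changes(log_text, watched=("AclRead", "AclWrite")):
    """Return (timestamp, share, property, old, new) for each ACL change."""
    changes, pending = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # not an e-smith db write
        rtype, props = parse_record(m["record"])
        ident = (m["db"], m["key"])
        if m["kind"] == "OLD":
            pending[ident] = props
            continue
        old = pending.pop(ident, None)
        if old is None or rtype != "ibay":
            continue           # NEW without OLD, or not a shared folder
        for prop in watched:
            before, after = old.get(prop, ""), props.get(prop, "")
            if before != after:
                changes.append((m["ts"], m["key"], prop, before, after))
    return changes

if __name__ == "__main__":
    for change in acl_changes(SAMPLE_LOG):
        print(change)
```
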

How did you do that?? I can’t start DC. Could you post ALL the steps you did from the beginning? THX

1 Like

Hi @Auto_Bitacora I’ll try to help.

Installation on dedicated hardware or VM?

1 Like

dedicated hw
red network static ip from my provider
green 192.168.200.1 /24
Only active DNS and DHCP (no other modules activated)
Trying to install Samba Account provider (different ip and checked create bridge) finishes with an error about not installed dc, switches almost instantly to a YUM update cache request.
Changes to dashboard showing a yellow advice to “change administrator password”. When I click there the webgui stops working at all.

You can try a factory reset.
http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-dc.html#factory-reset

Make sure the IP is not used in your network.
Install all updates.
If you get a yum error try yum check-update on commandline to get a clue what’s wrong.
You have to give the server a FQDN (I gave ns7test.ns7.lan)
Make sure, that sssd service is running.

Take a look at messages.log for info.

What I did:
I did an unattended installation, changed the dhcp on green interface to static.
Installed all updates.
Installed nethserver-dc and gave nsdc a static IP not used in local network.
Bridged interface to green interface.
Returned to dashboard and set the admin password.
Installed file-server and created a shared folder as described above.
As mentioned: no entry in acl. Use credentials DOMAIN\user + password.
All worked as expected out of the box.

Sorry, but at the moment I can’t give you more advice.

Thanks a lot. Maybe my hw is broken or something because that is exactly what I did in one of my tests with no results…
A couple of questions:
Did you create only the root account during O.S. installation? (I also created an administrador -spanish for administrator-)
Is it necessary to install LDAP account provider before Samba account provider?

Don’t do that. Samba DC install creates an administrator account. Make sure you apply any updates and reboot and make sure you create a good fqdn, before installing samba dc. Install samba dc before creating any accounts.

If you get the yum cache fail, look at messages in the logs and post the yum error.

Please don’t shoot me, I had a look at this and we had this same problem at a client…

This does not work, I have actually converted our client entirely over to centos & ubuntu desktop machines… YES… :gift: :tada:

The thing is, try and do this with a windows server - 2003, 2008, 2010 or 2013. It doesn’t work there either. The problem is simple…

You are violating Microsoft’s user license, home should not be used in a domain environment. Why buy a home user license if you are at work, you must pay more to use Bill’s monopoly…

This doesn’t even work with an ubuntu / debian server.

You can’t use a mixture.

Sorry