Can NS Samba DC serve a mixed network?

Please see this:

NethServer 7.2 alpha 3 - "First Blood" - #4 by GG_jr
NethServer 7.2 alpha 3 - "First Blood" - #6 by GG_jr

I think you already got the answers.

1 Like

What credentials did you provide? Could you show us some examples?

Did you try connecting with smbclient and reproduce the problem? Any error message from it?

IIRC the username provided to Samba must be different from the Unix (sssd) one! It does not have the @domain suffix. As said, the other required parameter is the workgroup/domain name.

This should not be a requirement because after “Start DC” button is pressed any package already present on the system is reconfigured.

1 Like

@fasttech I managed to access a shared folder on a NS7 beta 2 VM.

I created shared folder

no netry in acl.

my users name is user1@ns7.lan

I gave in Windowsexplorer as credential: NS7\user1 and the password and got access the folder above from a Win7 Pro machine nopn joined. I can copy a file to the folder and delete it.

So I think it’s possible to serve a mixed network of joined and non joined machines.

Thanks to @davidep for the hint abut IIRC. In smb.conf there is the entry workgroup = NS7.
So workgroup\user are the right I think. At least in my case they were. :slight_smile:

6 Likes

If I enable an ACL RW for my user, “DPNET\davidep”, I get an error:

Domain=[DPNET] OS=[Windows 6.1] Server=[Samba 4.2.10]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

I guess we have a problem here :sweat:

BTW, I think Windows Explorer does not help to understand what’s happening. I prefer smbclient! :broken_heart:

2 Likes

Holy mouse droppings! Success! With a Vista machine no less. Removed the acl entry. Used domain\user.

1 Like

I went through every samba and sssd log, the following is all I could find regarding these actions in the log messages… no log entries for resource access is bad, yes?

Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead|staff@neth.test.local|AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: OLD files=ibay|AclRead||AclWrite|staff@neth.test.local|Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled Sep 14 08:57:47 server7c /sbin/e-smith/db[10415]: /var/lib/nethserver/db/accounts: NEW files=ibay|AclRead||AclWrite||Description|files|GroupAccess|rw|OtherAccess|r|OwningGroup|staff@neth.test.local|SmbGuestAccessType|none|SmbRecycleBinStatus|disabled|SmbShareBrowseable|enabled Sep 14 08:57:47 server7c esmith::event[10420]: Event: ibay-modify files Sep 14 08:57:47 server7c esmith::event[10420]: expanding /etc/samba/smb.conf Sep 14 08:57:47 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.153088] Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/ibay-modify/S20nethserver-ibays-set-permissions SUCCESS [0.087635] Sep 14 08:57:48 server7c systemd: Reloading. Sep 14 08:57:48 server7c systemd: Configuration file /usr/lib/systemd/system/auditd.service is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway. Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] service smb reload Sep 14 08:57:48 server7c smbd[10443]: [2016/09/14 08:57:48.411221, 0] ../source3/printing/print_cups.c:151(cups_connect) Sep 14 08:57:48 server7c smbd[10443]: Unable to connect to CUPS server localhost:631 - Transport endpoint is not connected Sep 14 08:57:48 server7c smbd[1093]: [2016/09/14 08:57:48.411960, 0] ../source3/printing/print_cups.c:529(cups_async_callback) Sep 14 08:57:48 server7c smbd[1093]: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL Sep 14 08:57:48 server7c systemd: Reloaded Samba SMB Daemon. Sep 14 08:57:48 server7c esmith::event[10420]: [INFO] smb reload Sep 14 08:57:48 server7c esmith::event[10420]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.351805] Sep 14 08:57:48 server7c esmith::event[10420]: Event: ibay-modify SUCCESS Sep 14 08:59:22 server7c systemd: Created slice user-804801104.slice. Sep 14 08:59:22 server7c systemd: Starting user-804801104.slice. Sep 14 08:59:22 server7c systemd-logind: New session c1 of user service@neth.test.local. Sep 14 08:59:22 server7c systemd: Started Session c1 of user service@neth.test.local. Sep 14 08:59:22 server7c systemd: Starting Session c1 of user service@neth.test.local. Sep 14 08:59:22 server7c oddjobd: Error org.freedesktop.DBus.Error.SELinuxSecurityContextUnknown: Could not determine security context for ':1.78'. Sep 14 09:01:01 server7c systemd: Created slice user-0.slice. Sep 14 09:01:01 server7c systemd: Starting user-0.slice. Sep 14 09:01:01 server7c systemd: Started Session 19 of user root. Sep 14 09:01:01 server7c systemd: Starting Session 19 of user root. Sep 14 09:01:01 server7c systemd: Removed slice user-0.slice. Sep 14 09:01:01 server7c systemd: Stopping user-0.slice.

The credentials that are successful with a non-joined win vista home are not successful with a non-joined win 10 pro or a ubuntu machine using nautilus.

edit;
I found that the win 10 pro and the ubuntu machine both are successful accessing the share when using the server’s ip, but not the hostname, unlike the vista machine which is successful using the hostname.
@davidep

and this is all I have for logs… in messages, nothing to be found in /samba/*

Sep 15 14:16:37 server7c systemd-logind: New session c3 of user service@neth.test.local. Sep 15 14:16:37 server7c systemd: Started Session c3 of user service@neth.test.local. Sep 15 14:16:37 server7c systemd: Starting Session c3 of user service@neth.test.local. Sep 15 14:17:18 server7c systemd-logind: New session c4 of user service@neth.test.local. Sep 15 14:17:18 server7c systemd: Started Session c4 of user service@neth.test.local. Sep 15 14:17:18 server7c systemd: Starting Session c4 of user service@neth.test.local.

How you did that?? I cant start DC. Could you post ALL the step you did from the beginning? THX

1 Like

Hi @Auto_Bitacora I’ll try to help.

Installation on dedicated hardware or VM?

1 Like

dedicated hw
red network static ip from my provider
green 192.168.200.1 /24
Only active DNS an DHCP (no other modules activated)
Trying to install Samba Account provider (different ip and checked create bridge) finish with a error about not installed dc, switch almost instantly to a YUM update cache request.
Change to dashboard showing a yellow advice to “change administrator password” When i click there webgui stop working at all.

You can try a factory reset.
http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-dc.html#factory-reset

Make sure the IP is not used in your network.
Install all updates.
If you get a yum error try yum check-update on commandline to get a clue what’s wrong.
You have to give the server a FQDN (I gave ns7test.ns7.lan)
Make sure, that sssd service is running.

Take a look at messages.log for info.

What I did:
I did a unattended installation, changed the dhcp on green interface to static.
Installed all updates.
Installed nethserver-dc and gave nsdc a static IP not used in local network.
Bridged interface to green interface.
Return to dashboard an set the admin password.
Installed file-server and created a shared folder as discirbed above.
As mentioned: no entry in acl. Use credentials DOMAIN\user + password.
All worked as expected out of the box.

Sorry, but at the moment I can’t giveyou more advice.

Thanks a lot. Maybe my hw is broken or something because that is exactly what i did in one of my test with no results…
A couple of questions:
You create only root account during O.S. installation? (i also create an administrador -spanish for administrator-)
Is this necessary to install LDAP account provider before Samba account provider?

Don’t do that. Samba DC install creates an administrator account. Make sure you apply any updates and reboot and make sure you create a good fqdn, before installing samba dc. Install samba dc before creating any accounts.

If you get the yum cache fail, look at messages in the logs and post the yum error.

Please dont shoot me, I had a look at this and we had this same problem at a client…

This does not work, i have actually converted our client entirely over to centos & ubuntu desktop machines… YES… :gift: :tada:

The thing is try6 and do this with a windows server - 2003, 2008, 2010 or 2013. It doesnt work their either. the problem is simple…

You are violating MI#crosofts user license, home should not be used in a domain enviroment. Why buy a home user license if you at work, you must pay more to use bills monopoly…

This doesnt even work with an ubuntu / debian server.

you cant use a mixture.

Sorry

@quality_team, do you confirm @clinton advice?

I think it’s a matter of what’s the goal.

A win home machine never can join a domain, so it’s not ment to be a part of a domain.
If you just want to give this machine internet access with a transparent proxy and some shared folders, maybe a shared calender with sogo and a printer, a mixed network is possible. This “workgroupsetup” is for many small businesses enough to satisfy their needs.

If you want a more compex setup with serverhosted profiles, grouppolicys and all this stuff, it’s the wrong way to buy a home machine.

So IMO @clinton 's advice is true for domain enviroment, but not for a simple workgroup-setup.

4 Likes

I’m at a dead stop with anything NS related because I’m wasting a lot of time I simply don’t have on this.
I managed to get access to the shared folder files using the file explorer browsing dialogs with all my test machines as posted above and thought this was solved, now, after shutting the instance down for a while, bringing it back up and updating it, I can no longer log into the share with any machines and can’t find anything in any logs.

Let me try to narrow this down so I can get a simple yes or no and can then move on to precisely how.

A standalone nethserver 7 install,
vm or not,
with a single nic,
Not !!! a gateway,
Not the dhcp nor dns server.
with only 2 modules installed,

  1. Samba Active Directory
  2. File Server
    no machines joined to the domain
    a single folder created in shared folders,
    a user created
    a Windows 7 home machine

Is it possible for a user on the win 7 home machine to access the shared folder on the nethserver machine using only the username and password created in Users and Groups under samba ad?

Here’s why, many users I know need a file server… many users have windows home machines, whether they’re home or office… most are used to access files in shared folders… so that’s a lot of users that can’t join an active directory… @giacomo says NS openldap doesn’t support authenticated shares anymore… that leaves samba ad… or unsecure shares…

So either I have a very broken, though up to date install, or we’re offering a somewhat short of functionality distro. either way, we need to be up front about what is possible and how it can be done, we need to know if non domain joined machines can access file shares or not.

2 Likes

AFAIK yes. I just verified it against smbclient and a Win 10 pro machine …but it is not up-to-date with security patches. Does anybody confirm it? /cc @quality_team

EDIT: verified also against Win 10 pro up-to-date

Windows 10 showed a dialog box, asking for username and password. The username must contain the NetBIOS domain name followed by a backslash "" followed by the user name without the domain suffix.

For instance, if my FQDN is vm8.dpnet.nethesis.it and the Unix account is first.user@dpnet.nethesis.it the resulting username must be

DPNET\first.user

Is it the LAN DNS? I’m not sure, but I suspect it is a requirement also for non joined machines…

While attempting to reproduce your problem two things come to my mind:

  • The bug fix for #5111 solves the problem for new Shared folders. Existing ones require a “reset permissions” action on them.
  • If you install Samba Active Directory and File Server at the same time, any Shared folder created before “START DC” has the default guest access enabled.

I hope it helps!

Time to install from scratch? :wink:

Please help us to improve it!

2 Likes

Does this (also) mean: Not dhcp/dns server of the lan?

2 Likes