Rescue Samba4 AD after 7.4 update

samba4
centos
activedirectory
v7

(Gordon) #1

NethServer Version: 7.4
Module: fully updated
Hi
Hope this is simpler to fix than it appears.

I am starting a new thread as it seems the 7.4 update had multiple issues, and what is described below is just one and, I suspect, the last hurdle to get the AD operating again.
Our system now appears to be running (ie) systemctl status
State: running
Jobs: 0 queued
Failed: 0 units
Since: Fri 2017-09-15 21:51:47 AEST; 10h ago
From the server and the ad to DC reports correctly.

From the AD 192.168.35.2
bash-4.2# net ads info
LDAP server: 192.168.35.2
LDAP server name: nsdc-srv.ad.compsos.com.au
Realm: AD.COMPSOS.COM.AU
Bind Path: dc=AD,dc=COMPSOS,dc=COM,dc=AU
LDAP port: 389
Server time: Sat, 16 Sep 2017 07:42:00 AEST
KDC server: 192.168.35.2
Server time offset: 0
Last machine account password change: Fri, 15 Sep 2017 21:21:30 AEST

From the server 192.168.35.1
[root@srv ~]# net ads info
LDAP server: 192.168.35.2
LDAP server name: nsdc-srv.ad.compsos.com.au
Realm: AD.COMPSOS.COM.AU
Bind Path: dc=AD,dc=COMPSOS,dc=COM,dc=AU
LDAP port: 389
Server time: Sat, 16 Sep 2017 07:53:31 AEST
KDC server: 192.168.35.2
Server time offset: 0
Last machine account password change: Fri, 15 Sep 2017 21:21:42 AEST

From the Server-manager
NetBIOS domain name: COMPSOS
LDAP server: 192.168.35.2
LDAP server name: nsdc-srv.ad.compsos.com.au
Realm: AD.COMPSOS.COM.AU
Bind Path: dc=AD,dc=COMPSOS,dc=COM,dc=AU
LDAP port: 389
Server time: Sat, 16 Sep 2017 07:56:48 AEST
KDC server: 192.168.35.2
Server time offset: 0
Last machine account password change: Fri, 15 Sep 2017 21:21:42 AEST

Join is OK
name: SRV
objectSid: S-1-5-21-915336450-4202079503-2260003411-1103
accountExpires: 9223372036854775807
sAMAccountName: SRV$
pwdLastSet: 131499481020205070
whenChanged: 20170915112142.0Z
dNSHostName: srv.compsos.com.au
servicePrincipalName: HOST/SRV
servicePrincipalName: HOST/srv.compsos.com.au
lastLogon: 131499862086881840
distinguishedName: CN=SRV,CN=Computers,DC=ad,DC=compsos,DC=com,DC=au

We can join a Windows machine to the AD and log in, and get to the “scripts” via \\nsdc-srv\netlogon, but not to the home shares or ibays. The AD does not accept the username passwords. Where can we trap the error? Is there a log for this?


(Gordon) #2

Just noticed that the default “Domain Users” is missing in the Server Manager.

Group name
first letter, than only lower letters, numbers and symbols like “-” and “_”

But it is in the RST tools with the correct listing of users

nethserver-samba-2.0.8-1.2.g6cc7f0b.ns7.noarch
The ownership of the home directories and their contents has gone to
(eg) 322001109 322000513
Trying to change it back to user@domain.com:user@domain.com fails with ‘invalid group’


(Gordon) #3

Might have something. It seems that all the permissions on the home directories are invalid.
Is there a list of what they should be or a method of resetting?


(Markus Neuberger) #4

Hi @compsos,

https://itefix.net/content/fix-reset-windows-home-folder-permissions

ACL and extended attributes are not working, that’s the reason for the problems with “Windows share” permissions…

https://wiki.samba.org/index.php/File_System_Support


(Gordon) #5

@mrmarkuz
Thanks.
Those scripts are Windows versions? Any descriptions for the Linux CLI on the NS7?


(Markus Neuberger) #6

Oh, wrong system… :)
Here it is for setting it in Linux:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#File_System_ACLs_in_the_Back_End


(Gordon) #7

Have tried the latest nethserver-samba.noarch 0:2.0.8-1.2.g6cc7f0b.ns7 and kinit the list of users OK, but still no go with logging in from a Windows client.

The specified network password is not correct.


(Gordon) #8

Solution here by @dnutan
http://community.nethserver.org/t/centos-7-4-1708-do-not-upgrade-if-using-samba-shared-folders/7801/36