Shares not accessible when using FQDN

Shares not accessible when using FQDN

Samba - General mailing list


Hi,


I'm facing an issue for which I cannot find a solution.


Here is the test case :


    * Samba 4.7, multi-server setup (multiple DC)
    * Windows 7 and Windows 10 client (not domain member)
    * Shares can be listed but no access to them in some cases


From my workstation if I access \\myserver.domain\myshare I get an error like "//UNC// is not accessible. You might not have permissions ... bla bla ... The parameter is incorrect"


On my samba server we can see the log below (at the end of that mail).


However, it works when I do not append domain name to the UNC : \\myserver\myshare ...
Even more strange, it works on some workstations but not all..
Client clients are OK.


Do you have any idea ?!?





==> /var/log/samba/log.smbd <==
[2017/08/29 10:59:55.925684, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:55.925776, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:55.926835, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:55.926892, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.088688, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.088746, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.098659, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.098717, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.104899, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.104957, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.105755, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.105811, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.106671, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.106727, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.108001, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.108058, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.109246, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/08/29 10:59:56.109401, 3] ../lib/util/access.c:361(allow_access)
Allowed connection from 10.17.253.156 (10.17.253.156)
[2017/08/29 10:59:56.109525, 3] ../source3/smbd/service.c:576(make_connection_snum)
Connect path is '/opt/fft/actran_product' for service [software]
[2017/08/29 10:59:56.109566, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2017/08/29 10:59:56.109581, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2017/08/29 10:59:56.109652, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2017/08/29 10:59:56.109668, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [dfs_samba4]
[2017/08/29 10:59:56.109691, 2] ../source3/modules/vfs_acl_xattr.c:235(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service software
[2017/08/29 10:59:56.112545, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (531, 100) - sec_ctx_stack_ndx = 0
[2017/08/29 10:59:56.112595, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/08/29 10:59:56.112642, 2] ../source3/smbd/service.c:822(make_connection_snum)
10.17.253.156 (ipv4:10.17.253.156:49202) connect to service software initially as user FFT\qa (uid=531, gid=100) (pid 23058)
[2017/08/29 10:59:56.114037, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (531, 100) - sec_ctx_stack_ndx = 0
[2017/08/29 10:59:56.114105, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.114916, 4] ../source3/smbd/uid.c:384(change_to_user)
Skipping user change - already user
[2017/08/29 10:59:56.114973, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.756703, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0




Thank you
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
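
An added example, not part of the original post or of Samba: a small Python parser for the log.smbd format shown in the post above. It groups the NT_STATUS errors by the source location that raised them and counts how many were logged after the share connection was made. The sample lines are an excerpt of the poster's log; the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the log.smbd lines from the post above (not the full log).
SAMPLE_LOG = r"""==> /var/log/samba/log.smbd <==
[2017/08/29 10:59:56.108058, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.109401, 3] ../lib/util/access.c:361(allow_access)
Allowed connection from 10.17.253.156 (10.17.253.156)
[2017/08/29 10:59:56.112642, 2] ../source3/smbd/service.c:822(make_connection_snum)
10.17.253.156 (ipv4:10.17.253.156:49202) connect to service software initially as user FFT\qa (uid=531, gid=100) (pid 23058)
[2017/08/29 10:59:56.114105, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
[2017/08/29 10:59:56.114973, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_ioctl.c:309
"""

# Record header: "[timestamp, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# Error message body: "... status[NT_STATUS_X] || at file.c:NNN"
ERROR = re.compile(r"status\[(?P<status>NT_STATUS_\w+)\] \|\| at (?P<origin>\S+:\d+)")
# Share connection message written by make_connection_snum
CONNECT = re.compile(
    r"^(?P<client>\S+) \(\S+\) connect to service (?P<service>\S+) "
    r"initially as user (?P<user>\S+) \(uid=\d+, gid=\d+\)"
)


def parse_records(text):
    """Split log text into records: one header line plus its message lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("==>"):  # blank line or `tail` banner
            continue
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["msg"] = ""
            records.append(rec)
        elif records:
            # Continuation line: belongs to the most recent header.
            prev = records[-1]
            prev["msg"] = (prev["msg"] + " " + line).strip()
    return records


def summarize(records):
    """Count errors per (status, origin) and relate them to share connections."""
    errors = Counter()
    connects = []
    errors_after_connect = 0
    for rec in records:
        c = CONNECT.match(rec["msg"])
        if c:
            connects.append((rec["ts"], c["client"], c["service"], c["user"]))
            continue
        e = ERROR.search(rec["msg"])
        if e:
            errors[(e["status"], e["origin"])] += 1
            if connects:  # logged after at least one share connection
                errors_after_connect += 1
    return {
        "errors": errors,
        "connects": connects,
        "errors_after_connect": errors_after_connect,
    }


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    for (status, origin), count in summary["errors"].most_common():
        print(f"{count:3d}  {status}  raised at {origin}")
    for ts, client, service, user in summary["connects"]:
        print(f"{ts}  {client} connected to [{service}] as {user}")
    print("errors after first share connect:", summary["errors_after_connect"])
```
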

Re: Shares not accessible when using FQDN

Samba - General mailing list
Hai,

Without (smb.conf) config, no, sorry, no ideas..
An educated guess: you have errors in your DNS resolving.

What's the OS running?
cat /etc/hosts
cat /etc/resolv.conf
cat /etc/smb.conf

On the Windows PC, open a DOS box,
ipconfig /all

Things like that, surprisingly, really help us out in helping you. ;-)

Greetz,

Louis
 

> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Gaetan SLONGO via samba
> Sent: Tuesday 29 August 2017 11:16
> To: samba
> Subject: [Samba] Shares not accessible when using FQDN
> Urgency: High
>
>
>
> Hi,
>
>
> I'm facing an issue for which I cannot find a solution.
>
>
> Here is the test case :
>
>
>     * Samba 4.7, multi-server setup (multiple DC)
>     * Windows 7 and Windows 10 client (not domain member)
>     * Shares can be listed but no access to them in some cases
>
>
> From my workstation if I access \\myserver.domain\myshare
> I get an error like "//UNC// is not accessible. You might
> not have permissions ... bla bla ... The parameter is incorrect"
>
>
> On my samba server we can see the log below (at the end of
> that mail).
>
>
> However, it works when I do not append domain name to the UNC
> : \\myserver\myshare ...
> Even more strange, it works on some workstations but not all..
> Client clients are OK.
>
>
> Do you have any idea ?!?
>
>
>
>
>
> Thank you

Re: Shares not accessible when using FQDN

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Tue, 29 Aug 2017 11:16:12 +0200 (CEST)
Gaetan SLONGO via samba <[hidden email]> wrote:

>
>
> Hi,
>
>
> I'm facing an issue for which I cannot find a solution.
>
>
> Here is the test case :
>
>
>     * Samba 4.7, multi-server setup (multiple DC)
>     * Windows 7 and Windows 10 client (not domain member)
>     * Shares can be listed but no access to them in some cases
>
>
> From my workstation if I access \\myserver.domain\myshare I get an
> error like "//UNC// is not accessible. You might not have
> permissions ... bla bla ... The parameter is incorrect"
>
>
> On my samba server we can see the log below (at the end of that
> mail).
>
>
> However, it works when I do not append domain name to the UNC :
> \\myserver\myshare ... Even more strange, it works on some
> workstations but not all.. Client clients are OK.
>
>
> Do you have any idea ?!?
>
>
>
>
>
> Thank you

Go on, I give in, how have you set up Samba ? ;-)

Or to put it another way, can you please post your smb.conf.

Rowland


Re: Shares not accessible when using FQDN

Samba - General mailing list
Hi guys,


Thank you for your answer. Meanwhile I have new information: the problem also happens on a workstation in the domain.
This should not be a DNS issue. I validated that and I can authenticate and list shares. Just cannot enter into them when I'm using the FQDN o_O


Note : It works well on Linux clients.


Here is the Samba config file :


Thank you !



# Global parameters
[global]
netbios name = MOE
realm = ADS.DOMAIN.BE
workgroup = DOMAIN
netbios alias = CLUSTER
server role = active directory domain controller
kerberos method = secrets and keytab
idmap_ldb:use rfc2307 = yes
winbind use default domain = false
winbind offline logon = false
template shell = /bin/bash
template homedir = /home/%u
ntlm auth = yes
log level = 4




[netlogon]
path = /var/lib/samba/sysvol/ads.DOMAIN.be/scripts
read only = Yes
browsable = no


[sysvol]
path = /var/lib/samba/sysvol
read only = Yes
browsable = no




[software]
comment = Installed productlines
path = /opt/DOMAIN/actran_product
read only = Yes
create mask = 0660
directory mask = 0770
guest ok = No


[license]
comment = license
path = /opt/licenses/msctwo
read only = yes
guest ok = No




[homes]
comment = Home Directories
;;valid users = root @smbusers
browseable = no
read only = No
;create mask = 0640 ; Changed at Eloi's request
create mask = 0600
;directory mask = 0750 ; Changed at Eloi's request
directory mask = 0700
guest ok = no
printable = no
veto files =
hide dot files = no


----- Original message -----

From: "Rowland Penny via samba" <[hidden email]>
To: [hidden email]
Sent: Tuesday 29 August 2017 11:31:37
Subject: Re: [Samba] Shares not accessible when using FQDN

On Tue, 29 Aug 2017 11:16:12 +0200 (CEST)
Gaetan SLONGO via samba <[hidden email]> wrote:

>
>
> Hi,
>
>
> I'm facing an issue for which I cannot find a solution.
>
>
> Here is the test case :
>
>
> * Samba 4.7, multi-server setup (multiple DC)
> * Windows 7 and Windows 10 client (not domain member)
> * Shares can be listed but no access to them in some cases
>
>
> From my workstation if I access \\myserver.domain\myshare I get an
> error like "//UNC// is not accessible. You might not have
> permissions ... bla bla ... The parameter is incorrect"
>
>
> On my samba server we can see the log below (at the end of that
> mail).
>
>
> However, it works when I do not append domain name to the UNC :
> \\myserver\myshare ... Even more strange, it works on some
> workstations but not all.. Client clients are OK.
>
>
> Do you have any idea ?!?
>
>
>
>
>
> Thank you

Go on, I give in, how have you set up Samba ? ;-)

Or to put it another way, can you please post your smb.conf.

Rowland



--




www.it-optics.com
       
Gaëtan SLONGO | Head of Infrastructure Department
Boulevard Initialis, 28 - 7000 Mons, BELGIUM
Company : +32 (0)65 84 23 85
Direct : +32 (0)65 32 85 88
Fax : +32 (0)65 84 66 76
Skype ID : gslongo.pro
GPG Key : gslongo-gpg_key.asc
       

- Please consider your environmental responsibility before printing this e-mail -









Re: Shares not accessible when using FQDN

Samba - General mailing list
If DNS is set up correctly, and you're sure,
then show ipconfig /all from a working and a failing PC.

And before I forget to mention:
Did you check if the time is in sync?  ( sorry must ask )

Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of
> Gaetan SLONGO via samba
> Sent: Tuesday 29 August 2017 11:47
> To: Rowland Penny
> CC: [hidden email]
> Subject: Re: [Samba] Shares not accessible when using FQDN
>
> Hi guys,
>
>
> Thank you for your answer. Meanwhile I have new information:
> the problem also happens on a workstation in the domain.
> This should not be a DNS issue. I validated that and I can
> authenticate and list shares. Just cannot enter into them
> when I'm using the FQDN o_O
>
>
> Note : It works well on Linux clients.
>
>
> Here is the Samba config file :
>
>
> Thank you !
>
>
>
> # Global parameters
> [global]
> netbios name = MOE
> realm = ADS.DOMAIN.BE
> workgroup = DOMAIN
> netbios alias = CLUSTER
> server role = active directory domain controller
> kerberos method = secrets and keytab
> idmap_ldb:use rfc2307 = yes
> winbind use default domain = false
> winbind offline logon = false
> template shell = /bin/bash
> template homedir = /home/%u
> ntlm auth = yes
> log level = 4
>
>
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/ads.DOMAIN.be/scripts
> read only = Yes
> browsable = no
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> browsable = no
>
>
>
>
> [software]
> comment = Installed productlines
> path = /opt/DOMAIN/actran_product
> read only = Yes
> create mask = 0660
> directory mask = 0770
> guest ok = No
>
>
> [license]
> comment = license
> path = /opt/licenses/msctwo
> read only = yes
> guest ok = No
>
>
>
>
> [homes]
> comment = Home Directories
> ;;valid users = root @smbusers
> browseable = no
> read only = No
> ;create mask = 0640 ; Changed at Eloi's request
> create mask = 0600
> ;directory mask = 0750 ; Changed at Eloi's request
> directory mask = 0700
> guest ok = no
> printable = no
> veto files =
> hide dot files = no
>
>
> ----- Original message -----
>
> From: "Rowland Penny via samba" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday 29 August 2017 11:31:37
> Subject: Re: [Samba] Shares not accessible when using FQDN
>
> On Tue, 29 Aug 2017 11:16:12 +0200 (CEST) Gaetan SLONGO via
> samba <[hidden email]> wrote:
>
> >
> >
> > Hi,
> >
> >
> > I'm facing an issue for which I cannot find a solution.
> >
> >
> > Here is the test case :
> >
> >
> > * Samba 4.7, multi-server setup (multiple DC)
> > * Windows 7 and Windows 10 client (not domain member)
> > * Shares can be listed but no access to them in some cases
> >
> >
> > From my workstation if I access \\myserver.domain\myshare I get an
> > error like "//UNC// is not accessible. You might not have
> > permissions ... bla bla ... The parameter is incorrect"
> >
> >
> > On my samba server we can see the log below (at the end of that
> > mail).
> >
> >
> > However, it works when I do not append domain name to the UNC :
> > \\myserver\myshare ... Even more strange, it works on some
> > workstations but not all.. Client clients are OK.
> >
> >
> > Do you have any idea ?!?
> >
> >
> >
> >
> >
> > ==> /var/log/samba/log.smbd <==
> > [2017/08/29 10:59:55.925684,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:55.925776,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:55.926835,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:55.926892,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.088688,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.088746,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.098659,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.098717,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.104899,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.104957,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.105755,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.105811,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.106671,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.106727,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.108001,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.108058,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.109246,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec
> > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/08/29 10:59:56.109401,
> > 3] ../lib/util/access.c:361(allow_access) Allowed connection from
> > 10.17.253.156 (10.17.253.156) [2017/08/29 10:59:56.109525,
> > 3] ../source3/smbd/service.c:576(make_connection_snum) Connect path
> > is '/opt/fft/actran_product' for service [software] [2017/08/29
> > 10:59:56.109566, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
> > Initialising default vfs hooks [2017/08/29 10:59:56.109581,
> > 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising
> custom vfs
> > hooks from [/[Default VFS]/] [2017/08/29 10:59:56.109652,
> > 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising
> custom vfs
> > hooks from [acl_xattr] [2017/08/29 10:59:56.109668,
> > 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising
> custom vfs
> > hooks from [dfs_samba4] [2017/08/29 10:59:56.109691,
> > 2] ../source3/modules/vfs_acl_xattr.c:235(connect_acl_xattr)
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
> > true' and 'force unknown acl user = true' for service software
> > [2017/08/29 10:59:56.112545,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec
> > ctx (531, 100) - sec_ctx_stack_ndx = 0 [2017/08/29 10:59:56.112595,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec
> > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/08/29 10:59:56.112642,
> > 2] ../source3/smbd/service.c:822(make_connection_snum)
> 10.17.253.156
> > (ipv4:10.17.253.156:49202) connect to service software initially as
> > user FFT\qa (uid=531, gid=100) (pid 23058) [2017/08/29
> > 10:59:56.114037,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec
> > ctx (531, 100) - sec_ctx_stack_ndx = 0 [2017/08/29 10:59:56.114105,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.114916,
> > 4] ../source3/smbd/uid.c:384(change_to_user) Skipping user change -
> > already user [2017/08/29 10:59:56.114973,
> > 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> > status[NT_STATUS_INVALID_PARAMETER] ||
> > at ../source3/smbd/smb2_ioctl.c:309 [2017/08/29 10:59:56.756703,
> > 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal) setting sec
> > ctx (0, 0) - sec_ctx_stack_ndx = 0
> >
> >
> >
> >
> > Thank you
>
> Go on, I give in, how have you setup Samba ? ;-)
>
> Or to put it another way, can you please post your smb.conf.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba 
>
>
> --
>
>
>
>
> www.it-optics.com
>
> Gaëtan SLONGO | Head of Infrastructure Department
> Boulevard Initialis, 28 - 7000 Mons, BELGIUM
> Company : +32 (0)65 84 23 85
> Direct : +32 (0)65 32 85 88
> Fax : +32 (0)65 84 66 76
> Skype ID : gslongo.pro
> GPG Key : gslongo-gpg_key.asc
>
>
> - Please consider your environmental responsibility before
> printing this e-mail -
>
>
>
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: Shares not accessible when using FQDN

Samba - General mailing list

Hi,


Time is OK
I found some more information: it seems the problem appears when I use an alias (DNS and netbios alias). So it is working for principal names (moe, in this case). Maybe it is not related but the setup is still in 2003 mode?


CLUSTER is an alias of MOE (in the config and also in DNS servers => CNAME (resolution is OK)). And accessing the shares using \\cluster is not working.


Regarding the ipconfig setup: difficult to send it right now as I'm working remotely (and with a Linux workstation :)). I could make screenshots but I think I cannot paste them in the list. But maybe if you tell me what you want to validate I can do it. I assume it is the DNS search list.


Thank you guys

----- Original message -----

From: "L.P.H. van Belle via samba" <[hidden email]>
To: [hidden email]
Sent: Tuesday 29 August 2017 12:01:50
Subject: Re: [Samba] Shares not accessible when using FQDN

If DNS is set up correctly, and you're sure,
then show ipconfig /all from a working and failing PC.

And before I forget to mention:
Did you check if the time is in sync? (sorry, must ask)

Greetz,

Louis



Re: Shares not accessible when using FQDN

Samba - General mailing list
In reply to this post by Samba - General mailing list

Please see inline comments:

On Tue, 29 Aug 2017 11:47:17 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Hi guys,
>
>
> Thank you for your answer. Meanwhile I have new information, the
> problem also happens on a workstation in the domain. This should not
> be a DNS issue. I validated that and I can authenticate and list
> shares. Just cannot enter into them when I'm using the FQDN o_O
>
>
> Note : It works well on Linux clients.

You surprise me ;-)
 

>
>
> Here is the Samba config file :
>
>
> Thank you !
>
>
>
> # Global parameters
> [global]
> netbios name = MOE
> realm = ADS.DOMAIN.BE
> workgroup = DOMAIN
> netbios alias = CLUSTER

'CLUSTER' ?? why ? you cannot use a Samba AD DC in a cluster, for one
thing there is no need.
 
> server role = active directory domain controller
> kerberos method = secrets and keytab
> idmap_ldb:use rfc2307 = yes
> winbind use default domain = false
> winbind offline logon = false

You should remove the above two lines, they do nothing on an AD DC

> template shell = /bin/bash
> template homedir = /home/%u
> ntlm auth = yes
> log level = 4
>
> [netlogon]
> path = /var/lib/samba/sysvol/ads.DOMAIN.be/scripts
> read only = Yes
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> browsable = no
>
> [software]
> comment = Installed productlines
> path = /opt/DOMAIN/actran_product
> read only = Yes
> create mask = 0660
> directory mask = 0770
> guest ok = No
>
> [license]
> comment = license
> path = /opt/licenses/msctwo
> read only = yes
> guest ok = No
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = No
> create mask = 0600
> directory mask = 0700
> guest ok = no
> printable = no
> veto files =
> hide dot files = no

OK several things here, put the [sysvol] & [netlogon] shares back to
what they were when the smb.conf was created. [homes] doesn't work on
a DC and you CANNOT use the old Samba3 ways of setting up shares on a
DC, you MUST use Windows ACLs, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

and here:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland
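
The points raised in the reply above, turned into a check (an added example, not part of the original post and not a Samba tool): it parses an smb.conf and, when `server role` is the AD DC value shown in the thread, flags the two winbind lines, a `[homes]` section, and shares that set `create mask` or `directory mask`. Treating the mask parameters as the "old Samba3 ways" is an assumption; the sample config is reconstructed from the thread and the function names are hypothetical.

```python
"""Flag the smb.conf settings that the reply above objects to on an AD DC."""
import re

# Constructed sample: the smb.conf quoted in the thread, one parameter per line.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
    netbios name = MOE
    realm = ADS.DOMAIN.BE
    workgroup = DOMAIN
    netbios alias = CLUSTER
    server role = active directory domain controller
    kerberos method = secrets and keytab
    winbind use default domain = false
    winbind offline logon = false
    ntlm auth = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = Yes

[software]
    path = /opt/DOMAIN/actran_product
    read only = Yes
    create mask = 0660
    directory mask = 0770

[homes]
    ;;valid users = root @smbusers
    read only = No
    create mask = 0600
"""

DC_ROLE = "active directory domain controller"  # value used in the thread
NOOP_ON_DC = ("winbind use default domain", "winbind offline logon")
# Assumption: these stand in for the "old Samba3 ways" of setting permissions.
SAMBA3_MASKS = ("create mask", "directory mask")


def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections


def audit_dc_conf(text):
    """Return (section, parameter, note) findings; empty list if not an AD DC."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if " ".join(glob.get("serverrole", "").lower().split()) != DC_ROLE:
        return []
    findings = []
    for param in NOOP_ON_DC:
        if norm(param) in glob:
            findings.append(("global", param, "does nothing on an AD DC"))
    if "homes" in conf:
        findings.append(("homes", None, "[homes] does not work on a DC"))
    for section, params in conf.items():
        if section in ("global", "homes"):
            continue
        for param in SAMBA3_MASKS:
            if norm(param) in params:
                findings.append(
                    (section, param, "Samba3-style permissions; use Windows ACLs")
                )
    return findings


if __name__ == "__main__":
    for section, param, note in audit_dc_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {param or ''}: {note}")
```
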



Re: Shares not accessible when using FQDN

Samba - General mailing list
In reply to this post by Samba - General mailing list
From Windows, using cmd.exe you can copy text. Then you can paste that
copied text into a text file.
Then you can paste that new file content here.

2017-08-29 12:29 GMT+02:00 Gaetan SLONGO via samba <[hidden email]>:

>
> Hi,
>
>
> Time is OK
> I found some more information: it seems the problem appears when I use an
> alias (DNS and netbios alias). So it is working for principal names (moe,
> in this case). Maybe it is not related but the setup is still in 2003 mode?
>
>
> CLUSTER is an alias of MOE (in the config and also in DNS servers =>
> CNAME (resolution is OK)). And accessing the shares using \\cluster is
> not working.
>
>
> Regarding the ipconfig setup. Difficult to send it right now as I'm
> working remotely (and with a Linux workstation :)). I could make
> screenshots but I think I cannot paste them in the list. But maybe if you
> tell me what you want to validate I can do it. I assume it is the DNS
> search list
>
>
> Thank you guys
>

Re: Shares not accessible when using FQDN

Samba - General mailing list
Hi,
Try putting your aliases' FQDN in the netbios aliases clause of smb.conf
(provided one does not seem to contain the whole name)

Regards

On 29/08/2017 at 12:29, Gaetan SLONGO via samba wrote:

> Hi,
>
>
> Time is OK
> I found some more information: it seems the problem appears when I use an alias (DNS and netbios alias). So it is working for principal names (moe, in this case). Maybe it is not related but the setup is still in 2003 mode?
>
>
> CLUSTER is an alias of MOE (in the config and also in DNS servers => CNAME (resolution is OK)). And accessing the shares using \\cluster is not working.
>
>
> Regarding the ipconfig setup. Difficult to send it right now as I'm working remotely (and with a Linux workstation :)). I could make screenshots but I think I cannot paste them in the list. But maybe if you tell me what you want to validate I can do it. I assume it is the DNS search list
>
>
> Thank you guys


Re: Shares not accessible when using FQDN

Samba - General mailing list
Hi,


"CLUSTER" is because this server is related to a computing cluster, and is the master node of that cluster ;) No relation with Samba infrastructure, this is just a DNS/Netbios alias.
To be honest the reason why this server is also a DC is to solve a big issue that appeared when migrating from 3 to 4. We had no other choice because of a couple of reasons, however it is planned to demote it in the near future, however at this time it needs to work


Ok thank you I will try by removing the winbind lines


Regarding the share structure I know this is not a good setup at that time, now we are in the first step : Migrating from 3 to 4, second step will be better share structure. This is needed to reduce disruptions. We always operate like this until now and it was always successful.
Why do you say homes are not working on a DC ? We have a couple of servers which are DC and fileserver at the same time (and provide homes shares)


For now, the biggest issue is shares are not working when using a DNS alias because a couple of users have network drives or shortcuts which use them


Thank you !



----- Original Message -----

From: "Rowland Penny via samba" <[hidden email]>
To: [hidden email]
Sent: Tuesday 29 August 2017 12:39:11
Subject: Re: [Samba] Shares not accessible when using FQDN


Please see inline comments:

On Tue, 29 Aug 2017 11:47:17 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Hi guys,
>
>
> Thank you for your answer. Meanwhile I have new information: the
> problem also happens on a workstation in the domain. This should not
> be a DNS issue. I validated that and I can authenticate and list
> shares. Just cannot enter into them when I'm using the FQDN o_O
>
>
> Note : It works well on Linux clients.

You surprise me ;-)

>
>
> Here is the Samba config file :
>
>
> Thank you !
>
>
>
> # Global parameters
> [global]
> netbios name = MOE
> realm = ADS.DOMAIN.BE
> workgroup = DOMAIN
> netbios alias = CLUSTER

'CLUSTER' ?? why ? you cannot use a Samba AD DC in a cluster, for one
thing there is no need.

> server role = active directory domain controller
> kerberos method = secrets and keytab
> idmap_ldb:use rfc2307 = yes
> winbind use default domain = false
> winbind offline logon = false

You should remove the above two lines, they do nothing on an AD DC

> template shell = /bin/bash
> template homedir = /home/%u
> ntlm auth = yes
> log level = 4
>
> [netlogon]
> path = /var/lib/samba/sysvol/ads.DOMAIN.be/scripts
> read only = Yes
> browsable = no
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = Yes
> browsable = no
>
> [software]
> comment = Installed productlines
> path = /opt/DOMAIN/actran_product
> read only = Yes
> create mask = 0660
> directory mask = 0770
> guest ok = No
>
> [license]
> comment = license
> path = /opt/licenses/msctwo
> read only = yes
> guest ok = No
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = No
> create mask = 0600
> directory mask = 0700
> guest ok = no
> printable = no
> veto files =
> hide dot files = no

OK several things here, put the [sysvol] & [netlogon] shares back to
what they were when the smb.conf was created. [homes] doesn't work on
a DC and you CANNOT use the old Samba3 ways of setting up shares on a
DC, you MUST use Windows ACLs, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs 

and here:

https://wiki.samba.org/index.php/User_Home_Folders 

Rowland


Rowland

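The inline review above, turned into a small audit script. This is an added example, not part of any post in the thread: the function names are hypothetical, the sample input is an abridged copy of the smb.conf quoted above, and treating `create mask` / `directory mask` as the marker of a Samba3-style share is this example's assumption.

```python
import re

# Abridged copy of the smb.conf quoted in the thread (sample input for the audit).
SMB_CONF = """\
[global]
netbios name = MOE
realm = ADS.DOMAIN.BE
workgroup = DOMAIN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind use default domain = false
winbind offline logon = false
template homedir = /home/%u

[sysvol]
path = /var/lib/samba/sysvol
read only = Yes

[software]
path = /opt/DOMAIN/actran_product
read only = Yes
create mask = 0660
directory mask = 0770

[homes]
browseable = no
read only = No
create mask = 0600
directory mask = 0700
"""

# Parameters the reply says do nothing on an AD DC (normalised -> display name).
NOOP_ON_DC = {
    "winbindusedefaultdomain": "winbind use default domain",
    "winbindofflinelogon": "winbind offline logon",
}
# Assumption of this example: these parameters mark a Samba3-style share.
SAMBA3_STYLE = {"createmask": "create mask", "directorymask": "directory mask"}
# Sections handled by their own rule or not treated as ordinary file shares.
SKIP_SECTIONS = {"global", "sysvol", "netlogon", "homes"}


def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {parameter: value}} using normalised names.

    Backslash line continuations are not handled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)   # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections


def audit_dc_config(text):
    """Return (section, finding) tuples for the DC-specific points in the reply."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    role = " ".join(glob.get("serverrole", "").lower().split())
    if role != "active directory domain controller":
        return []                         # the rules below only apply to a DC
    findings = []
    for key, display in NOOP_ON_DC.items():
        if key in glob:
            findings.append(("global", f"'{display}' does nothing on an AD DC"))
    if "homes" in conf:
        findings.append(("homes", "[homes] is not supported on an AD DC"))
    for name, params in conf.items():
        if name in SKIP_SECTIONS:
            continue
        used = [disp for key, disp in SAMBA3_STYLE.items() if key in params]
        if used:
            findings.append(
                (name, "Samba3-style permissions (%s); use Windows ACLs"
                 % ", ".join(used)))
    return findings


if __name__ == "__main__":
    for section, finding in audit_dc_config(SMB_CONF):
        print(f"[{section}] {finding}")
```
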

Re: Shares not accessible when using FQDN

Samba - General mailing list
On Tue, 29 Aug 2017 16:27:46 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Hi,
>
>
> "CLUSTER" is because this server is related to a computing cluster,
> and is the master node of that cluster ;) No relation with Samba
> infrastructure, this is just a DNS/Netbios alias. To be honest the
> reason why this server is also a DC is to solve a big issue that appeared
> when migrating from 3 to 4. We had no other choice because of a
> couple of reasons, however it is planned to demote it in the near
> future, however at this time it needs to work

OK, but netbios doesn't really work on a DC, also what was the 'big
issue' that meant you had to use a DC ?

>
>
> Ok thank you I will try by removing the winbind lines
>
>
> Regarding the share structure I know this is not a good setup at that
> time, now we are in the first step : Migrating from 3 to 4, second
> step will be better share structure. This is needed to reduce
> disruptions. We always operate like this until now and it was always
> successful. Why do you say homes are not working on a DC ? We have a
> couple of servers which are DC and fileserver at the same time (and
> provide homes shares)

You might think [homes] is working correctly and it might appear to be
working, but it will give problems, why do you think we put this:

 The [homes] feature is not supported running on a Samba Active
 Directory (AD) domain controller (DC).

on the 'Users Home Folder' wiki page ?

>
>
> For now, the biggest issue is shares are not working when using a DNS
> alias because a couple of users have network drives or shortcuts
> which use them

You will need a CNAME in dns on the DC, but all this seems a bit of an
overkill for something that is going to be demoted.
I think you need to explain what you are migrating from and what you
finally hope to end up with.

Rowland


Re: Shares not accessible when using FQDN

Samba - General mailing list
Hi Rowland,


The reason is long to explain but shortly it was about huge amount of data ~20TB stored on that server with unix user ID (coming from a S3/LDAP setup). On a DC mode it seems unix ID are in use instead of idmap id.
CNAME is added indeed.
Regarding the migration as said we came from S3/LDAP and go to 4.6. The entire future structure is not fixed yet but at this time we have a DC, a Fileserver and 3 other servers which should be simple fileservers (member) but currently are DC


Thank you


Re: Shares not accessible when using FQDN

Samba - General mailing list
On Wed, 30 Aug 2017 09:35:29 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Hi Rowland,
>
>
> The reason is long to explain but shortly it was about huge amount of
> data ~20TB stored on that server with unix user ID (coming from a
> S3/LDAP setup).
> On a DC mode it seems unix ID are in use instead of idmap id.

No, not really, it is just a different way of doing things. On a DC
idmap.ldb is used, this allocates IDs in the '3000000' range on a first
come basis, this means that users (and groups) can have different IDs
on different DCs. This can be overridden by giving users a uidNumber
attribute containing whatever ID you require, the same goes for groups,
but with gidNumber attributes.

> CNAME is added indeed. Regarding the migration as said
> we came from S3/LDAP and go to 4.6. The entire future structure is
> not fixed yet but at this time we have a DC, a Fileserver and 3 other
> servers which should be simple fileservers (member) but currently are
> DC

If you were only a small organisation, you could use a DC as a
fileserver, but you have to be aware of the limitations and backup
everything on a regular basis, just how regular depends on how often
you change AD, if you change it hourly, you should back it up hourly.

However you seem to have large and complex requirements, so you
should have at least two DCs with as many Unix domain members running
as fileservers as you require.

With multiple DCs, you only need to backup one DC, usually the
one holding the FSMO roles. You will only need to backup the smb.conf
from the fileservers and any data etc that they hold, you do not need
to backup any other of the Samba files. You can (and should) use the
same smb.conf on all Unix domain members, just don't set the 'netbios
name' in any of them, Samba will fill this for you.

Rowland


Re: Shares not accessible when using FQDN

Samba - General mailing list
Hi Rowland,


Thank you for your answer.
I think I have found a solution which could solve the issue until the next migration step. I tested it on another server which is not critical :




    * Joining the server as a member and setup the shares as you suggest
    * Use nss_ldap instead of nss_winbind (idmap) which will pick my unix ids


In this setup it seems I can access to the shares with any DNS aliases/CNAME


I know it is not a very proper setup but it seems to work and we can do it quickly


What is your mind about this ?


Thanks

Re: Shares not accessible when using FQDN

Samba - General mailing list
On Wed, 30 Aug 2017 10:43:39 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Hi Rowland,
>
>
> Thank you for your answer.
> I think I have found a solution which could solve the issue until the
> next migration step. I tested it on another server which is not
> critical :
>
>
>
>
>     * Joining the server as a member and setup the shares as you
> suggest
>     * Use nss_ldap instead of nss_winbind (idmap) which will pick my
> unix ids

Well 'nss_ldap' is not supported by Samba and normally anything that it
can do, can also be done by winbind. What I am wondering about is what
you are calling 'unix ids', where are these coming from ? are they
from 'uidNumber' & 'gidNumber' attributes stored in AD or
from /etc/passwd & /etc/group ?
If the latter, are you aware that you cannot have a user with the same
name in AD and /etc/passwd.

I think you may be trying to 'bend' AD to fit in with the old way
Samba worked as a PDC or standalone, this is doomed to ultimate
failure in my opinion. You need to work with AD, this will make things
easier in the long run.
 
>
>
> In this setup it seems I can access to the shares with any DNS
> aliases/CNAME

You should be able to do this using winbind.

>
>
> I know it is not a very proper setup but it seems to work and we can
> do it quickly

Yes, but will it be reliable in the long run ?

Rowland



Re: Shares not accessible when using FQDN

Samba - General mailing list
Rowland,


Yes, I mean uidNumber and gidNumber.
I'm aware I need to work with AD but at this time I need my unix IDs (on NSS) to keep services working. Not only for files ownership, but also for some other services. Yeah, that's complex...
If I understand well, the best way to do is to join the server using "net ads join" and use nss_winbind. This is what I do but I only use the NSS LDAP backend instead of NSS (to keep correct ownership).
This will be cleaned in the future (within next migration steps) but for now I think I have no other choice because it seems I cannot obtain unix IDs through Winbind on a domain member (or maybe I missed the solution??).


Thanks


Re: Shares not accessible when using FQDN

Samba - General mailing list
2017-08-30 11:25 GMT+02:00 Gaetan SLONGO via samba <[hidden email]>:

> Rowland,
>
>
> Yes, I mean uidNumber and gidNumber.
> I'm aware I need to work with AD but at this time I need my unix IDs (on
> NSS) to keep services working. Not only for files ownership, but also for
> some other services. Yeah, that's complex...
> If I understand well, the best way to do is to join the server using "net
> ads join" and use nss_winbind. This is what I do but I only use the NSS LDAP
> backend instead of NSS (to keep correct ownership).
>

The best way to do is to choose correctly UID/GID and how you will manage to
have this UID/GID and not others UID/GID.
Two main choices:
- using uidNumber and gidNumber LDAP attributes in AD LDAP tree
- using idmap-rid which relies on Microsoft RID to generate UID/GID.

As you have some historical UID/GID usage, I would choose usage of uidNumber
and gidNumber in which you can set any number you want. As you can choose
what UID/GID you give to every AD object, you will certainly be able to
re-attribute UID/GID which are already in use.
Plus using uidNumber and gidNumber you give same UID or GID to several
different objects.

To be able to use uidNumber and gidNumber in LDAP tree you have several
choices:
- Winbind
- sssd
- nslcd
- certainly others but these 3 should be sufficient for you to have what you
want.

Usage of nss_ldap and pam_ldap in old fashion don't use Kerberos...

Winbind is certainly the simpler way to proceed... if you can modify AD
schema (if not already done) to have access to "UNIX attributes" tab in
ADUC (when accessing to user properties).

If no modification of the schema is possible and you have Samba 4 DC you
can avoid modifying the schema adding "idmap_ldb:use rfc2307 = yes" in
smb.conf on your Samba DC. Please note that without modifying the schema
ADUC tool won't work when accessing to "UNIX attributes" tab in user
properties.
If no modification of the schema is possible and you have only Microsoft DC
you will have to use SSSD.



> This will be cleaned in the future (within next migration steps) but for
> now I think I have no other choice because it seems I cannot obtain unix
> IDs through Winbind on a domain member (or maybe I missed the solution??).
>

>
> Thanks

Re: Shares not accessible when using FQDN

Samba - General mailing list
On Wed, 30 Aug 2017 11:25:04 +0200 (CEST)
Gaetan SLONGO <[hidden email]> wrote:

> Rowland,
>
>
> Yes, I mean uidNumber and gidNumber.
> I'm aware I need to work with AD but at this time I need my unix IDs
> (on NSS) to keep services working. Not only for files ownership, but
> also for some other services. Yeah, that's complex... If I understand
> well, the best way to do is to join the server using "net ads join"
> and use nss_winbind. This is what I do but I only use the NSS LDAP
> backend instead of NSS (to keep correct ownership). This will be
> cleaned in the future (within next migration steps) but for now I
> think I have no other choice because it seems I cannot obtain unix
> IDs through Winbind on a domain member (or maybe I missed the
> solution??).
>
>

If you have users in AD and if you examine a typical users object in AD
and have something like this:

uidNumber: 10000

Then yes, I would say that you have missed the solution, this is from a
Unix domain member using the winbind 'ad' backend:

getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
            ^
Notice this |

I wonder where that comes from ?
Oh I know 'uidNumber: 10000' ;-)

I think your problem may be a very common one, the 'Domain Users' group
in AD hasn't got a gidNumber attribute, if it has, then you haven't set
smb.conf up correctly, in which case post your smb.conf

Rowland



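A pre-flight check for the situation described above (uidNumber set on the user, but no gidNumber on 'Domain Users'), run against an LDIF export before switching a domain member to the winbind 'ad' backend. This is an added example, not part of any post in the thread: the LDIF entries, domain SID, account names and the idmap range 10000-999999 are constructed, the function names are hypothetical, and it assumes the default behaviour where the user's Windows primary group (primaryGroupID) must carry a gidNumber.

```python
# Constructed LDIF in the shape of an AD export; SIDs, names and IDs are invented.
LDIF = """\
dn: CN=Domain Users,CN=Users,DC=ads,DC=domain,DC=be
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513

dn: CN=hpc,CN=Users,DC=ads,DC=domain,DC=be
objectClass: group
sAMAccountName: hpc
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1200
gidNumber: 10050

dn: CN=alice,CN=Users,DC=ads,DC=domain,DC=be
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10000

dn: CN=bob,CN=Users,DC=ads,DC=domain,DC=be
objectClass: user
sAMAccountName: bob
primaryGroupID: 1200
uidNumber: 10001

dn: CN=carol,CN=Users,DC=ads,DC=domain,DC=be
objectClass: user
sAMAccountName: carol
primaryGroupID: 1200
uidNumber: 501

dn: CN=dave,CN=Users,DC=ads,DC=domain,DC=be
objectClass: user
sAMAccountName: dave
primaryGroupID: 1200
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF into a list of {attr: [values]} dicts.

    Base64 ('attr::') values and folded lines are not handled.
    """
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def first(entry, attr):
    """First value of an attribute (case-insensitive name), or None."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def check_member_ids(ldif_text, id_range=(10000, 999999)):
    """Map each user to the reasons the 'ad' backend would not resolve it."""
    low, high = id_range
    entries = parse_ldif(ldif_text)
    # Index groups by RID (last component of objectSid) for primaryGroupID lookup.
    groups = {}
    for entry in entries:
        sid = first(entry, "objectSid")
        if "group" in entry.get("objectclass", []) and sid:
            groups[sid.rsplit("-", 1)[1]] = entry
    report = {}
    for entry in entries:
        if "user" not in entry.get("objectclass", []):
            continue
        problems = []
        uid = first(entry, "uidNumber")
        if uid is None:
            problems.append("no uidNumber")
        elif not low <= int(uid) <= high:
            problems.append(f"uidNumber {uid} outside idmap range {low}-{high}")
        group = groups.get(first(entry, "primaryGroupID"))
        if group is None:
            problems.append("primary group not found in export")
        else:
            gid, gname = first(group, "gidNumber"), first(group, "sAMAccountName")
            if gid is None:
                problems.append(f"primary group '{gname}' has no gidNumber")
            elif not low <= int(gid) <= high:
                problems.append(f"gidNumber {gid} outside idmap range {low}-{high}")
        report[first(entry, "sAMAccountName")] = problems
    return report


if __name__ == "__main__":
    for user, problems in check_member_ids(LDIF).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

Users reported with an empty list are the ones for which `getent passwd` on the member should return the uidNumber stored in AD, as in the output shown above.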

Re: Shares not accessible when using FQDN

Samba - General mailing list

Hi Rowland, my test SMB has several test lines and is dirty, for sure not correct :-)
Could you share your setup to achieve this ?


Thank you !


Re: Shares not accessible when using FQDN

Samba - General mailing list

Thank you for your answer Mathias.


Unix attributes are OK in the Samba 4 DB ("Unix Attributes" tab also OK in ADUC). What I cannot do is to ask to winbind to use uidNumber and gidNumber on a member server setup (in DC mode it is OK) instead of "mapped ids" (idmap range)


Regards,



