problem with sessions


problem with sessions

Samba - General mailing list
Hi, I have a PDC with Samba 4.5.1 with an LDAP backend for authentication.

The users can log in to the domain and everything is fine; after some days, the
network resources, in this case the shared directories, can't be
accessed by anyone, not even the directory that is common to everyone.

I found this message with the same problem:

https://lists.samba.org/archive/samba/2014-March/179632.html

and I applied it to samba.conf and krb5.conf, but I am still losing sessions
with samba-pdc. I applied the configs on Sunday, but today, after 2 days, the
problem persists.

If I restart the services again and log out and log in again, I can access
the shares on the server.

Do some parameters exist to avoid this issue?

Is there some communication with Kerberos so that Windows 7 can't renegotiate that
session and it expires?

I can note that the Windows users are standard users; they aren't administrators on
the local machine, if that helps.

This problem is shocking, and I have to restart the PC and the service to access
the directories shared by the DC again.

Thanks so much.


Tony

--
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: problem with sessions

Samba - General mailing list
On Wed, 1 Mar 2017 13:25:56 +0100
Tony Peña via samba <[hidden email]> wrote:

> Hi, I have a PDC with Samba 4.5.1 with an LDAP backend for authentication.

Is it a PDC or an AD DC?

>
> The users can log in to the domain and everything is fine; after some
> days, the network resources, in this case the shared
> directories, can't be accessed by anyone, not even the directory that is
> common to everyone.
>
> i found this message with the same problem
>
> https://lists.samba.org/archive/samba/2014-March/179632.html

That refers to an AD DC, a PDC is something entirely different.

>
> and I applied it to samba.conf and krb5.conf, but I am still losing
> sessions with samba-pdc. I applied the configs on Sunday, but today,
> after 2 days, the problem persists.
>

I think you need to show us your smb.conf and /etc/krb5.conf (if the
latter exists, which it won't do if it is a PDC).

Rowland


Re: problem with sessions

Samba - General mailing list
On Wed, 1 Mar 2017 16:24:36 +0100
Tony Peña <[hidden email]> wrote:

> Hi, thanks for answering quickly.
>
> Yes, it is an AD PDC. I referred to it as a PDC; I thought it would be the same,
> now I see it isn't. Anyway, this is the smb.conf and krb5.conf.

I suggest you change your smb.conf to:

[global]
    workgroup = sambadc
    realm = SAMBADC.LCL
    netbios name = samba-dc
    server string = SAMBA DC
    server role = active directory domain controller
    server services = -dns
    ldap server require strong auth = no
    idmap_ldb:use rfc2307 = yes

    interfaces = lo,ens160
    bind interfaces only = yes

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000

    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/sambadc.lcl/scripts
    read only = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

and change /etc/krb5.conf to:

[libdefaults]
    default_realm = SERVERDC.LCL
    dns_lookup_kdc = true
    dns_lookup_realm = false


I noticed you have this in smb.conf:

    include = /etc/samba/shares.conf

What is in there?

You also seem to be using Bind9 instead of the internal DNS server; how
have you set this up?

What is in /etc/hosts and /etc/resolv.conf?

Rowland


Re: problem with sessions

Samba - General mailing list
On Wed, 1 Mar 2017 17:48:47 +0100
Tony Peña <[hidden email]> wrote:

>     server role = dc
>     server role = active directory domain controller
> Am I correct?

Nearly, but you should only have one 'server role' line and the second
line is the correct one.
 

>
> ----
>
> in the included shares.conf are all the share directories... I have 47 shares...
> so.. I just paste 1 here as an example, the rest are equal, just
> changing the path
>
> [library]
>     comment = Library in common
>     path = /home/samba/shares/Library
>     browseable = Yes
>     read only = No
>     force create mode = 0660
>     force directory mode = 0660
>     vfs objects = acl_xattr full_audit
>     full_audit:failure = connect opendir disconnect unlink mkdir
> rmdir open rename

I take it you haven't read this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

You cannot use POSIX ACLs on a Samba AD DC, so your share should be
something like this:

[library]
    comment = Library in common
    path = /home/samba/shares/Library
    read only = No
    vfs objects = full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

You also had 'browseable = yes'; this is the default setting, but it has
no effect on a DC, there is no browsing on a Samba AD DC.

Once you have changed the share, you will need to read this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
>
> the filesystem has ACLs,
>
> the filesystem on those is:    user : group : others
>
> drwxrwx---+   9 SERVERDC\administrator adm
> 4,0K mar 1 14:26 Library

You will probably need to change this to root:domain admins

Talking of which, I hope you haven't given Administrator a uidNumber.

>
> on resolv.conf
>
> root@server-dc:~# cat /etc/resolv.conf
>
> nameserver 127.0.0.1
> nameserver 8.8.8.8
> nameserver 8.8.4.4
> search serverdc.lcl

You should remove the google nameservers, they should be set as
forwarders in your bind9 conf files.

>
> the bind is ok,

I didn't ask if it was 'ok', I asked how you have set it up, I think
you need to post your bind9 conf files.

> I register a PC into the domain and it's added into LDAP,
> so I can ping NAME_OF_PC and it pings normally, and I see it using
> pdbedit. This is something I can't understand somehow...
> normally I use OpenLDAP, but in this case is it Samba (simulating LDAP)?
> because I see a samba process running so that I can see the
> whole directory from my LDAP client

Yes, Samba 4 running as an AD DC does use its own LDAP, and the DNS info
is stored in AD, but you need to use 'samba_dlz' to connect to it. You
also need to set up bind9 correctly.

Rowland


Re: problem with sessions

Samba - General mailing list
On 01.03.2017 at 18:26, Rowland Penny via samba wrote:
> You also had 'browseable = yes', this the default setting, but it has
> no affect on a DC, there is no browsing on a Samba AD DC.

You accidentally mixed network browsing with browsing the list of shares
on a host.

The "browseable" parameter controls whether a share is visible or not when
you e.g. enter \\hostname\ and it also works on Samba AD DCs. See:
http://picpaste.de/pics/screenshot-ryQ0HeLa.1488395577.png

Network browsing (network neighbourhood) is currently not implemented in
Samba AD DCs. The nmbd service is responsible for this job.


Regards,
Marc


Re: problem with sessions

Samba - General mailing list
Hi again.

The users usually work in this way: browsing the network to find serverdc
using \\serverdc in File Explorer, and after that they choose the correct
share and work inside it with the files they need.

Someone set that share as a mapped drive with letter Z or Y, but they normally
work in this way daily.

So I can't set browseable = No because the users need to see the shares
on the server, otherwise they go crazy.

OK, I restarted samba-ad-dc with these settings:

root@server-dc:/etc/samba# cat smb.conf
[global]
    workgroup = serverdc
    realm = SERVERDC.LCL
    netbios name = server-dc
    server string = Server DC
    server role = active directory domain controller
    server services = -dns
    server signing = auto
    ldap server require strong auth = no
    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes

    interfaces = lo,ens160
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000


    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/serverdc.lcl/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

--------

shares.conf

47 shares like

[FooBar]
    comment = FooBar
    path = /home/samba/shares/foobar
    browseable = Yes    # users need to browse the network because them working in this way for many years.
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

-----

resolv.conf

nameserver 127.0.0.1
search serverdc.lcl

-----

krb5.conf

[libdefaults]
    default_realm = SERVERDC.LCL
    dns_lookup_kdc = true
    dns_lookup_realm = false


-------

all bind files

root@server-dc:/etc/samba# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

--------
named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

-------------------------------
named.conf.local

// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.100.0/22;
};

dlz "AD DNS Zone" {
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

};



zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.100.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 100.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};


----------
named.conf.options

options {
     sortlist {
            { 192.168.100.0/22 ;{ 192.168.100.0/22 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;


    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };

------------
After the changes to smb.conf and krb5.conf following your suggestions,
I can log out and log in to the domain on the client PC,
and can browse \\server-dc and use Library OK, but not FooBar (which is fine
this way for these logged-in users) because the ACL is working with the filesystem and
is OK....

But my problem from the beginning.... how can I know that I won't lose
access to (e.g. the Library share) after 2/3 days?

Do some tools/commands exist to show whether the time for share access expires? Or
with these settings is it OK and it won't happen again?

Because my big problem is that! The ACLs of the share are working OK; it's
just that I don't know why after some days I lose access and need to restart
services and log out & log in again :(


--
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001

Re: problem with sessions

Samba - General mailing list
On Thu, 2 Mar 2017 12:40:46 +0100
Tony Peña <[hidden email]> wrote:

>
> So I can't set browseable = No because the users need to see the
> shares on the server, otherwise they go crazy.

I never said to set it to 'no', I pointed out that what you had is the
default and as such, it doesn't need to be set.

>
> OK, I restarted samba-ad-dc with these settings:
>
>
> shares.conf
>
> 47 shares like
>
> [FooBar]
>     comment = FooBar
>     path = /home/samba/shares/foobar
>     browseable = Yes    # users need to browse the network because
> them working in this way for many years.

'Yes' is the default, so you don't need it.

>     read only = No
>     force create mode = 0660
>     force directory mode = 0660

This doesn't work on a DC, read the wiki pages I pointed you to!

>     vfs objects = acl_xattr full_audit

'acl_xattr' is built into Samba when running as a DC, so it shouldn't be
set here.


> all bind files
>

OK, these are my bind conf files and I have been using them for the
last 5 years without problems ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;

        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


> ------------
> After the changes to smb.conf and krb5.conf following your suggestions,
> I can log out and log in to the domain on the client PC,
> and can browse \\server-dc and use Library OK, but not FooBar (which is
> fine this way for these logged-in users) because the ACL is working with
> the filesystem and is OK....

You are trying to use the OS permissions on a Samba AD DC; this is NOT
supported.

>
> But my problem from the beginning.... how can I know that I won't lose
> access to (e.g. the Library share) after 2/3 days?

I think your problem is down to your DNS setup, it seems to be using
flatfiles and this is NOT supported by Samba.

Rowland

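As an added example (not from this thread or from the Samba project), here is a small POSIX shell lint that reads an smb.conf or shares.conf and reports the share settings Rowland flags in this reply and in his earlier one about the [library] share: `force create mode` and `force directory mode` (no effect on a DC), `acl_xattr` in `vfs objects` (already built in on a DC) and a redundant `browseable = yes`. It also flags a trailing `#` comment on a value line, which Samba does not strip (only whole-line comments are ignored), so the comment text becomes part of the value. The sample input is constructed to mirror the shares.conf posted above.

```shell
#!/bin/sh
# Added example: lint share definitions for settings that are unsupported or
# redundant on a Samba AD DC (per the advice in this thread). Not part of Samba.

# Constructed sample, modelled on the shares.conf posted in the thread.
SAMPLE_SHARES_CONF='[library]
    comment = Library in common
    path = /home/samba/shares/Library
    browseable = Yes    # users need to browse the network
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename

[clean]
    path = /home/samba/shares/clean
    read only = No
    vfs objects = full_audit'

# lint_dc_shares: reads smb.conf text on stdin, prints one "<share>: <finding>"
# line per problem. Keys and values are compared case-insensitively.
lint_dc_shares() {
    share="(global)"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            "" | "#"* | ";"*) continue ;;                      # blank or whole-line comment
            "["*"]") share=${line#"["}; share=${share%"]"}; continue ;;
        esac
        # Samba only ignores whole-line comments: a trailing "# ..." is part of the value.
        case "$line" in
            *=*"#"* | *=*";"*)
                printf '%s: trailing comment is not stripped by Samba and ends up in the value\n' "$share"
                line=${line%%[#;]*} ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        val=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        finding=""
        case "$key" in
            "force create mode" | "force directory mode")
                finding="'$key' sets POSIX modes, which do not work on a DC; use Windows ACLs" ;;
            "vfs objects")
                case " $val " in
                    *" acl_xattr "*) finding="acl_xattr is built in on a DC; remove it from 'vfs objects'" ;;
                esac ;;
            "browseable")
                if [ "$val" = "yes" ]; then
                    finding="'browseable = yes' is the default and can be dropped"
                fi ;;
        esac
        if [ -n "$finding" ]; then
            printf '%s: %s\n' "$share" "$finding"
        fi
    done
}

# count_dc_share_findings: same input on stdin, prints only the number of findings.
count_dc_share_findings() {
    lint_dc_shares | wc -l | tr -d ' '
}

# Stand-alone demo; on a real DC run: lint_dc_shares < /etc/samba/shares.conf
printf '%s\n' "$SAMPLE_SHARES_CONF" | lint_dc_shares
```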

Re: problem with sessions

Samba - General mailing list
On Thu, 2 Mar 2017 18:48:47 +0100
Tony Peña <[hidden email]> wrote:

> Hi Rowland,
>
> OK, I fixed the other lines above but..
>
> what does "I think your problem is down to your DNS setup, it seems
> to be using flatfiles" and "this is NOT supported by Samba" mean?
>
>
>

OK, you have things like this in your bind conf files:

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

This is a 'flatfile'.

If this is a reverse zone for the DC domain, it should be in AD and you
don't update it as you are trying to do.

If it isn't a reverse zone, then it shouldn't be in your bind conf
files.

If I run 'samba-tool dns zonelist 127.0.0.1' on the DC, I get this:

samba-tool dns zonelist 127.0.0.1 -Uadministrator
Password for [SAMDOM\administrator]:
  3 zone(s) found

  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.example.com

  pszZoneName                 : samdom.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.samdom.example.com

  pszZoneName                 : _msdcs.samdom.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.samdom.example.com

The reverse zone, the forward zone and the forest zone.

If you need to add the reverse zone to AD, see 'samba-tool dns
zonecreate --help'

Rowland

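As an added example (not from this thread or from Samba), here is a POSIX shell helper for the check Rowland describes: it derives the /24 reverse zones that a prefix such as Tony's 192.168.100.0/22 needs and looks each one up in the output of `samba-tool dns zonelist <server> -U<user>`, reporting whether it is AD-integrated with secure updates or still missing from AD (and so presumably living only in a BIND flat file). The zonelist text below is a constructed sample in the shape of the one Rowland posted, using his zone names; on a real DC feed the command's actual output instead.

```shell
#!/bin/sh
# Added example: check that the reverse zones for given prefixes are AD-integrated
# on a Samba AD DC, using 'samba-tool dns zonelist' output. Not part of Samba.

# Constructed sample in the shape of the zonelist output posted in the thread.
SAMPLE_ZONELIST='  3 zone(s) found

  pszZoneName                 : 0.168.192.in-addr.arpa
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  pszDpFqdn                   : DomainDnsZones.samdom.example.com

  pszZoneName                 : samdom.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  pszDpFqdn                   : DomainDnsZones.samdom.example.com

  pszZoneName                 : _msdcs.samdom.example.com
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  pszDpFqdn                   : ForestDnsZones.samdom.example.com'

# reverse_zones_for A.B.C.D/N (16 <= N <= 24): prints one /24 in-addr.arpa zone
# per line covering the prefix, e.g. 192.168.100.0/22 -> 100..103.168.192.in-addr.arpa
reverse_zones_for() {
    ip=${1%/*}; bits=${1#*/}
    case "$bits" in
        ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
    esac
    if [ "$bits" -lt 16 ] || [ "$bits" -gt 24 ]; then
        echo "only /16../24 prefixes are handled: $1" >&2; return 1
    fi
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    a=$1; b=$2; c=$3
    n=$((1 << (24 - bits)))              # number of /24 zones inside the prefix
    c=$((c & ~(n - 1) & 255))            # align the third octet to the prefix boundary
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%s.%s.%s.in-addr.arpa\n' "$((c + i))" "$b" "$a"
        i=$((i + 1))
    done
}

# zone_status ZONE ZONELIST_TEXT: prints ok | insecure-updates | not-ds-integrated | missing
zone_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "pszZoneName" { cur = $3; next }
        $1 == "Flags" && cur == want {
            found = 1
            integrated = index($0, "DNS_RPC_ZONE_DSINTEGRATED") > 0
            secure = index($0, "DNS_RPC_ZONE_UPDATE_SECURE") > 0
        }
        END {
            if (!found)            print "missing"
            else if (!integrated)  print "not-ds-integrated"
            else if (!secure)      print "insecure-updates"
            else                   print "ok"
        }'
}

# audit_reverse_zones ZONELIST_TEXT CIDR...: prints "<zone> <status>" for every
# reverse zone the given prefixes require.
audit_reverse_zones() {
    zl=$1; shift
    for cidr in "$@"; do
        reverse_zones_for "$cidr" | while IFS= read -r z; do
            printf '%s %s\n' "$z" "$(zone_status "$z" "$zl")"
        done
    done
}

# Stand-alone demo with the constructed sample; on a real DC use something like:
#   audit_reverse_zones "$(samba-tool dns zonelist 127.0.0.1 -Uadministrator)" 192.168.100.0/22
audit_reverse_zones "$SAMPLE_ZONELIST" 192.168.100.0/22 192.168.0.0/24
```

A zone reported as missing is one that `samba-tool dns zonecreate` still has to add to AD before the flat-file zone is removed from the bind configuration.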

Re: problem with sessions

Samba - General mailing list
On Fri, 3 Mar 2017 08:33:24 +0100
Tony Peña <[hidden email]> wrote:

>
>
> about the reverse zone in the bind files,
> my network is set up as 192.168.100.0/22 and the PTR file for that
> network exists with all the PC clients written inside correctly.
>
> That 0 reverse zone is there because 1 PC outside of this location
> needs to connect to this 192.168.100.0/22 network and must be joined
> into the domain, and that PC uses 192.168.0.50; that's why I have the
> reverse zone file "0.168.192.in-addr.arpa"
>
> what can I do then?

You have seen my reverse zone, just add the reverse zone to AD.


>
> when you said: "You are trying to use the OS permissions on a Samba
> AD DC, this NOT
> supported."
>
> OK, I can understand that it is not supported, but browsing into shares,
>
> using the test account, I can access that file because using ACLs
> in the filesystem allows it
>

This is what the wiki page says:

Using the Domain Controller as a File Server

The Samba Active Directory (AD) domain controller (DC) is able to provide file shares, just like all other installation modes. However, the Samba team does not recommend using a DC as a file server because the DC smbd process has some limitations compared with the service in non-DC setups. For example, the auto-enabled acl_xattr virtual file system (VFS) object enables you to only configure shares with Windows access control lists (ACL). Running shares with POSIX ACLs on a Samba DC is not supported.

For 'not supported' read, 'this may look like it works, but it will
ultimately come back and bite you!'

I suggest you set the ACLs from a Windows machine, this will actually
give you better control.

Rowland
 


Re: problem with sessions

Samba - General mailing list
On Mon, 13 Mar 2017 14:43:11 +0100
Tony Peña <[hidden email]> wrote:

> Hi Rowland,
>
> zentyal in this case is installed as an AD DC and in its web interface I
> can create the directories and set the ACLs...

It all depends on just how zentyal is setting the ACLs: if it is setting the
normal Unix 'UGO' permissions, or if it is setting the permissions in
smb.conf, then this will not work correctly. It may be using
'setfacl', but even this is not the same as setting the file
permissions from Windows.
 
>
> if what you said above is not recommended... how is it possible that this
> works?

It may be that it just appears to work, until something goes wrong...

>.. anyway.. I'm thinking of leaving only AD and moving all the shares,
> creating a new server as a fileserver.
> I need to send all the files from the actual AD DC to the other one .... put
> the fileserver as a domain member and read the ACLs from the AD DC?

I think you are suggesting creating a Unix domain member and using this
as a fileserver, this would be a good idea.

>
> my problem is that, creating a second server as a fileserver, I can't manage the
> interface on the second one to create a share, or I do it on the AD DC setup by
> the web interface and the replication config is sent to the fileserver to create
> that share. Is it possible?

Creating a share is easy, just follow the information on the Samba
wiki. It is just a case of adding something to smb.conf, then creating the
required directory for the share and finally moving to a Windows
machine and setting the required permissions.

>
> my problem occurs 1 time a week, very near Wednesday at noon. :(
> my only result for now is rebooting the server every day at 7.30am
> before all the clients log in to the client PCs.
>
>

This is strange, does something happen every Wednesday? Is there
anything in the logs? Perhaps raising the log level in smb.conf will
throw light on the problem.
 
Rowland
