Bug 7180 - Group policies Samba4 AD server.
Summary: Group policies Samba4 AD server.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Tridgell
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-25 10:15 UTC by Anton
Modified: 2010-05-15 02:23 UTC
CC: 3 users

See Also:


Attachments
tcpdump (294.09 KB, application/octet-stream), 2010-02-26 07:45 UTC, Anton
new tcpdump. (392.55 KB, application/octet-stream), 2010-03-01 02:35 UTC, Anton
third tcpdump (41.55 KB, application/octet-stream), 2010-03-01 06:28 UTC, Anton
keytab for the next tcpdump capture (1.15 KB, application/octet-stream), 2010-03-02 01:21 UTC, Matthieu Patou
Tcpdump capture from the login up to the "login/password error dialog box" (547.28 KB, application/octet-stream), 2010-03-02 01:23 UTC, Matthieu Patou

Description Anton 2010-02-25 10:15:03 UTC
I'm running s4 alpha12; I got it with rsync this Monday. It's running fine in some aspects, but I have some trouble with managing the group policies. Before, I had the problem that when I pressed the Windows settings tab I got this error http://img692.imageshack.us/img692/8893/testgo.png; now instead, after some changes, I get this error http://img693.imageshack.us/img693/4119/fungera.png (it says bad username/password). Wireshark shows:

NT Create AndX Request, Path: \test.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\User\Registry.pol
NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
NT Create AndX Request, Path: \test.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\Machine\Registry.pol
NT Create AndX Request, Path: \test.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\Machine\Registry.pol
Comment 1 Matthieu Patou 2010-02-25 14:38:51 UTC
Anton,
Can you attach a trace file, because it will be just convenient for us to analyse!
The best is to start the capture at the logon of the user and stop at the error message.

Thanks.

Matthieu
Comment 2 Anton 2010-02-25 15:22:17 UTC
(In reply to comment #1)
> Anton,
> Can you attach a trace file, because it will be just convenient for us to
> analyse!
> The best is to start the capture at the logon of the user and stop at the error
> message.
> 
> Thanks.
> 
> Matthieu
> 

You mean start s4 with something like this?
./samba -i -d3 -M single 
Comment 3 Matthias Dieter Wallnöfer 2010-02-25 16:20:56 UTC
Well, I must admit that I tried GPOs only in my Win2k VM, and there they worked, and on Windows XP they should work too. Are you, Anton, using Windows Vista or 7 as client (according to the screenshots), or is the GPO editor launched from a Windows Server?

So it could definitely be that we aren't compatible with newer GPO formats yet. It would be nice if someone else who tried GPOs with such newer Windows clients could post his experiences.

One other question: did you only try to modify the two existing GPOs or did you try to create a new one and customise it afterwards?
Comment 4 Anton 2010-02-25 16:28:38 UTC
(In reply to comment #3)
> Well, I must admit that I tried GPOs only in my Win2k VM, and there they worked,
> and on Windows XP they should work too. Are you, Anton, using Windows Vista or 7
> as client (according to the screenshots), or is the GPO editor launched from a
> Windows Server?
> 
> So it could definitely be that we aren't compatible with newer GPO formats yet.
> It would be nice if someone else who tried GPOs with such newer Windows clients
> could post his experiences.
> 
> One other question: did you only try to modify the two existing GPOs or did you
> try to create a new one and customise it afterwards?
> 
I'm using Windows 7.
I tried both modifying existing GPOs and creating new ones. And, if you see one of the screenshots, pressing the field that says "principer" works.
Comment 5 Anton 2010-02-26 07:45:20 UTC
Created attachment 5426 [details]
tcpdump
Comment 6 Matthieu Patou 2010-02-26 15:12:54 UTC
Anton,
The capture indicates that the file
 \cuebid.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\User\Registry.pol
was not found (as you noted).
Can you go with the Windows Explorer and create 2 empty files:
 \cuebid.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\User\Registry.pol
 \cuebid.lan\Policies\{34225C12-7AE2-4612-A638-B731BA2ECA64}\Machine\Registry.pol

Can you also try to create a new policy and see if you have the same errors?
Comment 7 Anton 2010-03-01 02:35:54 UTC
Created attachment 5432 [details]
new tcpdump.

I did all that, same error.
New policies created by me look like this:
drwxr-xr-x 4 3000008 users 4096 Mar  1 09:32 {F2AB91C9-265C-4214-B100-F43E11DCE095}

while the other policy looks like this:
drwxr-xr-x 4 root    wheel 4096 Feb 26 15:40 {3A8715B8-81DB-45DE-8389-33E0DBA4602D}

I don't know if this is normal, but if I do
./wbinfo --name-to-sid Administrator

and then ./wbinfo --sid-to-uid (administrator sid), I get the answer
0
Comment 8 Anton 2010-03-01 06:28:17 UTC
Created attachment 5434 [details]
third tcpdump
Comment 9 Matthieu Patou 2010-03-01 06:32:46 UTC
The third dump is for "bad username and password" associated to this screenshot http://img693.imageshack.us/img693/4119/fungera.png, right?
Comment 10 Anton 2010-03-01 06:46:46 UTC
(In reply to comment #9)
> The third dump is for "bad username and password" associated to this screenshot
> http://img693.imageshack.us/img693/4119/fungera.png, right?
> 
Yes sir
Comment 11 Matthieu Patou 2010-03-02 01:21:56 UTC
Created attachment 5438 [details]
keytab for the next tcpdump capture

to be used with Wireshark (i.e. wireshark -k keytab tjock)
Comment 12 Matthieu Patou 2010-03-02 01:23:00 UTC
Created attachment 5439 [details]
Tcpdump capture from the login up to the "login/password error dialog box"
Comment 13 Matthieu Patou 2010-03-02 01:26:34 UTC
In the third capture I noticed that we had an unknown principal on cifs/local.cuebin.lan. This is due to our lack of implementation of DFS shares for sysvol and netlogon.

So I asked Anton to add this principal on his domain controller.

It didn't seem to help much, as W7 starts requesting this principal at packet 2022 and re-asks for it 5 times (2051, 2064, 2077, 2090, 2118) (so 6 requests in total).
Comment 14 Anton 2010-03-03 10:49:57 UTC
This may have something to do with this problem. I did some experiments with AD users and ACLs. It seems that for the mapping to work, I need to have a POSIX user created with the same name as the AD user before creating the AD user. Otherwise, even if I set the user to have full permissions on the folder, it fails.
(Still working on a try with XP/wk8)
Comment 15 Matthieu Patou 2010-03-03 15:05:51 UTC
Can you re-explain the ACL problem?
Comment 16 Anton 2010-03-03 16:30:47 UTC
(In reply to comment #15)
> Can you re-explain the ACL problem?
> 

Will try.
If I create an AD user (with ./bin/net newuser foo123) I need to have a POSIX user with the same name for the mapping to work. Otherwise, if I add a user from Windows in this kind of menu http://docs.hp.com/en/B8725-90063/img/gfx10.gif, I can search, find and add the user (for example foo123). But if I give the user full permissions on the folder and log in with that user in Windows, it won't work; I won't have any permissions.

But if, say, I create a POSIX user named foo123 before I run ./bin/net newuser foo123, it's going to work as expected.
Tomorrow I'm going to be able to send a trace/screenshot if you are interested.
Comment 17 Matthieu Patou 2010-03-03 17:25:34 UTC
Anton,

As for what you just described, I would say that it's "normal": Samba uses a unix account in the end to resolve access to the filesystem, so for a user to have access to a file/folder (or to be able to add/remove it) it must have unix rights and NT ACL rights.
S4 embeds a server called winbind that allocates uid/gid dynamically to Windows users, so you don't have to create unix users and groups manually. But still your user must have access to the file/directory. You can do a test: add a new share to your S4 server and give the rights 777 on the exported folder. You'll be able to create files/dirs in this share even without creating the user manually.

If you then go into this folder you will see that the owner and the group are numerical and not names (like root/adm ...).
In order to make it simple, I am working on winbind patches for s4 that will allow this. You can already take benefit of some of them:
copy libnss_winbind.so to /lib, then edit /etc/nsswitch.conf to add winbind after files (or compat) in the passwd line (like here: http://pastie.org/852625).

Then getent passwd should show your Windows users and ls -l on files should be more friendly.

Afterwards you have to figure out what the gid for domain users is and give your shared directory the correct rights at the group level.
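Two quick checks that follow from the advice in comment 17, as an added example that is not part of the bug thread and not Samba project code: is winbind actually listed on the passwd line of nsswitch.conf after files/compat, and which files in a listing still show a numeric owner (a uid winbind allocated that NSS cannot map back to a name)? The nsswitch.conf contents and the ls -l output below are constructed sample data, not taken from Anton's server.

```shell
#!/bin/sh
# Added example, not from the Samba bug thread or the Samba project.
# Check 1: does the passwd line of an nsswitch.conf list "winbind", and does it
#          come after "files" or "compat" as comment 17 recommends?
# Check 2: which entries of an `ls -l` listing have a purely numeric owner,
#          i.e. a uid that NSS cannot resolve to a user name?

# Takes the text of nsswitch.conf as $1 and prints one word:
#   ok      - winbind is present and listed after files/compat
#   missing - no winbind on the passwd line (or no passwd line at all)
#   order   - winbind is present but listed before files/compat
check_nsswitch_passwd() {
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*passwd:' | head -n 1)
    if [ -z "$line" ]; then echo missing; return 0; fi
    sources=${line#*:}            # everything after "passwd:"
    has_winbind=0; local_seen=0; order_ok=0
    for src in $sources; do
        case $src in
            files|compat) local_seen=1 ;;
            winbind)
                has_winbind=1
                [ "$local_seen" -eq 1 ] && order_ok=1
                ;;
        esac
    done
    if [ "$has_winbind" -eq 0 ]; then echo missing
    elif [ "$order_ok" -eq 0 ]; then echo order
    else echo ok
    fi
}

# Takes `ls -l` output as $1 and prints the names of entries whose owner
# column (field 3) is purely numeric, one per line.
unmapped_owners() {
    printf '%s\n' "$1" | awk '$3 ~ /^[0-9]+$/ { print $NF }'
}

# Constructed sample nsswitch.conf contents.
SAMPLE_NSS_BAD='passwd: compat
group:  compat
hosts:  files dns'

SAMPLE_NSS_GOOD='passwd: compat winbind
group:  compat winbind
hosts:  files dns'

# Constructed sample `ls -l` output, in the shape shown in the thread.
SAMPLE_LS='-rw-r--r-- 1 3000013 users    0 Mar  4 10:39 text.txt
-rw-r--r-- 1 root    wheel    0 Mar  4 10:40 notes.txt
drwxr-xr-x 4 3000008 users 4096 Mar  1 09:32 {F2AB91C9-265C-4214-B100-F43E11DCE095}'

echo "nsswitch without winbind: $(check_nsswitch_passwd "$SAMPLE_NSS_BAD")"
echo "nsswitch with winbind:    $(check_nsswitch_passwd "$SAMPLE_NSS_GOOD")"
echo "entries with unmapped owner:"
unmapped_owners "$SAMPLE_LS"
```

On a real host you would pass `"$(cat /etc/nsswitch.conf)"` and `"$(ls -l /path/to/share)"` instead of the sample strings; a non-empty result from the second check means winbind handed out uids that the NSS side still cannot name, which is exactly the state comment 18 reports.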
Comment 18 Anton 2010-03-04 03:48:37 UTC
OK, I see. Well, I don't get getent passwd to show my AD users, just my POSIX users. And ls -l shows
-rw-r--r-- 1 3000013 users   0 Mar  4 10:39 text.txt
when I have a file created with an AD-only user. But I guess it's not that important(?). I just thought I came up with something that would be a help in the bug.

(In reply to comment #17)
> Anton,
> 
> As for what you just described, I would say that it's "normal": Samba uses a
> unix account in the end to resolve access to the filesystem, so for a user to
> have access to a file/folder (or to be able to add/remove it) it must have unix
> rights and NT ACL rights.
> S4 embeds a server called winbind that allocates uid/gid dynamically to Windows
> users, so you don't have to create unix users and groups manually. But still
> your user must have access to the file/directory. You can do a test: add a new
> share to your S4 server and give the rights 777 on the exported folder. You'll
> be able to create files/dirs in this share even without creating the user
> manually.
> 
> If you then go into this folder you will see that the owner and the group are
> numerical and not names (like root/adm ...).
> In order to make it simple, I am working on winbind patches for s4 that will
> allow this. You can already take benefit of some of them:
> copy libnss_winbind.so to /lib, then edit /etc/nsswitch.conf to add winbind
> after files (or compat) in the passwd line (like here: http://pastie.org/852625).
> 
> Then getent passwd should show your Windows users and ls -l on files should be
> more friendly.
> 
> Afterwards you have to figure out what the gid for domain users is and give
> your shared directory the correct rights at the group level.
> 

Comment 19 Matthias Dieter Wallnöfer 2010-03-04 15:46:40 UTC
ekacnet, Anton, so does this problem still persist? Or was it only due to winbind misconfiguration?
Comment 20 Anton 2010-03-04 16:17:39 UTC
(In reply to comment #19)
> ekacnet, Anton, so does this problem still persist? Or was it only due to
> winbind misconfiguration?
> 

Same problem; tomorrow I will finally be able to try with an XP client.
Comment 21 Matthias Dieter Wallnöfer 2010-03-08 04:33:24 UTC
Reassign file server related bugs up to tridge.
Comment 22 Anton 2010-03-23 05:18:46 UTC
(In reply to comment #21)
> Reassign file server related bugs up to tridge.
> 

Any news on this?
Comment 23 Matthias Dieter Wallnöfer 2010-03-28 13:26:12 UTC
Anton, does the problem persist? Otherwise I'll close this bug.
Comment 24 Anton 2010-03-30 14:56:19 UTC
(In reply to comment #23)
> Anton, does the problem persist? Otherwise I'll close this bug.
> 

Actually, I haven't tried this in a while. I might be wrong, but I thought this was from a missing feature (something with Distributed File System and Windows 7) that was quite a big project to fix.
Comment 25 Matthieu Patou 2010-05-01 07:48:22 UTC
With a recent git I do not have the problem on W7 (I didn't test it before).

Anton, can you recheck on your side with something new?

Also I remember that you told me that you had to fight somehow with ACLs, which is not normal because provision by default makes them pretty OK.

Maybe it's worth recreating a brand new provision with a clean setup and first seeing if you still have the ACL problem (in this case file another bug) and if in this context you still have the problem.

Comment 26 Matthieu Patou 2010-05-14 17:25:26 UTC
Anton,
What is the status of this bug?
Comment 27 Anton 2010-05-14 17:46:44 UTC
(In reply to comment #26)
> Anton,
> What is the status of this bug?
> 
I reinstalled it recently with a new version and it works!
Comment 28 Matthias Dieter Wallnöfer 2010-05-15 02:23:36 UTC
Well, okay - then I mark this as "FIXED".