No RDP connection to domain computers

Hello,

I tried these solutions and it works fine.

Thank you very much.

I’m sorry but I have to come back to you because the problem is here again.

The solution “map untrusted to domain = yes” worked for a while but the problem is back again. This morning the same issue: LSA is not available.

When I restart the samba-ad-dc service a login is possible for a while but not steady.

Any other ideas?

Kind regards Jochen

@Moritz_Bunkus: Totally agree.

@Jochen77: The only other difference I’ve made was setting ucr set samba/ntlm/auth=yes which effectively sets NTLM1 to be permitted as well. Maybe worth a try?

@Moritz_Bunkus: What I find quite disturbing as of yet is still though that there seems to be close to 0 from Univention directly and by the mere number of posts regarding this special topic I think there really should be at least some sort of reaction. While it is true that samba made these changes I personally would have expected a bit more QA or at least reaction in this topic. Not wanting to rant at all, I know a lot of Univention guys and they’re really great (I mean it with every word) I still find it a bit disturbing nothing happens in these cases for weeks now. :confused: … Well, whatever it be: Let’s hope they’ll find a solution to these problems as well.

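ref: UCS 4.3 Samba 4.7 - Probleme beim Authentizieren (war: Änderungen bei NTLM?) [UCS 4.3 Samba 4.7 - Problems authenticating (was: Changes to NTLM?)]
ref: Windows Fileserveranmeldung nach UCS Update auf 4.3 nicht möglich [Windows file server login not possible after UCS update to 4.3]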

I’m just happy I could at least solve my issues by the solutions I’ve posted. Wish you good luck all together!

100% agreement!
And the worst part about it, they messed things up with the upgrade and want me to pay for support to fix it. :frowning:
Comparing the Kopano support with the Univention support is like comparing black to white.
It is more than embarrassing that a Kopano employee is now taking care of possible bug fixes for a Univention product.

But, tyvm, @mkromer. Way to go!

Maybe Univention can learn from it.

We are currently checking the issue and will report our results.

Hello,

Just a short feedback. I ran

ucr set samba/ntlm/auth=yes

2 days ago. It seems to run clear now.

Kind regards.

Jochen

Ok, it looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. In our lab we found that the following adjustment fixed the issue:

ucr set \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"

ucr unset \
     security/packetfilter/package/univention-samba4/tcp/49152/all \
     security/packetfilter/package/univention-samba4/tcp/49152/all/en

service univention-firewall restart

Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.
We will also prepare an errata update to address this.

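An added example, not part of the original posts or of Univention's tooling: a shell check for each DC that reports whether the packet-filter variables open the whole dynamic RPC range (49152:65535) or only port 49152, as before the adjustment above. It assumes `ucr dump` prints `key: value` lines; the function name `rpc_range_status` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit UCR packet-filter variables for Samba's dynamic RPC range.
# Assumes input lines in "key: value" form (as `ucr dump` prints them).
PREFIX='security/packetfilter/package/univention-samba4/tcp/'

# Reads UCR lines on stdin and prints:
#   OK      - an ACCEPT rule for "all" covers 49152-65535
#   PARTIAL - an ACCEPT rule opens only part of that range (e.g. 49152 alone)
#   MISSING - no ACCEPT rule touches the range
rpc_range_status() {
    awk -v prefix="$PREFIX" -v lo=49152 -v hi=65535 '
        index($0, prefix) == 1 {
            sep = index($0, ": ")                  # first colon-space ends the key
            if (!sep) next
            key = substr($0, 1, sep - 1)
            val = substr($0, sep + 2)
            rest = substr(key, length(prefix) + 1) # e.g. "49152:65535/all"
            n = split(rest, part, "/")
            if (n != 2 || part[2] != "all") next   # skip descriptions (/all/en)
            if (toupper(val) != "ACCEPT") next
            m = split(part[1], p, ":")
            first = p[1] + 0
            last = (m == 2 ? p[2] : p[1]) + 0
            if (first <= lo && last >= hi) full = 1
            else if (first <= hi && last >= lo) partial = 1
        }
        END { print (full ? "OK" : (partial ? "PARTIAL" : "MISSING")) }
    '
}

# Constructed sample input: state before and after the adjustment.
SAMPLE_BEFORE='security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152/all/en: constructed description'
SAMPLE_AFTER='security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152:65535/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en: Dynamic RPC Ports (Samba)'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | rpc_range_status)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | rpc_range_status)"

# On a DC: run the same check against the live registry, if ucr is present.
if command -v ucr >/dev/null 2>&1; then
    printf 'live:   %s\n' "$(ucr dump | rpc_range_status)"
fi
```

A `PARTIAL` or `MISSING` result on any DC means that host still needs the adjustment and a firewall restart.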