Windows file server login not possible after UCS update to 4.3

@codedmind

that's a great problem :roll_eyes:

Result on a W2012 terminal server connected to a UCS 4.3-0 errata 9:

```
PS F:\> get-smbconnection
get-smbconnection : Zugriff verweigert
In Zeile:1 Zeichen:1
+ get-smbconnection
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (MSFT_SMBConnection:ROOT/Microsoft/...T_SMBConnection) [Get-SmbConnection], CimException
    + FullyQualifiedErrorId : Windows System Error 5,Get-SmbConnection
```

Hope that gives some indication on what’s going on.

Martin

Hey,

you must run PowerShell with admin privileges for that command to work.

Kind regards,
mosu

> you must run PowerShell with admin privileges for that command to work.

Logging in as admin was obviously not sufficient :neutral_face:

powershell command Get-SmbConnection

Result on a W2012 terminal server connected to a UCS 4.3-0 errata 9:

Dialect 3.02 in my case.

Martin

Hi there,

I’ve had exactly the same issue. Solved reproducibly by the following steps for anyone who is interested:

  1. Create a local.conf file which is then included in smb.conf:

     ```
     cat /etc/samba/local.conf
     [global]
     map untrusted to domain = yes
     ```

  2. ucr commit /etc/samba/smb.conf
  3. service samba-ad-dc restart

Side note: Running on 4.3-0 errata11, was a 4.2 before.
Side note 2: This also solved the RDP issues reported in this forum with upgraded 4.3 instances, where access did not work or took forever.

And you will be a happy puppy with uber-fast connections to RDP and CIFS shares again.

Have fun.

- mike

Hello

this solution does not work for me, problem still exists, unhappily

regards klaus

1 Like

same here … :frowning:

@klausz, @onex: The only other difference I’ve also made in my environment is : ucr set samba/ntlm/auth=yes - Maybe that helps…

@mkromer don’t believe that could be the solution.

I don’t have that variable set, but the option is in my /etc/samba/smb.conf…

```
root@CCMDC01:~# ucr search --brief ntlm
samba/ntlm/auth: <empty>
root@CCMDC01:~# cat /etc/samba/smb.conf | grep ntlm
        ntlm auth       = yes
root@CCMDC01:~#
```

@codedmind: yup, it seems then that in your case this won’t help much. The only other thing I can do is to help you out in drilling down on the problem. Is your self-check (diagnosis) page all good in UMC? Mine is perfect and shows no issues.

Yes… well, I have two issues but I cannot solve them … maybe not related…

`samba-tool ntacl sysvolcheck` returned a problem with the sysvol ACLs.

STDOUT:
WARNING: The "map untrusted to domain" option is deprecated
WARNING: The "map untrusted to domain" option is deprecated

You can run `samba-tool ntacl sysvolreset` to fix the issue.


Found 1 UCS rejects and 0 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.
UCS rejected:
UCS DN: ;unknown, S4 DN: not found, Filename: /var/lib/univention-connector/s4/.1522319929.525067.swp

However, I have a warning that I don’t know how to get rid of.

DNS Check
Caution! The DNS service record for the UCS Master was not found in the DNS server.

Details are explained in the [Support Database](http://sdb.univention.de/1299).

Do you have two UCS servers? I have one master and one slave (do you know if I should have the Active Directory app on both? I always only have it on the master… and everything works…)

mine is ugly :frowning:

`samba-tool dbcheck` fand Probleme mit der lokalen AD Datenbank.

STDOUT:
WARNING: Ignoring invalid value '' for parameter 'ntlm auth'
ERROR(runtime): uncaught exception - Unable to load default file
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 87, in run
    lp = sambaopts.get_loadparm()
  File "/usr/lib/python2.7/dist-packages/samba/getopt.py", line 92, in get_loadparm
    self._lp.load_default()

Sie können `samba-tool dbcheck --fix` ausführen um die Probleme zu beheben.
 Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 269, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 148, in run
    drs = DRSUAPI()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 59, in __init__
    (self.load_param, self.credentials) = self.samba_credentials()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/41_samba_tool_showrepl.py", line 77, in samba_credentials
    load_param.load_default()
RuntimeError: Unable to load default file
 `samba-tool ntacl sysvolcheck` meldet ein Problem mit den SYSVOL ACL Einträgen.

STDOUT:
WARNING: Ignoring invalid value '' for parameter 'ntlm auth'
ERROR(runtime): uncaught exception - Unable to load default file
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 252, in run
    lp = sambaopts.get_loadparm()
  File "/usr/lib/python2.7/dist-packages/samba/getopt.py", line 92, in get_loadparm
    self._lp.load_default()

Sie können `samba-tool ntacl sysvolreset` ausführen um die Probleme zu beheben.

Hey,

seems like you’ve set the variable samba/ntlm/auth to an empty value — which is not the same as unsetting it. Try ucr unset samba/ntlm/auth

m.

I reversed the local.conf in /etc/samba/ and unset the variable.
Now, I don’t have any issues on the self-check, but the same problem as in my initial post.

@mkromer

with my samba db query comes the message
WARNING: The “map untrusted to domain” option is deprecated
is this ok?

klaus

We are currently checking the issue and will report our results. First checks with Windows 7 domain members hosting a share in a UCS 4.3 Samba/AD domain seem to show that the issue is reproducible.

1 Like

Ok, it looks like the firewall of the UCS 4.3 Samba/AD DCs is blocking TCP ports dynamically allocated by Samba 4.7. In our lab we found that the following adjustment fixed the issue:

```
ucr set \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all="ACCEPT" \
     security/packetfilter/package/univention-samba4/tcp/49152:65535/all/en="Dynamic RPC Ports (Samba)"

ucr unset \
     security/packetfilter/package/univention-samba4/tcp/49152/all \
     security/packetfilter/package/univention-samba4/tcp/49152/all/en

service univention-firewall restart
```

Please note that this needs to be adjusted on all UCS 4.3 Samba/AD DCs.
We will also prepare an errata update to address this.

4 Likes
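Because the adjustment above has to be made on every UCS 4.3 Samba/AD DC, a per-host check of the two UCR keys helps catch a DC that was missed or only half-changed. The following is an added example, not part of the original posts and not a UCS tool: `audit_rpc_filter` is a hypothetical helper that reads lines in the `key: value` form that `ucr search --brief` prints in this thread, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit the packet-filter UCR keys named in the fix above.
# audit_rpc_filter is a hypothetical helper name, not shipped with UCS.
# On a DC, feed it the "key: value" lines printed by `ucr search --brief`.

PREFIX="security/packetfilter/package/univention-samba4/tcp"

audit_rpc_filter() {
    range_action=""
    legacy_set=no
    while IFS= read -r line; do
        key=${line%%: *}      # text before the first ": "
        value=${line#*: }     # text after the first ": "
        case "$key" in
            "$PREFIX/49152:65535/all")
                range_action=$value ;;
            "$PREFIX/49152/all")
                # A key printed as "<empty>" carries no value
                if [ -n "$value" ] && [ "$value" != "<empty>" ]; then
                    legacy_set=yes
                fi ;;
        esac
    done
    if [ "$range_action" != "ACCEPT" ]; then
        echo "FAIL: tcp/49152:65535 is '${range_action:-unset}', expected ACCEPT"
        return 1
    fi
    if [ "$legacy_set" = yes ]; then
        echo "WARN: old single-port rule tcp/49152 is still set"
        return 2
    fi
    echo "OK: dynamic RPC port range is accepted"
}

# Constructed sample: the state of one DC after the fix was applied
audit_rpc_filter <<EOF
$PREFIX/49152:65535/all: ACCEPT
$PREFIX/49152:65535/all/en: Dynamic RPC Ports (Samba)
EOF
```

Exit status 1 means the range rule is missing, 2 means the range rule is in place but the old single-port key was not unset.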

This solved my issues!!!

Thanks a lot!

Perfect solution, tyvm!

that was,

thank you very much
