samba - Apr 2019 - AD member server, some users suddenly can only connect to shares via ip address

On 2019/04/25 13:46, Rowland Penny via samba wrote:
> No, the key error is that dns doesn't seem to be working, if you can
> connect via ipaddress, then you are not using kerberos.
>
The server is resolved just fine, it just gets a password prompt. The 
server can also resolve the client correctly.

I see this issue came up before 
https://lists.samba.org/archive/samba/2016-September/203338.html

On Thu, 25 Apr 2019 14:38:36 +0200
Neil Price via samba <samba at lists.samba.org> wrote:
> On 2019/04/25 13:46, Rowland Penny via samba wrote:
> > No, the key error is that dns doesn't seem to be working, if you
can
> > connect via ipaddress, then you are not using kerberos.
> >  
> The server is resolved just fine, it just gets a password prompt. The 
> server can also resolve the client correctly.
> 
> I see this issue came up before 
> https://lists.samba.org/archive/samba/2016-September/203338.html
OK, post your smb.conf

Rowland

On 2019/04/25 14:44, Rowland Penny via samba wrote:
> OK, post your smb.conf
Thanks for help.... remember this has been working up to now and only a 
few users have the password prompt..  (btw "gibb.local" is a trusted 
samba3 domain used for migration, connecting as a gibb.local user does work)

getent passwd returns expected results, as does wbinfo -u

# Global parameters
[global]
         netbios name = PTA-CLUSTER
         realm = AD.GIBB.CO.ZA
         server string = Pretoria Cluster
         workgroup = GIBB
         ldap connection timeout = 20
         ldap timeout = 60
         log file = /var/log/samba/log.%m
         max log size = 1000
         syslog = 0
         panic action = /usr/share/samba/panic-action %d
         map to guest = Bad User
         obey pam restrictions = Yes
         pam password change = Yes
         passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         passwd program = /usr/bin/passwd %u
         security = ADS
         server role = member server
         unix password sync = Yes
         username map = /etc/samba/user.map
         template homedir = /home/gibb/%U
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind refresh tickets = Yes
         winbind request timeout = 120
         dns proxy = No
         wins server = 192.168.112.94 192.168.104.2
         idmap config gibb.local : range = 1600000-1999999
         idmap config gibb.local : backend = rid
         idmap config gibb : range = 1000000-1599999
         idmap config gibb : backend = rid
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
[homes]
         comment = Home Directories
         path = /home/gibb/%U
         browseable = No
         root preexec = /usr/local/sbin/mkhomedir.sh %U
         create mask = 0750
         directory mask = 0750
         read only = No
        valid users = %S GIBB.LOCAL\%S GIBB\%S

[projects]
         comment = Pretoria projects
         path = /home/shares/projects
         inherit permissions = Yes
         read only = No
         valid users = @domusers "@GIBB.LOCAL\Domain Users" 
"@GIBB\Domain Users"

user.map:

!root = GIBB\Administrator