Hi,

I have 4 Samba servers: DC1, DC2, DC3 and SRV8. DC3 is a domain controller and file server, SRV8 is a file server. Sometimes one computer or another cannot mount network shares from SRV8. We can log in on that computer, but when we try to mount a network share, Windows asks for credentials for the share and doesn't accept them. When we log in with another user on the same computer, the result is the same. The same users can mount the shares on other computers. On the computer which cannot mount shares from SRV8, I can mount shares from DC3.

I restarted the Samba services on SRV8, and after that I could mount shares on the computer that failed before. The next day I couldn't mount shares on it again, and restarting the Samba services didn't help. Next try: I unjoined the computer from the domain and joined it again: I could mount the shares again, but the next day the problem came back. Today I did the trick again, and I see the shares... I'm sure it will fail again. What could be the problem?
smb.conf on SRV8:

[global]
        bind interfaces only = Yes
        dos charset = CP852
        interfaces = lo eth0
        log file = /var/log/samba/%m.log
        log level = 1 auth:5
        logon path = ""
        name resolve order = lmhosts host bcast
        realm = XYZ.XYZ.HU
        security = ADS
        template homedir = /home/%D/users/%U
        template shell = /bin/bash
        unix charset = UTF8
        username map = /etc/samba/user.map
        workgroup = XYZ
        idmap config perczel : range = 10000-999999
        idmap config perczel : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        csc policy = disable
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[example]
        path = /home/xyz/example
        read only = No

smb.conf on DCs:

[global]
        bind interfaces only = Yes
        dns forwarder = 208.67.220.220
        interfaces = lo eth0
        logon home = \\srv8\users\%U
        logon path = ""
        name resolve order = lmhosts host bcast
        netbios name = DC1
        realm = XYZ.XYZ.HU
        server role = active directory domain controller
        template shell = /bin/bash
        workgroup = XYZ
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/xyz.xyz.hu/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Samba version: 4.10.11 on Debian Buster
On 09/01/2020 07:41, Pisch Tamás via samba wrote:
> smb.conf on SRV8:
> [global]
> workgroup = XYZ
> idmap config perczel : range = 10000-999999
> idmap config perczel : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb

OK, I take it you missed this:

idmap config perczel : backend = rid

If your workgroup isn't 'PERCZEL' then change it in the 'idmap config' lines.

There are a couple of default lines in SRV8:

unix charset = UTF8
store dos attributes = Yes

You can remove these.
You also have these lines:

logon path = ""
name resolve order = lmhosts host bcast

You should remove these, they have no place in an AD smb.conf.

You should also remove these lines from the DCs (for the same reason):

logon home = \\srv8\users\%U
logon path = ""
name resolve order = lmhosts host bcast

Now we come to a line that you should add to all the smb.conf files:

winbind refresh tickets = yes

This will ensure that your kerberos tickets will be refreshed.

Rowland
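As an added example (written for this page; it is not from the thread and not Samba project code), here is a small POSIX sh/awk lint that checks an smb.conf for the three points Rowland raises above: the domain named in the 'idmap config <DOMAIN>' lines must match 'workgroup' (otherwise winbind serves the joined domain from the 'idmap config *' fallback, whose tdb allocations happen locally on first use and so differ from server to server), the NT4-era 'logon path', 'logon home' and 'name resolve order' parameters should be gone, and 'winbind refresh tickets = yes' should be present. The two [global] sections are constructed inline: the first mirrors the SRV8 config posted in the thread, the second is my own rendering of the advice, not a config Rowland posted.

```shell
#!/bin/sh
# smbconf_lint.sh - added example, not from the mailing-list thread.
# Checks an smb.conf for the idmap/workgroup mismatch and the stale
# parameters discussed above. Inputs are constructed inline so this runs
# offline; point the functions at /etc/samba/smb.conf for real use.

# Constructed sample mirroring the SRV8 [global] section from the thread:
# 'idmap config' names the domain 'perczel' while the workgroup is XYZ.
SAMPLE_BROKEN='[global]
    workgroup = XYZ
    realm = XYZ.XYZ.HU
    security = ADS
    logon path = ""
    name resolve order = lmhosts host bcast
    idmap config perczel : range = 10000-999999
    idmap config perczel : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
'

# Constructed "after" sample (my rendering of the advice): idmap domain
# matches the workgroup, stale parameters removed, tickets refreshed.
SAMPLE_FIXED='[global]
    workgroup = XYZ
    realm = XYZ.XYZ.HU
    security = ADS
    winbind refresh tickets = yes
    idmap config XYZ : range = 10000-999999
    idmap config XYZ : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
'

# conf_value FILE KEY -> value of the first "KEY = value" line
# (case-insensitive key match, surrounding whitespace stripped).
conf_value() {
    awk -F '=' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# has_param FILE KEY -> exit 0 if KEY is set at all (even to "").
has_param() {
    awk -F '=' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# idmap_domains FILE -> lowercased domain names used in
# 'idmap config <DOMAIN> : ...' lines, excluding the '*' default, one per line.
idmap_domains() {
    awk -F '=' '
        { k = tolower($1); sub(/^[ \t]+/, "", k) }
        k ~ /^idmap config [^:]+[ \t]*:/ {
            d = k; sub(/^idmap config[ \t]+/, "", d); sub(/[ \t]*:.*$/, "", d)
            if (d != "*") print d
        }
    ' "$1" | sort -u
}

# check_idmap FILE -> 0 if the joined domain (workgroup) has its own idmap
# config lines, 1 otherwise. Without them winbind maps the domain through
# 'idmap config *', so the UIDs/GIDs are allocated locally on each server.
check_idmap() {
    wg=$(conf_value "$1" workgroup | tr 'A-Z' 'a-z')
    [ -n "$wg" ] || { echo "FAIL: no workgroup set"; return 1; }
    status=0
    if ! idmap_domains "$1" | grep -qx "$wg"; then
        echo "FAIL: no 'idmap config $wg : ...' lines; domain $wg falls back to 'idmap config *'"
        status=1
    fi
    for d in $(idmap_domains "$1"); do
        [ "$d" = "$wg" ] || { echo "WARN: idmap config for '$d' but workgroup is '$wg' (typo?)"; status=1; }
    done
    return $status
}

# check_ad_member FILE -> 0 if the NT4-era parameters are absent and
# 'winbind refresh tickets = yes' is set, 1 otherwise.
check_ad_member() {
    status=0
    for p in "logon path" "logon home" "name resolve order"; do
        if has_param "$1" "$p"; then echo "WARN: remove '$p' (no place in an AD smb.conf)"; status=1; fi
    done
    if [ "$(conf_value "$1" 'winbind refresh tickets' | tr 'A-Z' 'a-z')" != "yes" ]; then
        echo "WARN: add 'winbind refresh tickets = yes' so Kerberos tickets get renewed"
        status=1
    fi
    return $status
}

# Write the constructed samples to temp files and lint both.
BROKEN=$(mktemp); printf '%s' "$SAMPLE_BROKEN" > "$BROKEN"
FIXED=$(mktemp);  printf '%s' "$SAMPLE_FIXED"  > "$FIXED"
for f in "$BROKEN" "$FIXED"; do
    echo "== $f"
    r=0; check_idmap "$f" || r=1; check_ad_member "$f" || r=1
    [ "$r" -eq 0 ] && echo "OK" || echo "problems found"
done
```

On a real member server run the checks against the effective config rather than the raw file, for example by saving the output of `testparm -s` to a file first, so defaults and includes are resolved the same way smbd sees them.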
> You also have these lines:
>
> logon path = ""
> name resolve order = lmhosts host bcast
>
> You should remove these, they have no place in an AD smb.conf

The smb.conf manpage mentions that: 'Disable the use of roaming profiles by setting the value of this parameter to the empty string. For example, logon path = "".' I don't want roaming profiles, so I thought I needed this parameter. Is it enough if the user profiles have empty Profile Path entries? "Disabling of all roaming profile use requires that the user account settings must also be blank." What does that mean exactly?

name resolve order: I removed this setting from the DCs. The man page offers the 'wins bcast' setting for security = ADS, and SRV8 has that setting.

> Now we come to a line that you should add to all the smb.conf files:
>
> winbind refresh tickets = yes
>
> This will ensure that your kerberos tickets will be refreshed.

For this, I need libpam-winbind, according to the manual. I've read that: "Note: For a DC you do not need libpam-winbind libnss-winbind libpam-krb5, unless you require AD users to login". I think that means to log in locally. I don't want them to log in locally, so I thought I don't want these on the DCs. Do I really need libpam-winbind and 'winbind refresh tickets' on the DCs? I set it up on SRV8 and DC3.

I still have the auth problem. 1-2 months ago I reinstalled the computers that had this problem, and after that the authentication problem disappeared, but I wouldn't like to do that frequently.

Another question, but it might be related to this problem. I usually reinstall computers from a clone image file, but I don't use sysprep. What problem(s) can that cause?
Hi,

Not sysprepping is asking for problems. Your computer SIDs are now the same. Always sysprep; I'm currently rolling out new W10 PCs at the moment.

Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/

Tip, use this order to set up:

- Start a new computer and begin setup; at the first page where the W10 install stops and asks questions, press CTRL+SHIFT+F3. Now it reboots and logs in as Administrator automatically.
- Configure the computer, install the needed software, everything you need/want. (NOTE: I only install/remove software, all other parts are done in GPOs.)
- Clean up the crap from W10. Run PowerShell as Administrator and run:
  Get-AppxPackage -allusers | where-object {$_.name -notlike "*store*"} | Remove-AppxPackage
  That removes all the crap apps, excluding the Windows Store (advised to keep that, it can be a problem to get it back).
- Run sysprep.
- If you use a fixed IP, first set the fixed IP, reboot.
- Change the PC name, reboot.
- Add to the domain, reboot.

Done, resulting in always-correct DNS entries. ;-)

Short version of how I set up my PCs.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Pisch Tamás via samba
> Sent: Friday 10 January 2020 10:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] authentication problem
>
> For this, I need libpam-winbind, according to the manual.
> I've read that:
> "Note: For a DC you do not need libpam-winbind libnss-winbind
> libpam-krb5, unless you require AD users to login "
> I think, to login locally. I don't want them to login locally, so I
> thought I don't want these on DCs. Do I really need libpam-winbind,
> and 'winbind refresh tickets' on DCs?
> I set it up on SRV8 and DC3.

No, but what if you want to log in...

The solution to this is very simple: create a group in AD and/or on Linux, give it a GID (in the case of an AD group), and add something like the lines below to sshd_config.

# Allow groups (samba/windows groups: a GID is a must)
AllowGroups ssh-allow-from-ad localAdminGroup