samba - Apr 2020 - Samba update cause windows incorrect password

Dear,

on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
server is configured as domain controller.

Now happens a strange thing. From a windows 10 client I'm able to login
with a domain user without problem. But if I logout and try to enter
the password for the same user, Windows tells me that the password is
incorrect.

To be able to loing, I've to select Other User, enter username and
password and all works fine. But if I logout and enter the same
password, Windows tells me "Incorrect password".

In the samba log file I've only:

 ./source3/auth/auth_winbind.c:129(check_winbind_security)
  check_winbind_security: pdb_enum_trusted_domains() failed -
NT_STATUS_NOT_IMPLEMENTED

No other error messages:

Follow some configuration from smb.conf:

security = user
	passdb backend = tdbsam
	
	ntlm auth = yes
	lanman auth = no
	client ntlmv2 auth = yes
	client use spnego = no

	domain master = yes 
	local master = yes
	domain logons = yes
	
        server max protocol = NT1
	#server max protocol = SMB3
	#server min protocol = SMB3

The parameters ntlm, lanman, ntlmv2 and spnego are attempts to solve
the problem.


Someone can help me?

Thanks
-- 
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

On 22/04/2020 16:06, Enrico Morelli via samba wrote:
> Dear,
>
> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
> server is configured as domain controller.
>
> Now happens a strange thing. From a windows 10 client I'm able to login
> with a domain user without problem. But if I logout and try to enter
> the password for the same user, Windows tells me that the password is
> incorrect.
>
> To be able to loing, I've to select Other User, enter username and
> password and all works fine. But if I logout and enter the same
> password, Windows tells me "Incorrect password".
>
> In the samba log file I've only:
>
>   ./source3/auth/auth_winbind.c:129(check_winbind_security)
>    check_winbind_security: pdb_enum_trusted_domains() failed -
> NT_STATUS_NOT_IMPLEMENTED
>
> No other error messages:
>
> Follow some configuration from smb.conf:
>
Please do not do that, it doesn't help, please post the entire smb.conf

Rowland

On 22-04-2020 17:29, Rowland penny via samba wrote:
> On 22/04/2020 16:06, Enrico Morelli via samba wrote:
>> Dear,
>> 
>> on my debian system I upgraded samba from 4.5.16 to 4.9.5. My samba
>> server is configured as domain controller.
>> 
>> Now happens a strange thing. From a windows 10 client I'm able to 
>> login
>> with a domain user without problem. But if I logout and try to enter
>> the password for the same user, Windows tells me that the password is
>> incorrect.
>> 
>> To be able to loing, I've to select Other User, enter username and
>> password and all works fine. But if I logout and enter the same
>> password, Windows tells me "Incorrect password".
>> 
>> In the samba log file I've only:
>> 
>>   ./source3/auth/auth_winbind.c:129(check_winbind_security)
>>    check_winbind_security: pdb_enum_trusted_domains() failed -
>> NT_STATUS_NOT_IMPLEMENTED
>> 
>> No other error messages:
>> 
>> Follow some configuration from smb.conf:
>> 
> Please do not do that, it doesn't help, please post the entire smb.conf
> 
> Rowland
Ok.


[global]
	workgroup = DOMAIN
	server string = Samba Server Version %v

	netbios name = pdc
	hosts allow = 127. 192.168.100.
	name resolve order = lmhosts
	security = user
	passdb backend = tdbsam

	ntlm auth = yes
	lanman auth = no
	client ntlmv2 auth = yes
	client use spnego = no
	domain master = yes
	local master = yes
	domain logons = yes

         server max protocol = NT1
	#server max protocol = SMB3
	#server min protocol = SMB3

	browse list = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
	logon script = logon.bat
	logon path = \\%L\Profiles\%U
	# disables profiles support by specifing an empty path
	logon drive = Z:
	;logon path ;	logon home 
	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d
/n
ohome -s /bin/false "%u"
	delete user script = /usr/sbin/userdel "%u"
	delete user from group script = /usr/sbin/userdel "%u" "%g"
	delete group script = /usr/sbin/groupdel "%g"
	wins support = yes
;	wins server = w.x.y.z
	wins proxy = yes

	dns proxy = yes
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	hide dot files = yes
	nt acl support = no
	create mask = 0600
	directory mask = 0700
	;valid users = %S
;	valid users = MYDOMAIN\%S
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	browseable = no
	read only = yes
	guest ok = no
	writable = no

[Profiles.V6]
	path = /win_shares/profiles/%u.V6
	read only = no
	create mask = 0600
	directory mask = 0700
	browseable = no
	guest ok = no
	printable = no

-- 
-----------------------------------------------------------
   Enrico Morelli
   System Administrator | Programmer | Web Developer

   CERM - Polo Scientifico
   via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------