samba - Apr 2020 - Samba update cause windows incorrect password

Hai Rowland,

Well, its based on that i have here.
I run still a mixed setup here. ( 2 different domains ) 

2 servers 4.1.x as PDC/member on wheezy. (DOMAINA ) 
4.11.7 as AD-DC's (buster) DOMAINB  

All my windows clients login through AD-DC. (DOMAINB\username) 
I use the "Passthrough" auth for the shares on the PDC.
(DOMAINA\username)
I use GPO's to set the correct domain to pass.. And %username% for the
usersnames

0 problems here with windows 10 and my "PDC" is set with security =
domain.

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: dinsdag 28 april 2020 12:10
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba update cause windows incorrect password
> 
> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
> > Sure, i have a suggestion.
> >
> > security = user ? In samba 4.9.x ?  And using domain logings??
> >
> > Run man smb.conf
> > Search : security > >
> > Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it.
> >
> > Then goto : map to guest (G)
> > Read that.
> >
> > Then goto : security (G)
> > And read that also.
> >
> > I think you didnt read the complete changelog between 4.5.x 
> and 4.9.x also ;-)
> >
> >>> To be able to loing, I've to select Other User, enter
username and
> >>> password and all works fine. But if I logout and enter the
same
> >>> password, Windows tells me "Incorrect password".
> > If you do that, your typing DOM\username ? Or only
"username"
> >
> > Because, all windows logings now using COMPUTERNAME\username localy.
> > So if you enter "username" for the PDC login it passes
"
> COMPUTERNAME\username" to samba most probely.
> >
> > I hope above helps you a bit, but as far i can see above is 
> only a configuration issue.
> > You need to review the config and setup for security=domain.
> 
> The OP is running Samba as a PDC, so 'security = user' is 
> probably okay, 
> but I would remove it entirely and let Samba decide what it 
> should be ;-)
> 
> What is missing is 'unix password sync = yes'
> 
> If this was a Unix client, then you would need 'security = 
> domain' and 
> run winbind, but it is a PDC using tdbsam, so you probably 
> don't. I say 
> this because I haven't run a PDC for sometime and would urge 
> the OP to 
> upgrade to AD.
> 
> Rowland
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Tue, 28 Apr 2020 12:31:09 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai Rowland,
> 
> Well, its based on that i have here.
> I run still a mixed setup here. ( 2 different domains ) 
> 
> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA ) 
> 4.11.7 as AD-DC's (buster) DOMAINB  
> 
> All my windows clients login through AD-DC. (DOMAINB\username) 
> I use the "Passthrough" auth for the shares on the PDC.
> (DOMAINA\username) I use GPO's to set the correct domain to pass..
> And %username% for the usersnames 
> 
> 0 problems here with windows 10 and my "PDC" is set with security
> domain.
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Rowland penny via samba
> > Verzonden: dinsdag 28 april 2020 12:10
> > Aan: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Samba update cause windows incorrect password
> > 
> > On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:  
> > > Sure, i have a suggestion.
> > >
> > > security = user ? In samba 4.9.x ?  And using domain logings??
> > >
> > > Run man smb.conf
> > > Search : security > > >
> > > Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it.
> > >
> > > Then goto : map to guest (G)
> > > Read that.
> > >
> > > Then goto : security (G)
> > > And read that also.
> > >
> > > I think you didnt read the complete changelog between 4.5.x   
> > and 4.9.x also ;-)  
> > >  
> > >>> To be able to loing, I've to select Other User, enter
username
> > >>> and password and all works fine. But if I logout and
enter the
> > >>> same password, Windows tells me "Incorrect
password".
> > > If you do that, your typing DOM\username ? Or only
"username"
> > >
> > > Because, all windows logings now using COMPUTERNAME\username
> > > localy. So if you enter "username" for the PDC login it
passes
> > > "   
> > COMPUTERNAME\username" to samba most probely.  
> > >
> > > I hope above helps you a bit, but as far i can see above is   
> > only a configuration issue.  
> > > You need to review the config and setup for security=domain.  
> > 
> > The OP is running Samba as a PDC, so 'security = user' is 
> > probably okay, 
> > but I would remove it entirely and let Samba decide what it 
> > should be ;-)
> > 
> > What is missing is 'unix password sync = yes'
> > 
> > If this was a Unix client, then you would need 'security = 
> > domain' and 
> > run winbind, but it is a PDC using tdbsam, so you probably 
> > don't. I say 
> > this because I haven't run a PDC for sometime and would urge 
> > the OP to 
> > upgrade to AD.
> > 
> > Rowland
> > 
Thanks to both, but at the end which is the best way to reconfigure my
server without loose all my Windows machines?
If I put security = domain I'm unable to login.
security = ADS require kerberos and a lot of work, and at the end I'm
not sure that all my windows machines will works fine.

In my laboratory there are many windows 10 machines, the server shares
a lot of folders and I can't afford not to let a lot of people work to
do my tests.

I'm a bit confusing
> > 
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> >   
> 
> 


-- 
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

On 28/04/2020 11:51, Enrico Morelli via samba wrote:
> On Tue, 28 Apr 2020 12:31:09 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
>
>> Hai Rowland,
>>
>> Well, its based on that i have here.
>> I run still a mixed setup here. ( 2 different domains )
>>
>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>> 4.11.7 as AD-DC's (buster) DOMAINB
>>
>> All my windows clients login through AD-DC. (DOMAINB\username)
>> I use the "Passthrough" auth for the shares on the PDC.
>> (DOMAINA\username) I use GPO's to set the correct domain to pass..
>> And %username% for the usersnames
>>
>> 0 problems here with windows 10 and my "PDC" is set with
security >> domain.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>> Rowland penny via samba
>>> Verzonden: dinsdag 28 april 2020 12:10
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect
password
>>>
>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>> Sure, i have a suggestion.
>>>>
>>>> security = user ? In samba 4.9.x ?  And using domain logings??
>>>>
>>>> Run man smb.conf
>>>> Search : security >>>>
>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see
it.
>>>>
>>>> Then goto : map to guest (G)
>>>> Read that.
>>>>
>>>> Then goto : security (G)
>>>> And read that also.
>>>>
>>>> I think you didnt read the complete changelog between 4.5.x
>>> and 4.9.x also ;-)
>>>>   
>>>>>> To be able to loing, I've to select Other User,
enter username
>>>>>> and password and all works fine. But if I logout and
enter the
>>>>>> same password, Windows tells me "Incorrect
password".
>>>> If you do that, your typing DOM\username ? Or only
"username"
>>>>
>>>> Because, all windows logings now using COMPUTERNAME\username
>>>> localy. So if you enter "username" for the PDC login
it passes
>>>> "
>>> COMPUTERNAME\username" to samba most probely.
>>>> I hope above helps you a bit, but as far i can see above is
>>> only a configuration issue.
>>>> You need to review the config and setup for security=domain.
>>> The OP is running Samba as a PDC, so 'security = user' is
>>> probably okay,
>>> but I would remove it entirely and let Samba decide what it
>>> should be ;-)
>>>
>>> What is missing is 'unix password sync = yes'
>>>
>>> If this was a Unix client, then you would need 'security
>>> domain' and
>>> run winbind, but it is a PDC using tdbsam, so you probably
>>> don't. I say
>>> this because I haven't run a PDC for sometime and would urge
>>> the OP to
>>> upgrade to AD.
>>>
>>> Rowland
>>>
> Thanks to both, but at the end which is the best way to reconfigure my
> server without loose all my Windows machines?
> If I put security = domain I'm unable to login.
> security = ADS require kerberos and a lot of work, and at the end I'm
> not sure that all my windows machines will works fine.
>
> In my laboratory there are many windows 10 machines, the server shares
> a lot of folders and I can't afford not to let a lot of people work to
> do my tests.
>
> I'm a bit confusing
The first thing I would do, start winbind if it isn't already running.

If you run an NT4-style PDC, then any Linux clients need to use 
'security = domain' and run winbind, Louis says this is also required on
the PDC, but I am not entirely sure this is correct, I don't remember 
doing this.

You only use 'security = ADS' on a Unix computer joined to an AD domain 
and adding it to a Unix client joined to an NT4-style domain will not 
make it an AD client.

If you only have Windows clients then I suggest you upgrade to AD, which 
your Windows 10 machines will work better with.

It is normal to set up a sandboxed network to test the upgrade, this way 
you can find and fix any problems before you do it for real on your 
production network.

Rowland