samba - Nov 2020 - winbind use default domain = yes doesn't work on Samba 4.13?

Hello everybody.

I just upgraded our Fedora fileserver to version 30, which has Samba
4.13.2.
Now, I can see this errors in log:

check_ntlm_password:  Authentication for user [dmu60evo] -> [dmu60evo]
FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
  Auth: [SMB2,(null)] user []\[dmu60evo] at [?t, 19 lis 2020
15:50:26.373477 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [] remote host [ipv4:192.168.18.34:37038] mapped to
[]\[dmu60evo]. local host [ipv4:192.168.1.3:445] 
  {"timestamp": "2020-11-19T15:50:26.373527+0100",
"type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0",
"logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress":
"ipv4:192.168.1.3:445",
"remoteAddress": "ipv4:192.168.18.34:37038",
"serviceDescription":
"SMB2", "authDescription": null, "clientDomain":
"", "clientAccount":
"dmu60evo", "workstation": "",
"becameAccount": null, "becameDomain":
null, "becameSid": null, "mappedAccount":
"dmu60evo", "mappedDomain":
"", "netlogonComputer": null,
"netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration":
1836}}

So, we have user dmu60evo in our domain, but on client machine, we are
not able to use username in format DOMAIN\dmu60evo. So we have to use
winbind use default domain = yes.

Is this normal? Some new setting has to be done? 
Or it's just bug in Fedora package?

Thanks for answers.

Jiri

On 19/11/2020 15:02, Ji?? ?ern? via samba wrote:
> Hello everybody.
>
> I just upgraded our Fedora fileserver to version 30, which has Samba
> 4.13.2.
>
> So, we have user dmu60evo in our domain, but on client machine, we are
> not able to use username in format DOMAIN\dmu60evo. So we have to use
> winbind use default domain = yes.
Please post your smb.conf

Rowland

Yes.
In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL,
as you cas see in smb.conf.

 [global]
 netbios name = fs0001
 workgroup = SVMETAL
 security = ADS
 realm = SAMDOM.SVMETAL.CZ
 dedicated keytab file = /etc/krb5.keytab
 kerberos method = secrets and keytab

 acl allow execute always = True
 
 idmap config *:backend = tdb
 idmap config *:range = 70001-99999
 idmap config SVMETAL:backend = ad
 idmap config SVMETAL:schema_mode = rfc2307
 idmap config SVMETAL:range = 500-40000 #for legacy reasons
 idmap config SVMETAL:unix_nss_info = yes
 idmap config SVMETAL:unix_primary_group = yes

 winbind nss info = rfc2307
 winbind use default domain = yes
 winbind refresh tickets = Yes

 log level = 2
 max log size = 1024000

 map to guest = bad user

 load printers = no
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes

#Enable SMB1
 ntlm auth = yes 
 server min protocol = LANMAN1

 allow insecure wide links = yes

 map acl inherit = Yes
 store dos attributes = Yes

 vfs objects = full_audit acl_xattr btrfs
 vfs_full_audit:prefix = %U|%I|%M|%S
 full_audit:success = unlink rmdir pwrite
 full_audit:failure = none
 full_audit:facility = local5
 full_audit:priority = NOTICE

#BTRFS log errors workaround
 get quota command = /etc/samba/samba-btrfs-quota.sh

#Shares
[Company]
 path = /home/samba/fs0001/Company
 read only = no
 follow symlinks = yes
 wide links = yes
 vfs objects = full_audit acl_xattr recycle btrfs
 recycle:repository = .recycle/%U
 recycle:touch = Yes
 recycle:keeptree = Yes
 recycle:versions = Yes
 recycle:directory_mode = 0777
 recycle:subdir_mode = 0700
 recycle:noversions *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP,*.db,.~lock*,$*,~$*
 recycle:exclude *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP,*.db,.~lock*,$*,~$*
 recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP



Thanks
Jiri

>>> Rowland penny <rpenny at samba.org> 19.11.2020 16:26
>>>
On 19/11/2020 15:02, Ji?? ?ern? via samba wrote:
> Hello everybody.
>
> I just upgraded our Fedora fileserver to version 30, which has Samba
> 4.13.2.
>
> So, we have user dmu60evo in our domain, but on client machine, we
are
> not able to use username in format DOMAIN\dmu60evo. So we have to
use
> winbind use default domain = yes.
Please post your smb.conf

Rowland