Perttu Aaltonen
2021-Mar-04  13:56 UTC
[Samba] winbind use default domain problem after upgrade
> On 3 Mar 2021, at 18.49, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/03/2021 16:10, Perttu Aaltonen via samba wrote:
>> After upgrading a file server from Ubuntu 19.10 with Samba 4.10.5 to Ubuntu 20.04 with Samba 4.13.2, "winbind use default domain" doesn't seem to work anymore.
>>
>> I went through the release notes in between but nothing stood out for me that would require a configuration change.
>>
>> Before the upgrade:
>> [2021/02/23 20:05:31.553745, 3] ../../auth/auth_log.c:629(log_authentication_event_human_readable)
>> Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:05:31.553731 EET] with [NTLMv1] status [NT_STATUS_OK] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:53784] became [DOMAIN]\[user] [SID redacted]. local host [ipv4:192.168.0.10:445]
>>
>> After the upgrade:
>> [2021/02/23 20:19:04.581131, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>> Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:19:04.581108 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:49792] mapped to []\[user]. local host [ipv4:192.168.0.12:445]
>>
>> Do I need to change something in the configuration or have I hit some kind of bug?
>>
>> Thanks!
>
>
> Strange, it works for myself (not that it helps you)
>
> Can you give us a bit more info, What is the AD DC ?
>
> Why are you still using SMBv1 ?
>
> Please post your smb.conf
>
> Rowland

Hi Rowland,

The DC is still an old Samba 4.1.9 in Debian 7. We are waiting for either a decision to upgrade it or move to a cloud DC, in which case we will just decommission it. Has been working fine though up until now. It's just a user directory, nothing fancy like GPO.

SMBv1 is for certain legacy clients, like the Supermicro IPMI virtual media where I ran into this problem in the first place. I asked Supermicro support if they have any fixes for this in newer firmware releases, but they just replied that it's not tested or supported with Samba. Their web UI doesn't even allow the \ character so it's not possible to include the domain in the user name.

The config is below. Some of it is from a previous admin so might include redundant or unnecessary options for current releases.

Thanks,
Perttu

# Global parameters
[global]
	allow trusted domains = No
	dns proxy = No
	domain master = No
	load printers = No
	local master = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	pam password change = Yes
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	preferred master = No
	realm = DOMAIN.COM
	security = ADS
	server min protocol = NT1
	server string = %h server (Samba, Ubuntu)
	syslog = 0
	template homedir = /home/%U
	template shell = /bin/sh
	unix extensions = No
	unix password sync = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = DOMAIN
	rpc_server:mdssvc = embedded
	streams_xattr:store_stream_type = no
	streams_xattr:prefix = user.
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:zero_file_id = yes
	fruit:posix_rename = yes
	fruit:veto_appledouble = yes
	fruit:model = Xserve
	fruit:locking = netatalk
	fruit:encoding = native
	fruit:metadata = netatalk
	fruit:resource = file
	fruit:copyfile = yes
	fruit:nfs_aces = no
	readdir_attr:aapl_max_access = yes
	readdir_attr:aapl_finder_info = yes
	readdir_attr:aapl_rsize = yes
	fruit:aapl = yes
	idmap config DOMAIN: range = 20000-20000000
	idmap config *:range = 90000000-100000000
	idmap config DOMAIN: backend = rid
	idmap config * : backend = tdb
	access based share enum = Yes
	delete veto files = Yes
	inherit permissions = Yes
	strict locking = No
	use sendfile = Yes
	veto oplock files = /.*rvt/
	vfs objects = catia fruit streams_xattr

[SERVER]
	path = /zpool/shares/SERVER
	read only = No

Rowland penny
2021-Mar-04  15:08 UTC
[Samba] winbind use default domain problem after upgrade
On 04/03/2021 13:56, Perttu Aaltonen via samba wrote:
>
>> On 3 Mar 2021, at 18.49, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 03/03/2021 16:10, Perttu Aaltonen via samba wrote:
>>> After upgrading a file server from Ubuntu 19.10 with Samba 4.10.5 to Ubuntu 20.04 with Samba 4.13.2, "winbind use default domain" doesn't seem to work anymore.
>>>
>>> I went through the release notes in between but nothing stood out for me that would require a configuration change.
>>>
>>> Before the upgrade:
>>> [2021/02/23 20:05:31.553745, 3] ../../auth/auth_log.c:629(log_authentication_event_human_readable)
>>> Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:05:31.553731 EET] with [NTLMv1] status [NT_STATUS_OK] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:53784] became [DOMAIN]\[user] [SID redacted]. local host [ipv4:192.168.0.10:445]
>>>
>>> After the upgrade:
>>> [2021/02/23 20:19:04.581131, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>>> Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:19:04.581108 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:49792] mapped to []\[user]. local host [ipv4:192.168.0.12:445]
>>>
>>> Do I need to change something in the configuration or have I hit some kind of bug?
>>>
>>> Thanks!
>>
>> Strange, it works for myself (not that it helps you)
>>
>> Can you give us a bit more info, What is the AD DC ?
>>
>> Why are you still using SMBv1 ?
>>
>> Please post your smb.conf
>>
>> Rowland
> Hi Rowland,
>
> The DC is still an old Samba 4.1.9 in Debian 7. We are waiting for either a decision to upgrade it or move to a cloud DC, in which case we will just decommission it. Has been working fine though up until now. It's just a user directory, nothing fancy like GPO.
>
> SMBv1 is for certain legacy clients, like the Supermicro IPMI virtual media where I ran into this problem in the first place. I asked Supermicro support if they have any fixes for this in newer firmware releases, but they just replied that it's not tested or supported with Samba. Their web UI doesn't even allow the \ character so it's not possible to include the domain in the user name.

You can change the winbind separator.

>
> The config is below. Some of it is from a previous admin so might include redundant or unnecessary options for current releases.

The only setting I would query is this:

    unix password sync = yes

Not sure why you have this, you shouldn't have users in AD and /etc/passwd.

If you do have users in both places, then this may be your problem.

Rowland
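
Added example, not part of the thread and not Samba's own code: a small Python parser for the human-readable "Auth:" log lines quoted above, which flags NTLMv1 logons and logons where a user name sent without a domain was never mapped to one. The function and finding names are assumptions made for this illustration; the sample input is the two log entries exactly as the poster redacted them.

```python
import re

# Matches the "Auth:" line of Samba's human-readable authentication log,
# in the form quoted in the thread above.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),[^\]]*\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[[^\]]*\] "
    r"remote host \[(?P<remote>[^\]]*)\] "
    r"(?P<outcome>became|mapped to) \[(?P<final_domain>[^\]]*)\]"
)

def parse_auth_events(text):
    """Return one dict per Auth: line found in the log text."""
    return [m.groupdict() for m in AUTH_RE.finditer(text)]

def triage(event):
    """Return the findings (hypothetical labels) for one parsed event."""
    findings = []
    if event["method"] == "NTLMv1":
        findings.append("legacy-ntlmv1")
    # Symptom from the thread: no domain was ever attached to the user name.
    if event["status"] == "NT_STATUS_NO_SUCH_USER" and not event["final_domain"]:
        findings.append("unqualified-user-unresolved")
    return findings

def report(text):
    """Map (remote address, user) to the sorted findings seen for it."""
    out = {}
    for ev in parse_auth_events(text):
        host = ev["remote"].rsplit(":", 1)[0]  # drop the ephemeral source port
        out.setdefault((host, ev["user"]), set()).update(triage(ev))
    return {key: sorted(found) for key, found in out.items()}

# The two log entries quoted in the thread (already redacted by the poster).
SAMPLE = r"""
[2021/02/23 20:05:31.553745, 3] ../../auth/auth_log.c:629(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:05:31.553731 EET] with [NTLMv1] status [NT_STATUS_OK] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:53784] became [DOMAIN]\[user] [SID redacted]. local host [ipv4:192.168.0.10:445]
[2021/02/23 20:19:04.581131, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:19:04.581108 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:49792] mapped to []\[user]. local host [ipv4:192.168.0.12:445]
"""

if __name__ == "__main__":
    for key, findings in report(SAMPLE).items():
        print(key, findings)
```

Run over a file server's log.%m files, the same report lists which clients still depend on "server min protocol = NT1" and which ones fail only because their user name arrives without a domain.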