samba - Feb 2021 - Fileserver Upgrade problems

Hello,

After I upgrade our fileserver from 4.10 to 4.13 and debian 10, the shared
folder has stopped working. In fact now, every time I try to access the
shared folder, the password is requested.

smb.conf
[global]
        netbios name = FILESERVER
        workgroup = CAMPUS
        security = ADS
        realm = CAMPUS.COMPAMY.COM
        bind interfaces only = yes
        interfaces = eth0 lo

        # default config
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config CAMPUS:backend = ad
        idmap config CAMPUS:schema_mode = rfc2307
        idmap config CAMPUS:range = 10000-999999
        idmap config CAMPUS:unix_nss_info = yes
        idmap config CAMPUS:unix_primary_group = yes

        #winbind trusted domains only = no
        winbind use default domain = yes
        winbind nested groups = Yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind refresh tickets = yes
        winbind cache time = 300

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        domain master = no
        local master = no
        prefered master = no

        # DFS server
        host msdfs = yes

        # Enable modules
        vfs objects = acl_xattr, recycle, full_audit, dfs_samba4

        map acl inherit = Yes
        store dos attributes = Yes
        username map = /etc/samba/user.map

        #log file
        log file = /var/log/samba/machines/%m.log
        log level = 1 passdb:2 auth:2 winbind:1

        # Variaveis para print server
        printing = cups
        load printers = yes
        printcap name = cups
        printcap cache time = 300
        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork
        spoolss: architecture = Windows x64
        #ldap server require strong auth = no

        # audit log file
        full_audit:success = open, opendir, write, unlink, rename, mkdir,
rmdir, chmod, chown
        full_audit:prefix = %u|%I|%S
        full_audit:failure = none
        full_audit:facility = LOCAL1
        full_audit:priority = notice

[storage]
        path = /mnt/strdc3/
        read only = no

        # Entradas para a lixeira
        recycle:repository = /mnt/strdc3/recycle/%U
        recycle:keeptree = yes
        recycle:versions = yes
        recycle:touch = yes
        recycle:exclude = ?~$*,~$*,*.tmp,index*.pl,index*.htm*,*.temp,*.TMP
        recycle:exclude_dir=  /tmp,/temp,/cache
        recycle:noversions = *.doc,*.xls,*.ppt,*.docx,*.xlsx,*.pptx,*.pdf

[Printers]
        comment = All Printers
        path = /var/spool/samba
        #browseable = yes
        #writeable = yes
        printable = yes
        #read only = no
        #print ok = yes
        #public = yes
        #force printername = yes
        #guest ok = yes

[print$]
        path = /var/samba/drivers
        read only = no
        #browseable = yes
        #write list = @"Domain Admins", root, administrator
        #inherit permissions = yes

This below part of
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

If you use the winbind 'ad' backend on Unix domain members and you add a
gidNumber attribute to the Domain Admins group in AD, you will break the
mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
this is to allow the group to own files in Sysvol on a Samba AD DC. It is
suggested you create a new AD group (Unix Admins for instance), give this
group a gidNumber attribute and add it to the Administrators group and
then, on Unix, use the group wherever you would normally use Domain Admins.

didn't seem necessary in samba 4.10? Or at least when I set up the
fileserver it will be requested for "Domain Admins".

Does this refer to adding a Unix Attribute to the "Domain Admins"
group?

-- 
Elias Pereira

On 04/02/2021 19:30, Elias Pereira via samba wrote:
> Hello,
>
> After I upgrade our fileserver from 4.10 to 4.13 and debian 10, the shared
> folder has stopped working. In fact now, every time I try to access the
> shared folder, the password is requested.
>
> smb.conf
> [global]
>
>          # Enable modules
>          vfs objects = acl_xattr, recycle, full_audit, dfs_samba4

Why have you added 'dfs_samba4' ?

It should only be used on a Samba AD DC
>
>
>
>
>
> This below part of
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> If you use the winbind 'ad' backend on Unix domain members and you
add a
> gidNumber attribute to the Domain Admins group in AD, you will break the
> mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb,
> this is to allow the group to own files in Sysvol on a Samba AD DC. It is
> suggested you create a new AD group (Unix Admins for instance), give this
> group a gidNumber attribute and add it to the Administrators group and
> then, on Unix, use the group wherever you would normally use Domain Admins.
>
> didn't seem necessary in samba 4.10? Or at least when I set up the
> fileserver it will be requested for "Domain Admins".

it isn't a problem on a Unix domain member (never has been) but it 
breaks sysvol on a Samba AD DC if you add a gidNumber to Domain Admins. 
Windows has this quaint idea of letting a group own files & folders, 
something that isn't normally possible on Unix. However, on a Samba AD 
DC, Domain Admins is mapped as 'ID_TYPE_BOTH' (it is both a group and a 
user), if you give Domain Admins a gidNumber, you break this mapping and 
it just becomes a group and cannot own things in sysvol.

Rowland