Perttu Aaltonen
2021-Mar-05  08:38 UTC
[Samba] winbind use default domain problem after upgrade
> On 4. Mar 2021, at 17.08, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 04/03/2021 13:56, Perttu Aaltonen via samba wrote:
>>
>> Hi Rowland,
>>
>> The DC is still an old Samba 4.1.9 in Debian 7. We are waiting for either a decision to upgrade it or move to a cloud DC, in which case we will just decommission it. Has been working fine though up until now. It's just a user directory, nothing fancy like GPO.
>>
>> SMBv1 is for certain legacy clients, like the Supermicro IPMI virtual media where I ran into this problem in the first place. I asked Supermicro support if they have any fixes for this in newer firmware releases, but they just replied that it's not tested or supported with Samba. Their web UI doesn't even allow the \ character so it's not possible to include the domain in the user name.
>
>
> You can change the winbind separator.

How does changing the separator affect clients that have saved credentials with the standard separator? In any case, I tried it with a spare server and got this:

[2021/03/05 10:27:24.171714, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB,(null)] user []\[DOMAIN+user] at [Fri, 05 Mar 2021 10:27:24.171689 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:48556] mapped to []\[DOMAIN+user]. local host [ipv4:192.168.0.10:445]

So looks like the mapping isn't working with a different separator either. It seems to be client or protocol specific because from another machine it says "...with [NTLMv2]...mapped to [DOMAIN]\[DOMAIN+user]".

>>
>> The config is below. Some of it is from a previous admin so might include redundant or unnecessary options for current releases.
>
>
> The only setting I would query is this:
>
> unix password sync = yes
>
> Not sure why you have this, you shouldn't have users in AD and /etc/passwd.
> If you do have users in both places, then this may be your problem.

No identical users in both places, removed this but no effect.

Perttu
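An added example, not code from the thread or from Samba: it parses `auth_log.c` lines of the shape quoted above and flags the two things a defender would want from them, NTLMv1 logons and logons whose domain was never resolved (the mapped name still carries the winbind separator). The second log line, the `SMB2` service label and the `+` separator are constructed assumptions.

```python
import re

# Constructed sample in the shape of the auth_log.c lines quoted in the thread
# (hosts, names and the second event are placeholders, not real data).
SAMPLE_LOG = """\
[2021/03/05 10:27:24.171714, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB,(null)] user []\\[DOMAIN+user] at [Fri, 05 Mar 2021 10:27:24.171689 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:48556] mapped to []\\[DOMAIN+user]. local host [ipv4:192.168.0.10:445]
[2021/03/05 10:28:01.000000, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user []\\[DOMAIN+user] at [Fri, 05 Mar 2021 10:28:01.000000 EET] with [NTLMv2] status [NT_STATUS_OK] workstation [WS01] remote host [ipv4:192.168.0.12:50000] mapped to [DOMAIN]\\[DOMAIN+user]. local host [ipv4:192.168.0.10:445]
"""

# One named group per bracketed field of the human-readable auth line.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),[^\]]*\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] at \[[^\]]*\] "
    r"with \[(?P<method>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\] "
    r"mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]\."
)

def parse_auth_events(text: str) -> list[dict]:
    """Return one dict of fields per 'Auth:' line; other log lines are skipped."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]

def review(events: list[dict], separator: str = "+") -> list[str]:
    """Flag NTLMv1 logons (legacy clients still accepted) and logons whose
    domain was never resolved: empty mapped domain, or the configured winbind
    separator still inside the mapped user name, as in the thread."""
    findings = []
    for e in events:
        who = f"{e['remote']} {e['domain'] or '<none>'}\\{e['user']} via {e['service']}"
        if e["method"] == "NTLMv1":
            findings.append(f"NTLMv1 logon from {who} ({e['status']})")
        if not e["mapped_domain"] or separator in e["mapped_user"]:
            findings.append(
                f"domain not resolved for {who}: mapped to "
                f"{e['mapped_domain'] or '<none>'}\\{e['mapped_user']} ({e['status']})"
            )
    return findings

if __name__ == "__main__":
    for line in review(parse_auth_events(SAMPLE_LOG)):
        print(line)
```

Feed it the output of `log level = auth_audit:2` (or `auth:2`, as in the quoted line) from a server that shows the symptom to see at a glance which clients still use NTLMv1 and which names never get a domain.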
Perttu Aaltonen
2021-Mar-10  15:31 UTC
[Samba] winbind use default domain problem after upgrade
> On 5 Mar 2021, at 10.38, Perttu Aaltonen via samba <samba at lists.samba.org> wrote:
>
>
>> On 4. Mar 2021, at 17.08, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 04/03/2021 13:56, Perttu Aaltonen via samba wrote:
>>>
>>> Hi Rowland,
>>>
>>> The DC is still an old Samba 4.1.9 in Debian 7. We are waiting for either a decision to upgrade it or move to a cloud DC, in which case we will just decommission it. Has been working fine though up until now. It's just a user directory, nothing fancy like GPO.
>>>
>>> SMBv1 is for certain legacy clients, like the Supermicro IPMI virtual media where I ran into this problem in the first place. I asked Supermicro support if they have any fixes for this in newer firmware releases, but they just replied that it's not tested or supported with Samba. Their web UI doesn't even allow the \ character so it's not possible to include the domain in the user name.
>>
>>
>> You can change the winbind separator.
>
> How does changing the separator affect clients that have saved credentials with the standard separator? In any case, I tried it with a spare server and got this:
>
> [2021/03/05 10:27:24.171714, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> Auth: [SMB,(null)] user []\[DOMAIN+user] at [Fri, 05 Mar 2021 10:27:24.171689 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11] remote host [ipv4:192.168.0.11:48556] mapped to []\[DOMAIN+user]. local host [ipv4:192.168.0.10:445]
>
> So looks like the mapping isn't working with a different separator either. It seems to be client or protocol specific because from another machine it says "...with [NTLMv2]...mapped to [DOMAIN]\[DOMAIN+user]".
>
>>
>>>
>>> The config is below. Some of it is from a previous admin so might include redundant or unnecessary options for current releases.
>>
>>
>> The only setting I would query is this:
>>
>> unix password sync = yes
>>
>> Not sure why you have this, you shouldn't have users in AD and /etc/passwd. If you do have users in both places, then this may be your problem.
>
> No identical users in both places, removed this but no effect.
>

Perhaps I've misunderstood the "winbind use default domain" parameter. According to the smb.conf manual it doesn't apply to "Windows users", meaning SMB clients. It also doesn't seem to have any effect on the user mapping when authenticating through the SMB connection. On a working system I can connect without providing the domain part even with "winbind use default domain = no". It doesn't matter if I provide the "DOMAIN\" or not and the authentication succeeds. But on an updated system the automatic mapping doesn't work anymore and I'm not sure what affects it when the smb.conf file is identical. Any ideas what the difference could be?

-Perttu