Gaiseric Vandal
2022-Mar-21 17:17 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
LDAP is used for user and group lookups at the Unix/Linux level. This
includes nfs and ssh. The authentication itself is typically
kerberos. Presumably if nsswitch.conf pointed to winbind but not ldap
everything would continue to work.
The sanitized smb.conf file
[global]
# 3/20/22
#For samba 4.13
winbind nss info = rfc2307
min domain uid = 100
template shell = /bin/bash
template homedir = /home/%U
#
smb ports = 445
disable netbios = yes
syslog = 3
#FOLLOWING CONFIGURES THIS A MEMBER SERVER
security = ads
realm=MYDOMAIN.COM
workgroup = MYDOMAIN
domain master = no
domain logons = no
kerberos method = system keytab
include system krb5 conf = no
#END MEM SERVER CONFIG
name resolve order = host wins bcast
# server string is the equivalent of the NT Description field
server string = SERVER1
preferred master = no
# 3/20/22 server min protocol = SMB2
server min protocol = SMB3
server max protocol = SMB3
log level = 3
private dir = /etc/samba/private
lock directory = /var/samba/locks
pid directory = /var/samba/locks
usershare path = /var/samba/locks/usershares
lanman auth = No
client lanman auth = No
client plaintext auth = No
map to guest = Bad User
winbind use default domain = yes
map readonly=no
winbind enum users = Yes
winbind enum groups = Yes
winbind:rpc only = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
name resolve order = host wins bcast
load printers = yes
local master = no
[Share11]
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = connect disconnect open pread pwrite
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE
path = /Share1
read only = No
hide special files = Yes
map archive = No
guest ok = yes
map archive = No
inherit permissions = Yes
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
map readonly = no
ea support = yes
store dos attributes = yes
On 3/21/22 12:05, Rowland Penny via samba wrote:
> On Mon, 2022-03-21 at 11:04 -0400, Gaiseric Vandal via samba wrote:
>> I have several Solaris 11.4 servers in an AD domain. File sharing
>> is
>> provide to Windows clients via Samba, and to Linux clients via nfs.
>>
>> We also support some git repos over ssh.
> Please post the entire 'global' portion of your smb.conf, also, do you
> use the 'ldap' for anything else ?
>
> Rowland
>
>
>
Rowland Penny
2022-Mar-21 17:38 UTC
[Samba] authentication issue moving from Samba 4.11.x to 4.13.14
On Mon, 2022-03-21 at 13:17 -0400, Gaiseric Vandal via samba wrote:
> LDAP is used for user and group lookups at the Unix/Linux level. This
> includes nfs and ssh. The authentication itself is typically
> kerberos. Presumably if nsswitch.conf pointed to winbind but not ldap
> everything would continue to work.

Got to ask this, why are you using ldap for Unix user & group lookups ?
I presume that the ldap lookups are searching for RFC2307 attributes, if
so, ldap is a bit redundant, your 'ad' backend will use the same IDs.

While there are numerous superfluous lines in your smb.conf, it is
basically sound.

Rowland
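The two things Rowland picks at above, repeated parameters and the idmap layout, are mechanical enough to check before posting a config. The script below is an added example written for this thread; it is not Samba code and not something either poster ran. It parses an smb.conf in the style posted above, lists parameters that appear twice in one section, checks that the idmap ranges for '*' and the domain do not overlap (Samba requires them to be disjoint), and checks that 'min domain uid' is not above the domain range's low end, since winbind refuses to map a domain account to a uid below that parameter. The embedded sample is a trimmed, constructed copy of the posted config with the same IDs and domain name; the function and variable names are my own.

```python
"""Sanity-check idmap and duplicate-parameter issues in an smb.conf.

Added example for this thread, not code from the Samba project or from
either poster. SAMPLE_SMB_CONF is a trimmed, constructed copy of the
config posted above (same domain name, same ranges, same duplicates).
"""
import re
from collections import defaultdict

SAMPLE_SMB_CONF = """\
[global]
# 3/20/22
winbind nss info = rfc2307
min domain uid = 100
security = ads
realm=MYDOMAIN.COM
workgroup = MYDOMAIN
name resolve order = host wins bcast
winbind use default domain = yes
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
name resolve order = host wins bcast
[Share11]
path = /Share1
map archive = No
guest ok = yes
map archive = No
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates and order.

    Keys are normalised the way Samba treats them: lower-cased with internal
    whitespace collapsed, so 'realm=X' and 'Realm = X' are the same key.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or junk: skip
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current].append((key, value.strip()))
    return dict(sections)


def duplicate_keys(sections):
    """(section, key) pairs that occur more than once in the same section."""
    dups = []
    for name, params in sections.items():
        seen = defaultdict(int)
        for key, _ in params:
            seen[key] += 1
        dups.extend((name, k) for k, n in seen.items() if n > 1)
    return dups


def idmap_ranges(sections):
    """Map each idmap domain ('*', 'MYDOMAIN', ...) to its (low, high)."""
    ranges = {}
    for key, value in sections.get("global", []):
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            low, high = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges[m.group(1).upper()] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges intersect; Samba needs them disjoint."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                overlaps.append((a, b))
    return overlaps


def min_domain_uid_ok(sections, domain):
    """True if 'min domain uid' is unset or not above the domain range's low end.

    winbind will not map a domain account to a uid below 'min domain uid',
    so a value above the range's low end makes part of the range unusable.
    """
    params = dict(sections.get("global", []))  # last duplicate wins, as in Samba
    if "min domain uid" not in params:
        return True
    low, _ = idmap_ranges(sections)[domain.upper()]
    return int(params["min domain uid"]) <= low


def check(text, domain="MYDOMAIN"):
    """Run every check and return a plain dict the caller can assert on."""
    sections = parse_smb_conf(text)
    ranges = idmap_ranges(sections)
    return {
        "duplicates": sorted(duplicate_keys(sections)),
        "ranges": ranges,
        "overlaps": overlapping_ranges(ranges),
        "min_domain_uid_ok": min_domain_uid_ok(sections, domain),
    }


if __name__ == "__main__":
    report = check(SAMPLE_SMB_CONF)
    for section, key in report["duplicates"]:
        print(f"duplicate in [{section}]: {key}")
    for a, b in report["overlaps"]:
        print(f"idmap ranges overlap: {a} and {b}")
    print("min domain uid within domain range:", report["min_domain_uid_ok"])
```

Run against the posted config it reports the two repeated parameters ('name resolve order' in [global], 'map archive' in [Share11]) and no range or 'min domain uid' problem, which matches Rowland's "superfluous lines, but basically sound". Point it at the real file with `check(open("/etc/samba/smb.conf").read(), "YOURDOMAIN")`; the parser ignores `include` directives, so run it on the fully expanded output of `testparm -s` if your config uses them.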