samba - Dec 2022 - Some older windows clients can't connect after upgrade

Hello,

After upgrading to samba 4.13 (from debian oldstable to debian stable),
some windows clients (windows 2008r2 and lower, Indows 7, windows XP,
etc) can't connect to the serveur anymore. My first move was to enable
SMBv1, now some linux clients connect using the older protocol, but the
windows client still fail to connect "can't connect" error,
neither
using the UNC name, nor the IP adress; neither from the windows
explorer, or "net use //xxxx/yyy" in a CMD shell.

Any ideas?


The global part of smb.conf:

[global]
    workgroup = EXAMPLE
    security = ADS
    realm = EXAMPLE.LAN

    # allow SMB1
    ntlm auth = ntlmv1-permitted
    server min protocol=NT1

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/EXAMPLE/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set
    privileges username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes



-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: Signature digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20221215/c6ec3c4c/attachment.sig>

Le Thu, 15 Dec 2022 11:51:03 +0100
Emmanuel Florac via samba <samba at lists.samba.org> ?crivait:
> Hello,
> 
> After upgrading to samba 4.13 (from debian oldstable to debian
> stable), some windows clients (windows 2008r2 and lower, Indows 7,
> windows XP, etc) can't connect to the serveur anymore. My first move
> was to enable SMBv1, now some linux clients connect using the older
> protocol, but the windows client still fail to connect "can't
> connect" error, neither using the UNC name, nor the IP adress;
> neither from the windows explorer, or "net use //xxxx/yyy" in a
CMD
> shell.
> 
I've compared with another server which is still running Samba 4.5
(debian 9 oldoldstable), and all of the clients that fail to connect
are connected to the other one using SMB2_10 or SMB3_01; on the other
server I have no client connected using SMB3_01 (but some are
successfully connected using 2.10...)

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: Signature digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20221215/c4fd196b/attachment.sig>

Le Thu, 15 Dec 2022 11:51:03 +0100
Emmanuel Florac via samba <samba at lists.samba.org> ?crivait:
> After upgrading to samba 4.13 (from debian oldstable to debian
> stable), some windows clients (windows 2008r2 and lower, Indows 7,
> windows XP, etc) can't connect to the serveur anymore. My first move
> was to enable SMBv1, now some linux clients connect using the older
> protocol, but the windows client still fail to connect "can't
> connect" error, neither using the UNC name, nor the IP adress;
> neither from the windows explorer, or "net use //xxxx/yyy" in a
CMD
> shell.
> 
> Any ideas?
Some more tests:

"wbinfo -u" lists correctly the domain users.
"getent passwd" only lists local users (is it OK?), but
"getent passwd <some domain user>" works properly.


We tried "net ads leave" and "net ads join", it works fine,
and nothing
changes: the machines that could connect previously still can, those
that couldn't still can't. We rebooted everything of course, no dice.

Using a local account from the server (vs an AD account) works. So
there's something wrong about authentication in the AD, but I don't
understand what's wrong.

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: Signature digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20221216/9f532394/attachment.sig>