samba - Nov 2022 - auth problems

On 24/11/2022 13:28, Piviul via samba wrote:
> ...I forgot to say that the samba version of the PDC is 4.10.16
What, you are running an nt4-style domain ?
Or do you mean an AD DC is running 4.10.16 ?
There is is no such thing as a PDC in AD.
>> this is testparm:
>>
>> root at serverdati:~# du -sh /home/shares/DAE/
>> ^G^C
>> root at serverdati:~# testparm
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
>> Processing section "[homes]"
>> [...]
>> Loaded services file OK.
>> WARNING: You have some share names that are longer than 12 characters.
>> These may not be accessible to some older clients.
>> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>>
>> [global]
>> ?? ?workgroup = DOMINIOCSA
>> ?? ?realm = AD.CSARICERCHE.COM
>> ?? ?server string = %h server (Samba, Debian)
>> ?? ?security = ADS
>> ?? ?map to guest = Bad User
>> ?? ?obey pam restrictions = Yes
>> ?? ?pam password change = Yes
>> ?? ?log file = /var/log/samba/log.%m
>> ?? ?max log size = 1000
>> ?? ?usershare allow guests = Yes
>> ?? ?panic action = /usr/share/samba/panic-action %d
>> ?? ?template shell = /bin/bash
>> ?? ?winbind enum users = Yes
>> ?? ?winbind enum groups = Yes
>> ?? ?winbind refresh tickets = Yes
>> ?? ?idmap config DOMINIOCSA : range = 10000-99999
>> ?? ?idmap config DOMINIOCSA : backend = rid
>> ?? ?idmap config * : range = 3000-9999
>> ?? ?idmap config * : backend = tdb
>> ?? ?map acl inherit = Yes
>> ?? ?store dos attributes = Yes
>> ?? ?vfs objects = acl_xattr
>>
>> [...]
>>
> 
> 
There doesn't appear to be anything wrong, is the join still OK and is 
winbind running ?

Rowland

On 11/24/22 15:45, Rowland Penny via samba wrote:
>
>
> On 24/11/2022 13:28, Piviul via samba wrote:
>> ...I forgot to say that the samba version of the PDC is 4.10.16
>
> What, you are running an nt4-style domain ?
> Or do you mean an AD DC is running 4.10.16 ?
yes, I mean AD DC is running 4.10.16

>>> this is testparm:
>>>
>>> root at serverdati:~# du -sh /home/shares/DAE/
>>> ^G^C
>>> root at serverdati:~# testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
>>> (16384)
>>> Processing section "[homes]"
>>> [...]
>>> Loaded services file OK.
>>> WARNING: You have some share names that are longer than 12
characters.
>>> These may not be accessible to some older clients.
>>> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
>>> Server role: ROLE_DOMAIN_MEMBER
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>> ?? ?workgroup = DOMINIOCSA
>>> ?? ?realm = AD.CSARICERCHE.COM
>>> ?? ?server string = %h server (Samba, Debian)
>>> ?? ?security = ADS
>>> ?? ?map to guest = Bad User
>>> ?? ?obey pam restrictions = Yes
>>> ?? ?pam password change = Yes
>>> ?? ?log file = /var/log/samba/log.%m
>>> ?? ?max log size = 1000
>>> ?? ?usershare allow guests = Yes
>>> ?? ?panic action = /usr/share/samba/panic-action %d
>>> ?? ?template shell = /bin/bash
>>> ?? ?winbind enum users = Yes
>>> ?? ?winbind enum groups = Yes
>>> ?? ?winbind refresh tickets = Yes
>>> ?? ?idmap config DOMINIOCSA : range = 10000-99999
>>> ?? ?idmap config DOMINIOCSA : backend = rid
>>> ?? ?idmap config * : range = 3000-9999
>>> ?? ?idmap config * : backend = tdb
>>> ?? ?map acl inherit = Yes
>>> ?? ?store dos attributes = Yes
>>> ?? ?vfs objects = acl_xattr
>>>
>>> [...]
>>>
>>
>>
>
> There doesn't appear to be anything wrong, is the join still OK and is 
> winbind running ?
# net ads testjoin
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Strong(er) 
authentication required
Join is OK


Piviul