Rowland Penny
2023-Feb-09 18:49 UTC
[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share
On 09/02/2023 18:09, John Adamski (Work Account) via samba wrote:
> Our ERP server was on SLES 11.4 and we upgraded to SLES 15.4 last September and have had a problem since with Samba shares on the SLES server accessed by Windows desktops. Can't authenticate, not translating the Windows side user to Linux side user. Not exactly sure if Windows GUID to UID or username to username. It seems the translations that used to take place with username are not happening anymore and I never figured out why.
>
> The upgrade process was migrate from 11.4 to 15.1 and then to 15.4 as a migration, SLES didn't have a direct path from 11.4 to 15.4. For the most part the upgrade of the OS went ok.
>
> We had been using the samba shares for years without problems until upgrading to 15.4. I had an open case with SUSE shortly after the upgrade but they basically said it's not a break-fix but a configuration problem and they couldn't help. Did offer an outrageously priced consulting option. I did get from the SUSE "expert" that looked at the case when we disagreed with them not helping, and he said 15.4 Samba was a major rewrite and that is probably why we are having problems. But still agreed a consulting problem not support problem.
>
> We paid a local VR that had a RHEL expert, but he couldn't figure out why it's not working and said SUSE seemed to be very different than other Linux he worked on. Also posted on SUSE forum, no help there. So trying Samba forum.
>
> The ERP requires local Linux user accounts and local group for security so can't get this from AD.

Yes you can.

> When SUSE had me try SSSD the SLES server could see and get information from AD and users now had local and AD groups which caused a big mess. Even though the server could get AD information still could authenticate to mount the shares. I undid all those changes.
>
> I'm just trying to get a simple and easy to maintain configuration so PC can mount a SLES home directory and transfer files back and forth.
>
> As I understand how it worked on 11.4 was using Samba and winbind, PAM and Kerberos might have been in the mix, I can't remember.
>
> Here are the specs for the server and domain controllers in the network, the Windows PCs are all Win10 21H2 or 22H2. I've made so many changes over the last months not sure what is what any more.
>
> -=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-

In my opinion this is where your problems start

> cat smb.conf
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2015-05-01
> [global]
> workgroup = GRACELAND
> #kerberos method = secrets and keytab
> password server = xxxxxx.graceland.edu

You should not set the password server. Let Samba find the best DC.

> realm = GRACELAND.EDU
> security = ADS
> netbios name = nova
> usershare allow guests = No
> John David Adamski
> Sr. Sysadmin/DBA
> Graceland University
>
> wins support = No
> #debug level = 7
> #enable core files = yes
> #username map script = /bin/echo
> #username map script = /etc/samba/StripDomainName.sh

I take it that is to remove 'GRACELAND\' from the user names, if so, what is wrong with 'winbind use default domain = yes' ?
You should be using the username map to map Administrator to root.

> idmap config * : backend = tdb
> idmap config * : range = 10000-199999

Okay, but I wouldn't have used that range.

> idmap config GRACELAND:unix_nss_info = yes

Only used with the 'ad' idmap backend.

> idmap config GRACELAND : backend = tdb

Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends.

> #idmap config SAMDOM:schema_mode = rfc2307

Again only used with the 'ad' idmap backend.

> idmap config GRACELAND : range = 200000-2000200000
> ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = Yes
> ldap suffix = dc=graceland,dc=edu
> ldap user suffix = ou=Users
> ldap ssl = off

This is a Unix domain member, 'security = ADS' says that, so you shouldn't have the 'ldap' lines, they will do nothing other than potentially messing things up.

> #passdb backend = tdbsam
> allow insecure wide links = yes
> client ipc signing = auto
> wins server
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> read only = no
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
>
> [tmp]
> comment = Temporary file space
> inherit acls = Yes
> path = /tmp
> read only = No
>
>
> -=-=-=-=-=-=-=-=-=-=- resolv.conf -=-=-=-=-=-=-=-=-=-=-
>
> ### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
> ### autogenerated by netconfig!
> #
> # Before you change this file manually, consider to define the
> # static DNS configuration using the following variables in the
> # /etc/sysconfig/network/config file:
> # NETCONFIG_DNS_STATIC_SEARCHLIST
> # NETCONFIG_DNS_STATIC_SERVERS
> # NETCONFIG_DNS_FORWARDER
> # or disable DNS configuration updates via netconfig by setting:
> # NETCONFIG_DNS_POLICY=''
> #
> # See also the netconfig(8) manual page and other documentation.
> #
> ### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
> ####
> #### GU deleted symbolic link to /var/run/netconfig/resolv.conf and hardcoded
> ####
> domain graceland.edu
> search graceland.edu
> nameserver xxx.xxx.xxx.xxx
> nameserver xxx.xxx.xxx.xxx

I take it that the first nameserver is a DC.

>
> -=-=-=-=-=-=-=-=-=-=- krb5.conf -=-=-=-=-=-=-=-=-=-=-
>
> cat krb5.conf
> [libdefaults]
> default_realm = GRACELAND.EDU
> clockskew = 500
> # dns_lookup_realm = true
> # dns_lookup_kdc = true
> # forwardable = true
> # default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> # default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
> # default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
> # permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
> # proxiable = false
> # noaddresses = false
> # allow_weak_crypto = false
>
> [domain_realm]
> .graceland.edu = GRACELAND.EDU
> graceland.edu = GRACELAND.EDU
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
>
> [realms]
> GRACELAND.EDU = {
> default_domain = graceland.edu
> admin_server = xxxxxx.graceland.edu
> kdc = xxxxxx.graceland.edu
> }
>
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> minimum_uid = 1
> external = sshd
> use_shmem = sshd
>
> -=-=-=-=-=-=-=-=-=-=- idmap.conf -=-=-=-=-=-=-=-=-=-=-

Nothing to do with Samba, it is for NFS.

> [General]
>
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = localdomain
>
> [Mapping]
>
> Nobody-User = nobody
> Nobody-Group = nobody
>

Rowland
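Rowland's review above amounts to a short list of mechanical checks that can be run against the file before touching a live server. What follows is an added example, not code from the Samba project or from either poster: a small Python audit that parses an smb.conf and flags the points he raises (a hard-coded `password server`, the `tdb` backend on the member's own domain, `unix_nss_info` or `schema_mode` without the `ad` backend, stray `ldap` parameters on an AD member, a username-map script where `winbind use default domain = yes` would do, no `username map` for Administrator) plus the documented rule that the `*` range and the domain range must not overlap. The sample inputs are the posted `[global]` section (hostnames redacted as in the post) and a corrected version that reflects my own choice of the `rid` backend and of the ranges; the `/etc/samba/user.map` path is hypothetical.

```python
"""Audit an smb.conf for the AD-domain-member mistakes discussed in the thread.

Added example, not Samba project code. Assumptions: plain 'key = value' lines
(no 'include' or '%' substitutions), and a hypothetical /etc/samba/user.map
path for the username map in the corrected sample."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased, inner whitespace
    collapsed and spacing around ':' removed, because Samba parameter names
    are case- and whitespace-insensitive."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # e.g. the bare 'wins server' line in the posted file
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        conf[section][key] = value.strip()
    return conf


def _idmap_range(g, dom):
    value = g.get(f"idmap config {dom}:range")
    if not value:
        return None
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def audit_domain_member(conf):
    """Return [(parameter, finding)] for a 'security = ADS' member; an empty
    list means none of the reviewed mistakes are present."""
    g = conf.get("global", {})
    if g.get("security", "").lower() != "ads":
        return [("security", "not 'ADS'; these checks apply to an AD domain member")]
    dom = g.get("workgroup", "").lower()
    out = []
    if "password server" in g:
        out.append(("password server", "remove it; let winbind locate the best DC itself"))
    backend = g.get(f"idmap config {dom}:backend", "")
    if backend in ("", "tdb"):
        out.append((f"idmap config {dom} : backend",
                    "'tdb' is only for the default '*' domain; use ad, rid, autorid or nss"))
    for opt in ("unix_nss_info", "schema_mode"):
        if f"idmap config {dom}:{opt}" in g and backend != "ad":
            out.append((f"idmap config {dom} : {opt}", "only used with the 'ad' idmap backend"))
    for key in sorted(k for k in g if k.startswith("ldap ")):
        out.append((key, "ldap parameters do nothing on an AD member; drop them"))
    if "username map script" in g and g.get("winbind use default domain", "no").lower() != "yes":
        out.append(("username map script",
                    "to strip 'DOMAIN\\' use 'winbind use default domain = yes' instead"))
    if "username map" not in g:
        out.append(("username map", "add a map file so DOMAIN\\Administrator maps to root"))
    star, own = _idmap_range(g, "*"), _idmap_range(g, dom)
    if star and own and not (star[1] < own[0] or own[1] < star[0]):
        out.append(("idmap config ranges", "the '*' range and the domain range overlap"))
    return out


# The [global] section as posted in the thread (hostnames redacted there).
POSTED_CONF = """\
[global]
workgroup = GRACELAND
#kerberos method = secrets and keytab
password server = xxxxxx.graceland.edu
realm = GRACELAND.EDU
security = ADS
netbios name = nova
usershare allow guests = No
wins support = No
#username map script = /etc/samba/StripDomainName.sh
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config GRACELAND:unix_nss_info = yes
idmap config GRACELAND : backend = tdb
#idmap config SAMDOM:schema_mode = rfc2307
idmap config GRACELAND : range = 200000-2000200000
ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
ldap suffix = dc=graceland,dc=edu
ldap ssl = off
allow insecure wide links = yes
client ipc signing = auto
wins server
"""

# A member config following the advice in the thread. The 'rid' backend, the
# ranges and the map file path are my own choices, not taken from the post.
CORRECTED_CONF = """\
[global]
workgroup = GRACELAND
realm = GRACELAND.EDU
security = ADS
netbios name = nova
winbind use default domain = yes
username map = /etc/samba/user.map
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config GRACELAND : backend = rid
idmap config GRACELAND : range = 10000-999999
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        findings = audit_domain_member(parse_smb_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for param, why in findings:
            print(f"  {param}: {why}")
```

Run as-is it reports findings for the posted file and none for the corrected one. On the real server the follow-up checks are `testparm -s` to confirm the file still parses, then `wbinfo -u` and `getent passwd <user>` (with `winbind use default domain = yes` the name carries no `GRACELAND\` prefix) to confirm that winbind resolves an AD user to a UID. Whatever ranges are chosen must stay clear of the UIDs and GIDs of the ERP's local accounts, and moving from `tdb` to a deterministic backend such as `rid` changes the IDs winbind hands out, so ownership of existing files on the shares should be reviewed afterwards.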
John Adamski (Work Account)
2023-Feb-09 20:00 UTC
[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share
Thanks for the reply. I have a question or two to clarify what you stated. First, the ranges in the idmap settings were what the SUSE tech that had the case suggested. I just left them large after they closed the case. I will try setting them back to normal range. Second, the password server line has been included and excluded on different tries, I think it was left in from the last things the SUSE tech had me try. I will comment it out and see if that helps.

Now to my clarification question(s): I don't understand these comments:

>> idmap config GRACELAND:unix_nss_info = yes
>
> Only used with the 'ad' idmap backend
>
>> idmap config GRACELAND : backend = tdb
>
> Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends

I am not sure which config lines you are talking about and what they should be instead. Can you clarify?

John

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, February 9, 2023 12:49 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>

>> -=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-
>
> In my opinion this is where your problems start
>
>> cat smb.conf
>> # smb.conf is the main Samba configuration file. You find a full commented
>> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
>> # samba-doc package is installed.
>> # Date: 2015-05-01
>> [global]
>> workgroup = GRACELAND
>> #kerberos method = secrets and keytab
>> password server = xxxxxx.graceland.edu
>
> You should not set the password server. Let Samba find the best DC.
>
>> realm = GRACELAND.EDU
>> security = ADS
>> netbios name = nova
>> usershare allow guests = No
>> John David Adamski
>> Sr. Sysadmin/DBA
>> Graceland University
>>
>> wins support = No
>> #debug level = 7
>> #enable core files = yes
>> #username map script = /bin/echo
>> #username map script = /etc/samba/StripDomainName.sh
>
> I take it that is to remove 'GRACELAND\' from the user names, if so, what is wrong with 'winbind use default domain = yes' ?
> You should be using the username map to map Administrator to root.
>
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-199999
>
> Okay, but I wouldn't have used that range.
>
>> idmap config GRACELAND:unix_nss_info = yes
>
> Only used with the 'ad' idmap backend.
>
>> idmap config GRACELAND : backend = tdb
>
> Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends.
>
>> #idmap config SAMDOM:schema_mode = rfc2307
>
> Again only used with the 'ad' idmap backend.
>
>> idmap config GRACELAND : range = 200000-2000200000
>> ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Machines
>> ldap passwd sync = Yes
>> ldap suffix = dc=graceland,dc=edu
>> ldap user suffix = ou=Users
>> ldap ssl = off
>
> This is a Unix domain member, 'security = ADS' says that, so you shouldn't have the 'ldap' lines, they will do nothing other than potentially messing things up.
>
>> #passdb backend = tdbsam
>> allow insecure wide links = yes
>> client ipc signing = auto
>> wins server
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S
>> browseable = no
>> read only = no
>> inherit acls = yes
>> follow symlinks = yes
>> wide links = yes
>>
>> [tmp]
>> comment = Temporary file space
>> inherit acls = Yes
>> path = /tmp
>> read only = No
>>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba