John Adamski (Work Account)
2023-Feb-09 20:00 UTC
[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share
Thanks for the reply. I have a question or two to clarify what you stated.

First, the ranges in the idmap settings were what the SUSE tech that had the case suggested. I just left them large after they closed the case. I will try setting them back to the normal range.

Second, the password server line has been included and excluded on different tries; I think it was left in from the last things the SUSE tech had me try. I will comment it out and see if that helps.

Now to my clarification question(s):

I don't understand these comments:

> idmap config GRACELAND:unix_nss_info = yes

Only used with the 'ad' idmap backend

> idmap config GRACELAND : backend = tdb

Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends

I am not sure which config lines you are talking about and what they should be instead. Can you clarify?

John

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, February 9, 2023 12:49 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>

> -=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-

In my opinion this is where your problems start

> > cat smb.conf
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2015-05-01
> [global]
> workgroup = GRACELAND
> #kerberos method = secrets and keytab
> password server = xxxxxx.graceland.edu

You should not set the password server, let Samba find the best DC

> realm = GRACELAND.EDU
> security = ADS
> netbios name = nova
> usershare allow guests = No
> John David Adamski Sr.
> Sysadmin/DBA Graceland University
>
> wins support = No
> #debug level = 7
> #enable core files = yes
> #username map script = /bin/echo
> #username map script = /etc/samba/StripDomainName.sh

I take it that is to remove 'GRACELAND\' from the user names, if so, what is wrong with 'winbind use default domain = yes' ? You should be using the username map to map Administrator to root.

> idmap config * : backend = tdb
> idmap config * : range = 10000-199999

Okay, but I wouldn't have used that range

> idmap config GRACELAND:unix_nss_info = yes

Only used with the 'ad' idmap backend

> idmap config GRACELAND : backend = tdb

Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends

> #idmap config SAMDOM:schema_mode = rfc2307

Again only used with the 'ad' idmap backend

> idmap config GRACELAND : range = 200000-2000200000
> ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = Yes
> ldap suffix = dc=graceland,dc=edu
> ldap user suffix = ou=Users
> ldap ssl = off

This is a Unix domain member, 'security = ADS' says that, so you shouldn't have the 'ldap' lines, they will do nothing other than potentially messing things up.

> #passdb backend = tdbsam
> allow insecure wide links = yes
> client ipc signing = auto
> wins server
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> read only = no
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
>
> [tmp]
> comment = Temporary file space
> inherit acls = Yes
> path = /tmp
> read only = No
>

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Feb-09 20:38 UTC
[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share
On 09/02/2023 20:00, John Adamski (Work Account) wrote:
> Thanks for the reply. I have a question or two to clarify what you stated.
>
> First, the ranges in the idmap settings were what the SUSE tech that had the case suggested. I just left them large after they closed the case. I will try setting them back to the normal range.

The problem is, if you change the ranges, you change file ownership, so by that guy changing them, they changed file ownership if any new files have been created.

>
> Second, the password server line has been included and excluded on different tries; I think it was left in from the last things the SUSE tech had me try. I will comment it out and see if that helps.
>
> Now to my clarification question(s):
>
> I don't understand these comments:
>
>> idmap config GRACELAND:unix_nss_info = yes
>
> Only used with the 'ad' idmap backend
>
>> idmap config GRACELAND : backend = tdb
>
> Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends
>
> I am not sure which config lines you are talking about and what they should be instead. Can you clarify?
>

There are various idmap backends. You can read the documentation for each backend by entering 'man idmap-BACKEND' where 'BACKEND' can be:

tdb
ad
rid
autorid
nss

NOTE: there are others, but they are the main ones used.

tdb: This is an allocating backend and is used for the default domain '*'

ad: This requires that users are given a uidNumber attribute containing a unique number in the DOMAIN range, Domain Users must also have a gidNumber attribute. Any group that you require to be visible to Unix must also have a gidNumber attribute. You can also use the other RFC2307 attributes

rid: This calculates the Unix user and group IDs from the user or group RID using the low DOMAIN range set in smb.conf

autorid: works similar to 'rid' but is used for multiple domains.

nss: requires local users and groups to match AD users and groups

NOTE: 'DOMAIN' above refers to the workgroup name.

The 'idmap config' lines that I referred to only have relevance if you use the 'ad' idmap backend

You said:

The ERP requires local Linux user accounts and local group for security so can't get this from AD.

I don't know if you noticed my reply:

Yes you can

Properly set up, Samba makes AD users into local users.

If you accept that the output from 'getent passwd A_USERNAME' shows local users, then:

getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Means that 'rowland' is a local user, right?

Then what do you make of this:

rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

Rowland is not in /etc/passwd

And

rowland at devstation:~$ wbinfo -u | grep rowland
rowland

wbinfo reads from AD, so 'rowland' only exists in AD, but is a local Unix user.

Any further questions etc, please ask.

Rowland
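The points Rowland makes above (the 'password server' and 'ldap' lines do not belong on an AD domain member, 'tdb' must not be the backend for the domain itself, 'unix_nss_info' only means something with the 'ad' backend, and 'rid' derives IDs from the low end of the domain range) can be checked mechanically before winbind is restarted. The following shell script is an added example, not code from the thread or from the Samba project: it lints a constructed smb.conf modelled on the one quoted in the thread, a constructed corrected version of it, and implements the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID as documented in idmap_rid(8). The DC name dc1.graceland.edu, the corrected ranges and the RID values are assumptions for the demonstration, not anything from John's site.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Lints an smb.conf for
# the AD-member idmap problems described in the reply above, and shows the
# idmap_rid ID formula. All configs, names and RIDs below are constructed.

# Constructed config modelled on the one quoted in the thread (DC name assumed).
SAMPLE_SMB_CONF='[global]
workgroup = GRACELAND
password server = dc1.graceland.edu
realm = GRACELAND.EDU
security = ADS
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config GRACELAND:unix_nss_info = yes
idmap config GRACELAND : backend = tdb
idmap config GRACELAND : range = 200000-2000200000
ldap suffix = dc=graceland,dc=edu
ldap ssl = off'

# Constructed replacement: no password server, no ldap lines, rid backend for
# the domain, tdb only for '*', and non-overlapping ranges.
FIXED_SMB_CONF='[global]
workgroup = GRACELAND
realm = GRACELAND.EDU
security = ADS
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config GRACELAND : backend = rid
idmap config GRACELAND : range = 10000-999999'

# Normalise one line: strip comments and trailing blanks, then remove the
# blanks around ':' and the first '=', so "idmap config GRACELAND : backend = tdb"
# and "idmap config GRACELAND:backend=tdb" both become the latter form.
norm_line() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*[#;].*$//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*:[[:space:]]*/:/g' -e 's/[[:space:]]*=[[:space:]]*/=/'
}

# conf_get CONF KEY: print the value of KEY given in normalised form
# (e.g. KEY='idmap config GRACELAND:backend'), or nothing if it is unset.
conf_get() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        n=$(norm_line "$line")
        case "$n" in "$2="*) printf '%s\n' "${n#*=}"; break ;; esac
    done
}

# conf_has_prefix CONF PREFIX: print 'yes' if any key starts with PREFIX.
conf_has_prefix() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        n=$(norm_line "$line")
        case "$n" in "$2"*) printf 'yes\n'; break ;; esac
    done
}

# lint_smb_conf CONF: print one finding per line; prints nothing when clean.
lint_smb_conf() {
    conf=$1
    wg=$(conf_get "$conf" 'workgroup')
    if [ "$(conf_get "$conf" 'security')" = ADS ]; then
        if [ -n "$(conf_get "$conf" 'password server')" ]; then
            echo "password server is set; an AD member should let Samba choose a DC"
        fi
        if [ "$(conf_has_prefix "$conf" 'ldap ')" = yes ]; then
            echo "ldap settings do nothing on an AD member (security = ADS)"
        fi
    fi
    be=$(conf_get "$conf" "idmap config $wg:backend")
    case "$be" in
        tdb) echo "idmap backend for $wg is tdb; use ad, rid, autorid or nss" ;;
        '')  echo "no idmap backend configured for $wg" ;;
    esac
    if [ "$(conf_get "$conf" "idmap config $wg:unix_nss_info")" = yes ] && [ "$be" != ad ]; then
        echo "unix_nss_info only applies to the ad backend (backend is '$be')"
    fi
    # Two ranges LOW-HIGH overlap when each low end is at or below the other's high end.
    r1=$(conf_get "$conf" 'idmap config *:range')
    r2=$(conf_get "$conf" "idmap config $wg:range")
    if [ -n "$r1" ] && [ -n "$r2" ] \
        && [ "${r1%-*}" -le "${r2#*-}" ] && [ "${r2%-*}" -le "${r1#*-}" ]; then
        echo "idmap ranges for * ($r1) and $wg ($r2) overlap"
    fi
    return 0
}

# lint_count CONF: number of findings (0 when the config is clean).
lint_count() {
    lint_smb_conf "$1" | grep -c . || true
}

# rid_to_id RID LOW HIGH [BASE_RID]: the idmap_rid mapping
# ID = RID - BASE_RID + LOW_RANGE_ID (base_rid defaults to 0, as in idmap_rid(8));
# prints the ID, or 'out-of-range' if it falls outside LOW..HIGH.
rid_to_id() {
    id=$(( $1 - ${4:-0} + $2 ))
    if [ "$id" -lt "$2" ] || [ "$id" -gt "$3" ]; then
        echo out-of-range
    else
        echo "$id"
    fi
}

echo "== findings for the config quoted in the thread =="
lint_smb_conf "$SAMPLE_SMB_CONF"
echo "== findings for the corrected config: $(lint_count "$FIXED_SMB_CONF") =="
echo "RID 1104 with range 10000-999999 maps to ID $(rid_to_id 1104 10000 999999)"
```

Run it as-is to see the four findings against the quoted config and none against the corrected one; to lint a real file, replace the SAMPLE_SMB_CONF string with `"$(cat /etc/samba/smb.conf)"`. Note that the range-overlap check is the reason changing a domain's range is not free: as Rowland says, IDs already written into file ownership move with it.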