Okay, the '%' were due to a bad copy-paste between the source code and a local smb.conf. Samba is running on a minimal and embedded environment, which is why it must be built using buildroot. It turns out that we might have been too restrictive with the Samba libraries embedded in our environment. I've solved this issue using the latest version available in buildroot (4.19.3) and making sure all Samba libraries are there. The command "net ads join" now works well and I can connect to a share using AD authentication without netbios.

One last thing though: I have to do a new join after each reboot because a large part of the system is not persistent across reboots (like the whole /var directory, which is flushed). The only things I back up are passdb.tdb and secrets.tdb (historically for local user authentication). Are there other things to back up to avoid the Kerberos pre-authentication issue after reboot?

Thanks for your help

Vincent

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
Sent: Friday, 26 January 2024 10:58
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba acting as a domain member + netbios

On Fri, 26 Jan 2024 08:44:13 +0000
Vincent DROUIN <vdrouin at chapsvision.com> wrote:

> Active Directory running on Windows Server 2019
> Samba 4.15.8 (built from buildroot, using heimdal & libgssapi_krb5)

It sounds like you built Samba yourself, if so, why ?
Also why use an old version ?

> Samba is running on a custom Unix distribution, all ports are open for
> the tests

'custom unix' ????

> Testparm -s result :
>
> # Global parameters
> [global]
> bind interfaces only = Yes
> disable spoolss = Yes
> idmap cache time = 300
> idmap negative cache time = 0
> interfaces = 127.0.0.0/8 enp0s8
> load printers = No
> machine password timeout = 0
> name cache timeout = 0
> realm = BERTINIT.TEST
> security = ADS
> server string = VDMACHINE File Server
> smb ports = 445
> template homedir = /data/cifs/%%U
> winbind cache time = 0
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind use default domain = Yes
> workgroup = BERTINIT
> idmap config bertinit : range = 3000-999999
> idmap config bertinit : backend = rid
> idmap config * : range = 1000-2999
> idmap config * : backend = tdb
>
>
> [homes]
> comment = LDAP only
> force create mode = 0775
> force directory mode = 0775
> force group = trans
> force user = %%U
> path = /data/cifs/%%U
> read only = No
> root preexec = /bin/hush /var/lib/samba/scripts/mkhomedir.sh %%U
> valid users = %%U
> vfs objects = full_audit
> full_audit:syslog = false
> full_audit:success = fntimes
> full_audit:prefix = %%u|%%I

Why the double '%' ? It should be just one e.g. 'valid users = %U'

You do not actually need the 'path' parameter in '[homes]', it is set in '[global]'

Having said that, it has nothing to do with your problem, which is that you do not want to use netbios. I said in my last post:

If 'disable netbios = yes' is set in smb.conf, then netbios shouldn't be used by Samba and you shouldn't be having problems with it.

Try adding 'disable netbios = yes' to your smb.conf, stop nmbd and stop it from starting again. Restart Samba and see if your problem has gone away, it should have.

Rowland

PS, please do not 'CC' me, just reply to the list.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
I guess I should also do a backup of netlogon_creds_cli.tdb. Is this enough, or is there something else recommended to avoid some bad corner cases?

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of Vincent DROUIN via samba
Sent: Friday, 26 January 2024 18:38
To: samba at lists.samba.org
Subject: Re: [Samba] Samba acting as a domain member + netbios

[...]
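Rowland's configuration points in the thread above (Samba substitutions take a single '%', an AD member that should not use NetBIOS needs 'disable netbios = yes', and the [homes] 'path' is redundant) as a small checker and fixer over a constructed smb.conf fragment. This is an added example, not code from the thread or from the Samba project; the sample configuration is constructed from the fragments quoted above, and the parser is a minimal one (no 'include' or 'copy' handling).

```python
# Constructed sample echoing the [global]/[homes] fragments quoted in the thread, with the doubled '%%'.
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    realm = BERTINIT.TEST
    template homedir = /data/cifs/%%U
[homes]
    force user = %%U
    path = /data/cifs/%%U
    valid users = %%U
    full_audit:prefix = %%u|%%I
"""

def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}; names are lower-cased."""
    conf: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_conf(conf: dict[str, dict[str, str]]) -> list[str]:
    """Flag the issues Rowland raised in the thread; an empty list means clean."""
    findings = []
    for section, params in conf.items():
        for key, value in params.items():
            if "%%" in value:  # Samba substitutions take a single '%', e.g. %U
                findings.append(f"[{section}] {key}: doubled '%%' in '{value}'")
    glob = conf.get("global", {})
    if glob.get("security", "").lower() == "ads" and glob.get("disable netbios", "no").lower() not in ("yes", "true", "1"):
        findings.append("[global] security = ADS without 'disable netbios = yes': NetBIOS is still in use")
    if "path" in conf.get("homes", {}):
        findings.append("[homes] 'path' is redundant; per the thread it is already set in [global]")
    return findings

def fix_conf(conf: dict[str, dict[str, str]]) -> dict[str, dict[str, str]]:
    """Return a corrected copy: single '%', netbios disabled, [homes] path dropped."""
    fixed = {s: {k: v.replace("%%", "%") for k, v in p.items()
                 if not (s == "homes" and k == "path")} for s, p in conf.items()}
    fixed.setdefault("global", {})["disable netbios"] = "yes"
    return fixed
```

Run `check_conf(parse_smb_conf(open("/etc/samba/smb.conf").read()))` against a real file to get the same findings; `testparm -s` output parses the same way.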