samba - Oct 2024 - Joining a 2022-schema Active Directory

Hello,

I'm trying to connect a Debian 11.x server (running Samba 4.13.13, old
version...) to an AD which is controlled by a Windows Server 2022
(21H2) controller.

The server joined the domain fine, it's listed among the domain
members normally, and user authentication works ("id <some domain
user>"
works), however I can connect to the server just fine in two cases :

 * From another linux machine, using smbclient, I can connect to my
   share using a domain user;

 * From a Win11 machine which is NOT a member of the domain, I can
 connect using credentials from a domain user;

BUT from any machine which is a domain member, I can't reach my server
at all; it's not listed in the "Network", and accessing it
directly
either with \\servername or \\servername\share fails instantly (with an
undefined, therefore completely unhelpful error 0x80004005).

Now from https://wiki.samba.org/index.php/AD_Schema_Version_Support I
see that Samba 4.13.13 (which I'm running) apparently can't manage an
AD schema higher than Win2008R2 ... Could that be the source of my
problems? Apparently I'd need Samba 4.19+ (though I don't know what sort
of failures I'm supposed to encounter when running in an higher than
supported schema).

In that case the only solution would be upgrading to Debian 12, then
installing Samba 4.20 from the backports. Is there any other way around?

cheers,
-- 
------------------------------------------------------------------------
   Emmanuel Florac     |   Direction technique
------------------------------------------------------------------------
   https://intellique.com
------------------------------------------------------------------------
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: Signature digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20241003/e30ca8bb/attachment.sig>

On Thu, 3 Oct 2024 15:39:29 +0200
Emmanuel Florac via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I'm trying to connect a Debian 11.x server (running Samba 4.13.13, old
> version...) to an AD which is controlled by a Windows Server 2022
> (21H2) controller.
> 
> The server joined the domain fine, it's listed among the domain
> members normally, and user authentication works ("id <some domain
> user>" works), however I can connect to the server just fine in two
> user>cases :
From the above, it sounds like you are joining Samba as a Unix domain
member (security = ads)
> 
>  * From another linux machine, using smbclient, I can connect to my
>    share using a domain user;
> 
>  * From a Win11 machine which is NOT a member of the domain, I can
>  connect using credentials from a domain user;
> 
> BUT from any machine which is a domain member, I can't reach my server
> at all; it's not listed in the "Network", and accessing it
directly
> either with \\servername or \\servername\share fails instantly (with
> an undefined, therefore completely unhelpful error 0x80004005).
> 
> Now from https://wiki.samba.org/index.php/AD_Schema_Version_Support I
> see that Samba 4.13.13 (which I'm running) apparently can't manage
an
> AD schema higher than Win2008R2 ... Could that be the source of my
> problems? Apparently I'd need Samba 4.19+ (though I don't know what
> sort of failures I'm supposed to encounter when running in an higher
> than supported schema).
> 
> In that case the only solution would be upgrading to Debian 12, then
> installing Samba 4.20 from the backports. Is there any other way
> around?
> 
If this is a Unix domain member, then the schema is only used on the
Windows DC, the Samba Unix domain member never sees it directly.

This sounds like a SMBv1 problem (partially at least), where, because
NetBIOS isn't being used, Network Browsing no longer works, but
smbclient connecting to a share should.

While Samba 4.13.13 is old (and you really should update to a much
newer version), it should work as a Unix domain member.

If it is a Unix domain member, please can you post the output of
'testparm -s', if it isn't, can you please explain in a bit more
detail
just how you have set up Samba.

Rowland