samba - Apr 2019 - AD member server, some users suddenly can only connect to shares via ip address

On 2019/04/25 14:44, Rowland Penny via samba wrote:
> OK, post your smb.conf
Thanks for help.... remember this has been working up to now and only a 
few users have the password prompt..  (btw "gibb.local" is a trusted 
samba3 domain used for migration, connecting as a gibb.local user does work)

getent passwd returns expected results, as does wbinfo -u

# Global parameters
[global]
         netbios name = PTA-CLUSTER
         realm = AD.GIBB.CO.ZA
         server string = Pretoria Cluster
         workgroup = GIBB
         ldap connection timeout = 20
         ldap timeout = 60
         log file = /var/log/samba/log.%m
         max log size = 1000
         syslog = 0
         panic action = /usr/share/samba/panic-action %d
         map to guest = Bad User
         obey pam restrictions = Yes
         pam password change = Yes
         passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
         passwd program = /usr/bin/passwd %u
         security = ADS
         server role = member server
         unix password sync = Yes
         username map = /etc/samba/user.map
         template homedir = /home/gibb/%U
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind refresh tickets = Yes
         winbind request timeout = 120
         dns proxy = No
         wins server = 192.168.112.94 192.168.104.2
         idmap config gibb.local : range = 1600000-1999999
         idmap config gibb.local : backend = rid
         idmap config gibb : range = 1000000-1599999
         idmap config gibb : backend = rid
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
[homes]
         comment = Home Directories
         path = /home/gibb/%U
         browseable = No
         root preexec = /usr/local/sbin/mkhomedir.sh %U
         create mask = 0750
         directory mask = 0750
         read only = No
        valid users = %S GIBB.LOCAL\%S GIBB\%S

[projects]
         comment = Pretoria projects
         path = /home/shares/projects
         inherit permissions = Yes
         read only = No
         valid users = @domusers "@GIBB.LOCAL\Domain Users" 
"@GIBB\Domain Users"

user.map:

!root = GIBB\Administrator

On Thu, 25 Apr 2019 15:39:21 +0200
Neil Price via samba <samba at lists.samba.org> wrote:
> On 2019/04/25 14:44, Rowland Penny via samba wrote:
> > OK, post your smb.conf  
> 
> Thanks for help.... remember this has been working up to now and only
> a few users have the password prompt..  (btw "gibb.local" is a
> trusted samba3 domain used for migration, connecting as a gibb.local
> user does work)
> 
> getent passwd returns expected results, as does wbinfo -u
> 
> # Global parameters
> [global]
>          netbios name = PTA-CLUSTER
>          realm = AD.GIBB.CO.ZA
>          server string = Pretoria Cluster
>          workgroup = GIBB
>          ldap connection timeout = 20
You should remove the above, you do not use ldap with an AD Unix domain
member
>          ldap timeout = 60
 as above
>          log file = /var/log/samba/log.%m
>          max log size = 1000
>          syslog = 0
>          panic action = /usr/share/samba/panic-action %d
>          map to guest = Bad User
>          obey pam restrictions = Yes
>          pam password change = Yes
>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          passwd program = /usr/bin/passwd %u
>          security = ADS
>          server role = member server
>          unix password sync = Yes
You shouldn't have any Unix users that are in AD in /etc/passwd, so you
do not need the above line.
>          username map = /etc/samba/user.map
>          template homedir = /home/gibb/%U
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind refresh tickets = Yes
>          winbind request timeout = 120
>          dns proxy = No
>          wins server = 192.168.112.94 192.168.104.2
You do not use 'wins' with AD
>          idmap config gibb.local : range = 1600000-1999999
>          idmap config gibb.local : backend = rid
You said above that 'gibb.local' is a trusted domain that was used for
migration. Two questions about this, is 'gibb.local' the workgroup
name, if so, why does it have a dot in it ? Secondly, you mentioned
'migrate', do you mean you migrated 'gibb.local' (a PDC domain)
to the
'GIBB' AD domain ? if so, you should immediately turn off
'gibb.local',
it will have the same SID as 'GIBB'
If this isn't the case, can you explain further what you mean by
'migrate' ?
>          idmap config gibb : range = 1000000-1599999
>          idmap config gibb : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
Rowland

On 2019/04/25 16:24, Rowland Penny via samba wrote:
(.. lots of helpful stuff)

Thanks for advice on smb.conf..

Today people who could not access it yesterday can, and some people who 
could access it can't and even one who cannot access it via the ip 
address, so you know what I'll be doing this weekend.
> You said above that 'gibb.local' is a trusted domain that was used
for
> migration. Two questions about this, is 'gibb.local' the workgroup
> name, if so, why does it have a dot in it ? Secondly, you mentioned
> 'migrate', do you mean you migrated 'gibb.local' (a PDC
domain) to the
> 'GIBB' AD domain ? if so, you should immediately turn off
'gibb.local',
> it will have the same SID as 'GIBB'
> If this isn't the case, can you explain further what you mean by
> 'migrate' ?
I did not use the samba migration tools so the SIDs are different. I 
used the trust because we could migrate people and machines at leisure 
and without downtime. It has not caused problems (but will be removed 
shortly). We did try the  migration tools but it puked on our ldap.