samba - Jun 2019 - Difficulty with samba after updating from 3.6.6 to 4.9.0.0

Server - HPUX 11.31
Clients - WIN7 WIN10

After upgrading my versions to 4.9.0.0 I've noticed that we're unable to
connect to our AD joined SMB HP-UX Server any longer.

Could someone tell me where to begin digging in release notes between
3.6.6-4.9.0.0  to find out what changed in the smb.conf file that would be
causing our problems?

Here's a somewhat similar .conf output

global]
        workgroup = BCACD001
        realm = BCACD001.ATL.BLUECROSS.CA
        server string = SERVER
        security = ADS
        update encrypted = Yes
        password server = DomainController01
        smb passwd file = /etc/opt/samba/private/smbpasswd
        passwd program = /usr/bin/passwd %u
        log level = 3
        log file = /var/adm/samba/samba-log.%m
        add user script = /opt/samba/bin/smbpasswd -%S -a -e -n
        logon path = \\%L\profiles\.msprofile
        logon drive = H:
        logon home = \\%L\%U\.9xprofile
        os level = 33
        domain master = No
        lock directory = /etc/opt/samba/lock
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = /
        directory security mask = 0700
        force directory security mode = 0700
        unix ignore mask = No
        print command = lp -c -d%p %s


I'm fairly new to the organization and just helped a colleague with his
updates for HPUX and are running into this.


Charles McGraw
Systems Administrator  |  Medavie Blue Cross
506.867.5331  |  Charles.McGraw at medavie.bluecross.ca<mailto:Charles.McGraw
at medavie.bluecross.ca>
Proud to be one of Canada's top employers!
LinkedIn<https://www.linkedin.com/company-beta/16960/> |
Twitter(E)<https://twitter.com/MedavieBC> |
Twitter(F)<https://twitter.com/CBMedavie> |
Facebook<https://www.facebook.com/MedavieBlueCross/>

----------------------------------------------------------------------
This communication, including any attached documentation, is intended only for
the person or entity to which it is addressed, and may contain confidential,
personal, and/or privileged information. Any unauthorized disclosure, copying,
or taking action on the contents is strictly prohibited. If you have received
this message in error, please contact us immediately so we may correct our
records. Please then delete or destroy the original transmission and any
subsequent reply. Thank you.

La présente communication, y compris toute pièce qui y a été jointe, est
destinée uniquement à la personne ou à l’entité à laquelle elle a été adressée,
et contient des renseignements à caractère confidentiel et personnel. Toute
diffusion ou reproduction non autorisée ou toute intervention entreprise
relativement à son contenu est strictement interdite. Si vous avez reçu ce
message par erreur, veuillez nous le signaler immédiatement afin que nous
puissions effectuer la correction à nos dossiers. Veuillez par la suite
supprimer ou détruire le contenu de la transmission originale ainsi que toute
réponse ultérieure. Merci.

On 03/06/2019 19:26, McGraw, Charles via samba wrote:
> Server - HPUX 11.31
> Clients - WIN7 WIN10
>
> After upgrading my versions to 4.9.0.0 I've noticed that we're
unable to connect to our AD joined SMB HP-UX Server any longer.
What does the authentication, an AD DC or the HP-UX ?
>
> Could someone tell me where to begin digging in release notes between
3.6.6-4.9.0.0  to find out what changed in the smb.conf file that would be
causing our problems?
After reading your smb.conf, just about everything has changed it seems ;-)

What does the HP-UX do ?

Once I find out, I will help you rewrite your smb.conf

Rowland
>
> Here's a somewhat similar .conf output
>
> global]
>          workgroup = BCACD001
>          realm = BCACD001.ATL.BLUECROSS.CA
>          server string = SERVER
>          security = ADS
>          update encrypted = Yes
>          password server = DomainController01
>          smb passwd file = /etc/opt/samba/private/smbpasswd
>          passwd program = /usr/bin/passwd %u
>          log level = 3
>          log file = /var/adm/samba/samba-log.%m
>          add user script = /opt/samba/bin/smbpasswd -%S -a -e -n
>          logon path = \\%L\profiles\.msprofile
>          logon drive = H:
>          logon home = \\%L\%U\.9xprofile
>          os level = 33
>          domain master = No
>          lock directory = /etc/opt/samba/lock
>          idmap uid = 10000-20000
>          idmap gid = 10000-20000
>          winbind separator = /
>          directory security mask = 0700
>          force directory security mode = 0700
>          unix ignore mask = No
>          print command = lp -c -d%p %s
>
>

On 03/06/2019 20:07, McGraw, Charles wrote:
> The HP-UX Server is nothing more than a batch job server with file shares
OK, I will try another tack, is the smb.conf from the HP-UX ?

If not, where is it from ?

Also, in a slightly different way, what does the authentication, an AD 
DC or what ?

If it is a an AD DC, is IDMU installed ?

Rowland

On 03/06/2019 20:41, Rowland penny via samba wrote:
> On 03/06/2019 20:07, McGraw, Charles wrote:
>> The HP-UX Server is nothing more than a batch job server with file 
>> shares
>
> OK, I will try another tack, is the smb.conf from the HP-UX ?
>
> If not, where is it from ?
>
> Also, in a slightly different way, what does the authentication, an AD 
> DC or what ?
>
> If it is a an AD DC, is IDMU installed ?
>
> Rowland
>
>
>
>
OK, I will take a chance that the smb.conf is from the the HP (not that 
this really matters), that it is joined to an AD domain and IDMU is not 
installed.

These parameters no longer exist:

         update encrypted = Yes
         directory security mask = 0700
         force directory security mode = 0700
         unix ignore mask = No

You should allow Samba to find the best DC to use, so you don't need this:
         password server = DomainController01

The passwords are stored in AD, so don't need these:
         smb passwd file = /etc/opt/samba/private/smbpasswd
         passwd program = /usr/bin/passwd %u

These only make sense on a PDC:
         add user script = /opt/samba/bin/smbpasswd -%S -a -e -n
         logon path = \\%L\profiles\.msprofile
         logon drive = H:
         logon home = \\%L\%U\.9xprofile
         os level = 33

Finally, 'idmap uid/gid' has been replaced by 'idmap config'
lines
         idmap uid = 10000-20000
         idmap gid = 10000-20000

Bearing the above in mind, I would try the following smb.conf:

global]
         workgroup = BCACD001
         realm = BCACD001.ATL.BLUECROSS.CA
         server string = SERVER
         security = ADS
         log level = 3
         log file = /var/adm/samba/samba-log.%m
         domain master = No
         lock directory = /etc/opt/samba/lock

         ## map ids outside of domain to tdb files.
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         ## map ids from the domain  the ranges may not overlap !
         idmap config BCACD001 : backend = rid
         idmap config BCACD001 : range = 10000-20000
         winbind separator = /
         print command = lp -c -d%p %s

There are other parameters that could be added, but one fence at a time ;-)

Rowland