On 28/04/2020 11:51, Enrico Morelli via samba wrote:> On Tue, 28 Apr 2020 12:31:09 +0200 > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: > >> Hai Rowland, >> >> Well, its based on that i have here. >> I run still a mixed setup here. ( 2 different domains ) >> >> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA ) >> 4.11.7 as AD-DC's (buster) DOMAINB >> >> All my windows clients login through AD-DC. (DOMAINB\username) >> I use the "Passthrough" auth for the shares on the PDC. >> (DOMAINA\username) I use GPO's to set the correct domain to pass.. >> And %username% for the usersnames >> >> 0 problems here with windows 10 and my "PDC" is set with security >> domain. >> >> Greetz, >> >> Louis >> >> >>> -----Oorspronkelijk bericht----- >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >>> Rowland penny via samba >>> Verzonden: dinsdag 28 april 2020 12:10 >>> Aan: samba at lists.samba.org >>> Onderwerp: Re: [Samba] Samba update cause windows incorrect password >>> >>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote: >>>> Sure, i have a suggestion. >>>> >>>> security = user ? In samba 4.9.x ? And using domain logings?? >>>> >>>> Run man smb.conf >>>> Search : security >>>> >>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it. >>>> >>>> Then goto : map to guest (G) >>>> Read that. >>>> >>>> Then goto : security (G) >>>> And read that also. >>>> >>>> I think you didnt read the complete changelog between 4.5.x >>> and 4.9.x also ;-) >>>> >>>>>> To be able to loing, I've to select Other User, enter username >>>>>> and password and all works fine. But if I logout and enter the >>>>>> same password, Windows tells me "Incorrect password". >>>> If you do that, your typing DOM\username ? Or only "username" >>>> >>>> Because, all windows logings now using COMPUTERNAME\username >>>> localy. So if you enter "username" for the PDC login it passes >>>> " >>> COMPUTERNAME\username" to samba most probely. >>>> I hope above helps you a bit, but as far i can see above is >>> only a configuration issue. >>>> You need to review the config and setup for security=domain. >>> The OP is running Samba as a PDC, so 'security = user' is >>> probably okay, >>> but I would remove it entirely and let Samba decide what it >>> should be ;-) >>> >>> What is missing is 'unix password sync = yes' >>> >>> If this was a Unix client, then you would need 'security >>> domain' and >>> run winbind, but it is a PDC using tdbsam, so you probably >>> don't. I say >>> this because I haven't run a PDC for sometime and would urge >>> the OP to >>> upgrade to AD. >>> >>> Rowland >>> > Thanks to both, but at the end which is the best way to reconfigure my > server without loose all my Windows machines? > If I put security = domain I'm unable to login. > security = ADS require kerberos and a lot of work, and at the end I'm > not sure that all my windows machines will works fine. > > In my laboratory there are many windows 10 machines, the server shares > a lot of folders and I can't afford not to let a lot of people work to > do my tests. > > I'm a bit confusingThe first thing I would do, start winbind if it isn't already running. If you run an NT4-style PDC, then any Linux clients need to use 'security = domain' and run winbind, Louis says this is also required on the PDC, but I am not entirely sure this is correct, I don't remember doing this. You only use 'security = ADS' on a Unix computer joined to an AD domain and adding it to a Unix client joined to an NT4-style domain will not make it an AD client. If you only have Windows clients then I suggest you upgrade to AD, which your Windows 10 machines will work better with. It is normal to set up a sandboxed network to test the upgrade, this way you can find and fix any problems before you do it for real on your production network. Rowland
Enrico Morelli
2020-Apr-29 10:46 UTC
[Samba] Samba update cause windows incorrect password
Thanks for the suggestions. When I'll can go to work I'll start to test the Ad solution. All my clients are Windows and the only things I need is the client authentication and permit to some user to access to some shared folders from the server. Have you some tutorials/books to help me to configure everything? Thanks again ----------------------------------------------------------- Enrico Morelli System Administrator | Programmer | Web Developer CERM - Polo Scientifico via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY ----------------------------------------------------------- In data 28 aprile 2020 1:09:46 PM Rowland penny via samba <samba at lists.samba.org> ha scritto:> On 28/04/2020 11:51, Enrico Morelli via samba wrote: >> On Tue, 28 Apr 2020 12:31:09 +0200 >> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote: >> >>> Hai Rowland, >>> >>> Well, its based on that i have here. >>> I run still a mixed setup here. ( 2 different domains ) >>> >>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA ) >>> 4.11.7 as AD-DC's (buster) DOMAINB >>> >>> All my windows clients login through AD-DC. (DOMAINB\username) >>> I use the "Passthrough" auth for the shares on the PDC. >>> (DOMAINA\username) I use GPO's to set the correct domain to pass.. >>> And %username% for the usersnames >>> >>> 0 problems here with windows 10 and my "PDC" is set with security >>> domain. >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens >>>> Rowland penny via samba >>>> Verzonden: dinsdag 28 april 2020 12:10 >>>> Aan: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect password >>>> >>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote: >>>>> Sure, i have a suggestion. >>>>> >>>>> security = user ? In samba 4.9.x ? And using domain logings?? >>>>> >>>>> Run man smb.conf >>>>> Search : security >>>>> >>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it. >>>>> >>>>> Then goto : map to guest (G) >>>>> Read that. >>>>> >>>>> Then goto : security (G) >>>>> And read that also. >>>>> >>>>> I think you didnt read the complete changelog between 4.5.x >>>> and 4.9.x also ;-) >>>>> >>>>>>> To be able to loing, I've to select Other User, enter username >>>>>>> and password and all works fine. But if I logout and enter the >>>>>>> same password, Windows tells me "Incorrect password". >>>>> If you do that, your typing DOM\username ? Or only "username" >>>>> >>>>> Because, all windows logings now using COMPUTERNAME\username >>>>> localy. So if you enter "username" for the PDC login it passes >>>>> " >>>> COMPUTERNAME\username" to samba most probely. >>>>> I hope above helps you a bit, but as far i can see above is >>>> only a configuration issue. >>>>> You need to review the config and setup for security=domain. >>>> The OP is running Samba as a PDC, so 'security = user' is >>>> probably okay, >>>> but I would remove it entirely and let Samba decide what it >>>> should be ;-) >>>> >>>> What is missing is 'unix password sync = yes' >>>> >>>> If this was a Unix client, then you would need 'security >>>> domain' and >>>> run winbind, but it is a PDC using tdbsam, so you probably >>>> don't. I say >>>> this because I haven't run a PDC for sometime and would urge >>>> the OP to >>>> upgrade to AD. >>>> >>>> Rowland >>>> >> Thanks to both, but at the end which is the best way to reconfigure my >> server without loose all my Windows machines? >> If I put security = domain I'm unable to login. >> security = ADS require kerberos and a lot of work, and at the end I'm >> not sure that all my windows machines will works fine. >> >> In my laboratory there are many windows 10 machines, the server shares >> a lot of folders and I can't afford not to let a lot of people work to >> do my tests. >> >> I'm a bit confusing > > The first thing I would do, start winbind if it isn't already running. > > If you run an NT4-style PDC, then any Linux clients need to use > 'security = domain' and run winbind, Louis says this is also required on > the PDC, but I am not entirely sure this is correct, I don't remember > doing this. > > You only use 'security = ADS' on a Unix computer joined to an AD domain > and adding it to a Unix client joined to an NT4-style domain will not > make it an AD client. > > If you only have Windows clients then I suggest you upgrade to AD, which > your Windows 10 machines will work better with. > > It is normal to set up a sandboxed network to test the upgrade, this way > you can find and fix any problems before you do it for real on your > production network. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On 29/04/2020 11:46, Enrico Morelli via samba wrote:> Thanks for the suggestions. When I'll can go to work I'll start to > test the Ad solution. All my clients are Windows and the only things I > need is the client authentication and permit to some user to access to > some shared folders from the server. > > Have you some tutorials/books to help me to configure everything?We have an entire wiki ;-) see here: https://wiki.samba.org/index.php/Main_Page Any questions, ask here. Rowland