samba - Apr 2020 - Samba update cause windows incorrect password

On 28/04/2020 11:51, Enrico Morelli via samba wrote:
> On Tue, 28 Apr 2020 12:31:09 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
>
>> Hai Rowland,
>>
>> Well, its based on that i have here.
>> I run still a mixed setup here. ( 2 different domains )
>>
>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>> 4.11.7 as AD-DC's (buster) DOMAINB
>>
>> All my windows clients login through AD-DC. (DOMAINB\username)
>> I use the "Passthrough" auth for the shares on the PDC.
>> (DOMAINA\username) I use GPO's to set the correct domain to pass..
>> And %username% for the usersnames
>>
>> 0 problems here with windows 10 and my "PDC" is set with
security >> domain.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>> Rowland penny via samba
>>> Verzonden: dinsdag 28 april 2020 12:10
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect
password
>>>
>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>> Sure, i have a suggestion.
>>>>
>>>> security = user ? In samba 4.9.x ?  And using domain logings??
>>>>
>>>> Run man smb.conf
>>>> Search : security >>>>
>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see
it.
>>>>
>>>> Then goto : map to guest (G)
>>>> Read that.
>>>>
>>>> Then goto : security (G)
>>>> And read that also.
>>>>
>>>> I think you didnt read the complete changelog between 4.5.x
>>> and 4.9.x also ;-)
>>>>   
>>>>>> To be able to loing, I've to select Other User,
enter username
>>>>>> and password and all works fine. But if I logout and
enter the
>>>>>> same password, Windows tells me "Incorrect
password".
>>>> If you do that, your typing DOM\username ? Or only
"username"
>>>>
>>>> Because, all windows logings now using COMPUTERNAME\username
>>>> localy. So if you enter "username" for the PDC login
it passes
>>>> "
>>> COMPUTERNAME\username" to samba most probely.
>>>> I hope above helps you a bit, but as far i can see above is
>>> only a configuration issue.
>>>> You need to review the config and setup for security=domain.
>>> The OP is running Samba as a PDC, so 'security = user' is
>>> probably okay,
>>> but I would remove it entirely and let Samba decide what it
>>> should be ;-)
>>>
>>> What is missing is 'unix password sync = yes'
>>>
>>> If this was a Unix client, then you would need 'security
>>> domain' and
>>> run winbind, but it is a PDC using tdbsam, so you probably
>>> don't. I say
>>> this because I haven't run a PDC for sometime and would urge
>>> the OP to
>>> upgrade to AD.
>>>
>>> Rowland
>>>
> Thanks to both, but at the end which is the best way to reconfigure my
> server without loose all my Windows machines?
> If I put security = domain I'm unable to login.
> security = ADS require kerberos and a lot of work, and at the end I'm
> not sure that all my windows machines will works fine.
>
> In my laboratory there are many windows 10 machines, the server shares
> a lot of folders and I can't afford not to let a lot of people work to
> do my tests.
>
> I'm a bit confusing
The first thing I would do, start winbind if it isn't already running.

If you run an NT4-style PDC, then any Linux clients need to use 
'security = domain' and run winbind, Louis says this is also required on
the PDC, but I am not entirely sure this is correct, I don't remember 
doing this.

You only use 'security = ADS' on a Unix computer joined to an AD domain 
and adding it to a Unix client joined to an NT4-style domain will not 
make it an AD client.

If you only have Windows clients then I suggest you upgrade to AD, which 
your Windows 10 machines will work better with.

It is normal to set up a sandboxed network to test the upgrade, this way 
you can find and fix any problems before you do it for real on your 
production network.

Rowland

Thanks for the suggestions. When I'll can go to work I'll start to test
the
Ad solution. All my clients are Windows and the only things I need is the 
client authentication and permit to some user to access to some shared 
folders from the server.

Have you some tutorials/books to help me to configure everything?

Thanks again
-----------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer


CERM - Polo Scientifico
via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
-----------------------------------------------------------

In data 28 aprile 2020 1:09:46 PM Rowland penny via samba 
<samba at lists.samba.org> ha scritto:
> On 28/04/2020 11:51, Enrico Morelli via samba wrote:
>> On Tue, 28 Apr 2020 12:31:09 +0200
>> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
>>
>>> Hai Rowland,
>>>
>>> Well, its based on that i have here.
>>> I run still a mixed setup here. ( 2 different domains )
>>>
>>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>>> 4.11.7 as AD-DC's (buster) DOMAINB
>>>
>>> All my windows clients login through AD-DC. (DOMAINB\username)
>>> I use the "Passthrough" auth for the shares on the PDC.
>>> (DOMAINA\username) I use GPO's to set the correct domain to
pass..
>>> And %username% for the usersnames
>>>
>>> 0 problems here with windows 10 and my "PDC" is set with
security >>> domain.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>>> Rowland penny via samba
>>>> Verzonden: dinsdag 28 april 2020 12:10
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect
password
>>>>
>>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>>> Sure, i have a suggestion.
>>>>>
>>>>> security = user ? In samba 4.9.x ?  And using domain
logings??
>>>>>
>>>>> Run man smb.conf
>>>>> Search : security >>>>>
>>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you
see it.
>>>>>
>>>>> Then goto : map to guest (G)
>>>>> Read that.
>>>>>
>>>>> Then goto : security (G)
>>>>> And read that also.
>>>>>
>>>>> I think you didnt read the complete changelog between 4.5.x
>>>> and 4.9.x also ;-)
>>>>>
>>>>>>> To be able to loing, I've to select Other User,
enter username
>>>>>>> and password and all works fine. But if I logout
and enter the
>>>>>>> same password, Windows tells me "Incorrect
password".
>>>>> If you do that, your typing DOM\username ? Or only
"username"
>>>>>
>>>>> Because, all windows logings now using
COMPUTERNAME\username
>>>>> localy. So if you enter "username" for the PDC
login it passes
>>>>> "
>>>> COMPUTERNAME\username" to samba most probely.
>>>>> I hope above helps you a bit, but as far i can see above is
>>>> only a configuration issue.
>>>>> You need to review the config and setup for
security=domain.
>>>> The OP is running Samba as a PDC, so 'security = user'
is
>>>> probably okay,
>>>> but I would remove it entirely and let Samba decide what it
>>>> should be ;-)
>>>>
>>>> What is missing is 'unix password sync = yes'
>>>>
>>>> If this was a Unix client, then you would need 'security
>>>> domain' and
>>>> run winbind, but it is a PDC using tdbsam, so you probably
>>>> don't. I say
>>>> this because I haven't run a PDC for sometime and would
urge
>>>> the OP to
>>>> upgrade to AD.
>>>>
>>>> Rowland
>>>>
>> Thanks to both, but at the end which is the best way to reconfigure my
>> server without loose all my Windows machines?
>> If I put security = domain I'm unable to login.
>> security = ADS require kerberos and a lot of work, and at the end
I'm
>> not sure that all my windows machines will works fine.
>>
>> In my laboratory there are many windows 10 machines, the server shares
>> a lot of folders and I can't afford not to let a lot of people work
to
>> do my tests.
>>
>> I'm a bit confusing
>
> The first thing I would do, start winbind if it isn't already running.
>
> If you run an NT4-style PDC, then any Linux clients need to use
> 'security = domain' and run winbind, Louis says this is also
required on
> the PDC, but I am not entirely sure this is correct, I don't remember
> doing this.
>
> You only use 'security = ADS' on a Unix computer joined to an AD
domain
> and adding it to a Unix client joined to an NT4-style domain will not
> make it an AD client.
>
> If you only have Windows clients then I suggest you upgrade to AD, which
> your Windows 10 machines will work better with.
>
> It is normal to set up a sandboxed network to test the upgrade, this way
> you can find and fix any problems before you do it for real on your
> production network.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 29/04/2020 11:46, Enrico Morelli via samba wrote:
> Thanks for the suggestions. When I'll can go to work I'll start to 
> test the Ad solution. All my clients are Windows and the only things I 
> need is the client authentication and permit to some user to access to 
> some shared folders from the server.
>
> Have you some tutorials/books to help me to configure everything?
We have an entire wiki ;-)

see here:

https://wiki.samba.org/index.php/Main_Page

Any questions, ask here.

Rowland