On 20/08/2020 14:32, admin at prawda.net.pl wrote:
> Debug:
>
> Collected config --- 2020-08-20-15:28 -----------
>
> Hostname: debian
> DNS Domain: prawda.local
A bit late now, but it would have been better to use something like
'ad.prawda.net.pl' for your DNS domain.
> FQDN: debian.prawda.local
> ipaddress: 192.168.0.92 192.168.10.92
You have two IPs, you need to ensure that Samba only uses
192.168.0.92
>
> -----------
>
> Kerberos SRV _kerberos._tcp.prawda.local record verified ok, sample output:
> Server: 192.168.0.92
> Address: 192.168.0.92#53
>
> _kerberos._tcp.prawda.local service = 0 100 88 debian.prawda.local.
> Samba is running as an AD DC
Any chance you could run at least another DC and a separate fileserver?
> -----------
>
>
> This computer is running Debian 10.4 x86_64
I think I already said this, but I would stop compiling Samba yourself
and use Louis's repo: http://apt.van-belle.nl/
>
> -----------
> running command : ip a
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether ca:d8:84:e0:22:77 brd ff:ff:ff:ff:ff:ff
> inet 192.168.0.92/24 brd 192.168.0.255 scope global eth0
> inet6 fe80::c8d8:84ff:fee0:2277/64 scope link
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 32:c0:95:d5:de:50 brd ff:ff:ff:ff:ff:ff
> inet 192.168.10.92/24 brd 192.168.10.255 scope global eth1
> inet6 fe80::30c0:95ff:fed5:de50/64 scope link
Two network interfaces, you need to get Samba to only use one, add to
smb.conf:
interfaces = eth0
bind interfaces only = yes
>
> -----------
> Checking file: /etc/hosts
>
> 127.0.0.1 localhost
> 192.168.0.92 debian.prawda.local debian
>
> 192.168.0.94 magazyn.prawda.net.pl
Remove the '192.168.0.94' line, it isn't in the AD dns
domain
> Checking file: /usr/local/samba/etc/smb.conf
>
> # Global parameters
> [global]
> # smb ports = 139
> workgroup = PRAWDA
> realm = PRAWDA.LOCAL
> netbios name = DEBIAN
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
> log level = 10
> # log level = 2 passdb:5 auth:5
> log file = /var/log/samba/samba.log.%m
> max log size = 50
> debug timestamp = yes
> # server max protocol = nt1
> min protocol = SMB2
> ntlm auth = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/prawda.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> [profiles]
> comment = Network Profiles Service
> path = /mnt/profile/profiles
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
>
> [INSTALKI]
> path = /mnt/profile/instalki
> comment = INSTALKI
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [DOKUMENTACJE]
> path = /mnt/profile/dokumentacje
> comment = DOKUMENTACJE
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [ECO-DOKUMENTACJE]
> path = /mnt/profile/eco-dokumentacje
> comment = ECO-DOKUMENTACJE
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [GOSCIE]
> path = /mnt/profile/goscie
> comment = goscie
> read only = No
> create mode = 0777
> directory mode = 0777
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [JAKOSC]
> path = /mnt/profile/jakosc
> comment = JAKOSC
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [NICELABEL]
> path = /mnt/profile/nicelabel
> comment = NICELABEL
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KADRY]
> path = /mnt/profile/kadry
> comment = KADRY
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [SPRZEDAZ]
> path = /mnt/profile/sprzedaz
> comment = SPRZEDAZ
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [SORTOWNIA]
> path = /mnt/profile/sortownia
> comment = SORTOWNIA
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KSIEGOWOSC]
> path = /mnt/profile/ksiegowosc
> comment = KSIEGOWOSC
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [UR]
> path = /mnt/profile/ur
> comment = UR
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [NORMOWANIE]
> path = /mnt/profile/normowanie
> comment = NORMOWANIE
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [LEAN]
> path = /mnt/profile/lean
> comment = LEAN
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [KONTROLING]
> path = /mnt/profile/kontroling
> comment = KONTROLING
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
>
> [ECO-PROGRES]
> path = /mnt/profile/eco-progres
> comment = ECO_PROGRES
> read only = No
> create mode = 0600
> directory mode = 0700
> hosts allow = 192.168.0.0/16,10.0.0.0/8
It is not recommended to use a Samba DC as a fileserver, for numerous
reasons, most of which you have broken, plus your users will be unknown
to the shares because you do not have 'winbind' in the 'passwd' &
'group' lines in /etc/nsswitch.conf
>
>
>
> Detected bind DLZ enabled..
>
> Checking file: /etc/bind/named.conf.options
>
> options {
> directory "/var/cache/bind";
> forwarders {
> 8.8.4.4;
> 8.8.8.8;
> };
> dnssec-validation auto;
That should be 'no'
>
> auth-nxdomain no; # conform to RFC1035
That should be 'yes'
> listen-on port 53 { any; };
> allow-query { any; };
> listen-on-v6 { any; };
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
I think you may find that is now
'/usr/local/samba/bind-dns/dns.keytab'
> };
>
> -----------
>
> Checking file: /etc/bind/named.conf.local
>
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
> include "/usr/local/samba/private/named.conf";
Again, that is probably now
'/usr/local/samba/bind-dns/named.conf'
>
> -----------
>
> Checking file: /etc/bind/named.conf.default-zones
>
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> zone "prawda.net.pl" {
> type master;
> file "/etc/bind/slave/prawda.net.pl.root";
> allow-query { any; };
> };
Whilst there isn't anything stopping you having 'prawda.net.pl' in your
AD dns, it isn't recommended either.
> -----------
>
> Samba DNS zone list: 6 zone(s) found
>
> pszZoneName : prawda.local
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.prawda.local
>
> pszZoneName : 11.10.10.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.prawda.local
>
> pszZoneName : 30.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.prawda.local
Where do the two reverse zones come into AD?
>
> pszZoneName : 0.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.prawda.local
>
> pszZoneName : 10.168.192.in-addr.arpa
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.prawda.local
That one looks like the reverse zone for
'prawda.net.pl'
>
> pszZoneName : _msdcs.prawda.local
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT
> DNS_DP_ENLISTED
> pszDpFqdn : ForestDnsZones.prawda.local
>
> Samba DNS zone list Automated check :
> zone : prawda.local ok, no Bind flat-files found
> -----------
> zone : 11.10.10.in-addr.arpa ok, no Bind flat-files found
> -----------
> zone : 30.168.192.in-addr.arpa ok, no Bind flat-files found
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
> This is not allowed, you must remove them.
> Conflicting zone name : 0.168.192.in-addr.arpa
> File in question is :
> /etc/bind/0.168.192.in-addr.arpa:0.168.192.in-addr.arpa. IN
> NS ns1.yournameserver.com.
> /etc/bind/0.168.192.in-addr.arpa:0.168.192.in-addr.arpa. IN
> NS ns2.yournameserver.com.
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
> This is not allowed, you must remove them.
> Conflicting zone name : 10.168.192.in-addr.arpa
> File in question is :
> -----------
>
> ERROR: AD DC zones found in the Bind flat-files
> This is not allowed, you must remove them.
> Conflicting zone name : _msdcs.prawda.local
> File in question is :
> -----------
You appear to be using named flat files as well as them being in AD, if
so, this is not allowed.
Rowland
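As an added example (not from Rowland's reply, the poster, or the Samba project), a small Python lint that checks the configuration points raised in the reply against constructed copies of the quoted files: a multi-homed DC needs 'interfaces' and 'bind interfaces only = yes', shares beyond netlogon and sysvol mean the DC is also acting as a fileserver, winbind must appear on the passwd and group lines of nsswitch.conf, and the two named.conf.options values should be 'no' and 'yes'. The excerpts, the nsswitch contents and the share list are assumptions built from the quoted output.

```python
import configparser
import re
# Constructed excerpt of the quoted smb.conf: [global] plus two of its shares.
SMB_CONF = """[global]
server role = active directory domain controller
[sysvol]
path = /usr/local/samba/var/locks/sysvol
[KADRY]
path = /mnt/profile/kadry
"""
# Constructed nsswitch.conf without winbind, the state the reply describes.
NSSWITCH = "passwd: files systemd\ngroup:  files systemd\nhosts:  files dns\n"
# Constructed excerpt of the quoted named.conf.options.
NAMED_OPTS = "options {\n  dnssec-validation auto;\n  auth-nxdomain no;\n};\n"
DC_ONLY_SECTIONS = {"global", "netlogon", "sysvol"}  # anything else is a file share

def lint_smb_conf(text, ip_count):
    """Findings for a DC's smb.conf; ip_count is the host's address count."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    g = cp["global"]
    out = []
    if ip_count > 1 and "interfaces" not in g:
        out.append("multi-homed DC: set 'interfaces' to the AD NIC")
    if ip_count > 1 and g.get("bind interfaces only", "no").lower() != "yes":
        out.append("multi-homed DC: set 'bind interfaces only = yes'")
    extra = sorted(s for s in cp.sections() if s.lower() not in DC_ONLY_SECTIONS)
    if extra:
        out.append("DC also serves file shares: " + ", ".join(extra))
    return out

def lint_nsswitch(text):
    """Domain users stay unknown unless passwd and group both list winbind."""
    return [f"nsswitch '{db}' lacks winbind" for db in ("passwd", "group")
            if not re.search(rf"^{db}:.*\bwinbind\b", text, re.M)]

def lint_named_options(text):
    """The two named.conf.options values corrected in the reply."""
    wanted = {"dnssec-validation": "no", "auth-nxdomain": "yes"}
    out = []
    for key, good in wanted.items():
        m = re.search(rf"^\s*{key}\s+(\S+?);", text, re.M)
        actual = m.group(1) if m else "(unset)"
        if actual != good:
            out.append(f"{key} is {actual}, should be {good}")
    return out

if __name__ == "__main__":
    print(*lint_smb_conf(SMB_CONF, 2), *lint_nsswitch(NSSWITCH),
          *lint_named_options(NAMED_OPTS), sep="\n")
```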