Jiří Černý
2020-Nov-20 13:45 UTC
[Samba] winbind use default domain = yes doesn't work on Samba 4.13?
Yes.
In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL, as you can see in smb.conf.

[global]
netbios name = fs0001
workgroup = SVMETAL
security = ADS
realm = SAMDOM.SVMETAL.CZ
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
acl allow execute always = True
idmap config *:backend = tdb
idmap config *:range = 70001-99999
idmap config SVMETAL:backend = ad
idmap config SVMETAL:schema_mode = rfc2307
idmap config SVMETAL:range = 500-40000
#for legacy reasons
idmap config SVMETAL:unix_nss_info = yes
idmap config SVMETAL:unix_primary_group = yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind refresh tickets = Yes
log level = 2
max log size = 1024000
map to guest = bad user
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#Enable SMB1
ntlm auth = yes
server min protocol = LANMAN1
allow insecure wide links = yes
map acl inherit = Yes
store dos attributes = Yes
vfs objects = full_audit acl_xattr btrfs
vfs_full_audit:prefix = %U|%I|%M|%S
full_audit:success = unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local5
full_audit:priority = NOTICE
#BTRFS log errors workaround
get quota command = /etc/samba/samba-btrfs-quota.sh

#Shares
[Company]
path = /home/samba/fs0001/Company
read only = no
follow symlinks = yes
wide links = yes
vfs objects = full_audit acl_xattr recycle btrfs
recycle:repository = .recycle/%U
recycle:touch = Yes
recycle:keeptree = Yes
recycle:versions = Yes
recycle:directory_mode = 0777
recycle:subdir_mode = 0700
recycle:noversions *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP,*.db,.~lock*,$*,~$*
recycle:exclude *.tmp,*.temp,*.o,*.obj,*.TMP,*.TEMP,*.db,.~lock*,$*,~$*
recycle:excludedir = /recycle,/tmp,/temp,/TMP,/TEMP

Thanks
Jiri

>>> Rowland penny <rpenny at samba.org> 19.11.2020 16:26 >>>
On 19/11/2020 15:02, Jiří Černý via samba wrote:
> Hello everybody.
>
> I just upgraded our Fedora fileserver to version 30, which has Samba
> 4.13.2.
>
> So, we have user dmu60evo in our domain, but on client machine, we are
> not able to use username in format DOMAIN\dmu60evo. So we have to use
> winbind use default domain = yes.

Please post your smb.conf

Rowland
Rowland penny
2020-Nov-20 14:34 UTC
[Samba] winbind use default domain = yes doesn't work on Samba 4.13?
On 20/11/2020 13:45, Jiří Černý via samba wrote:
> Yes.
> In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL,
> as you can see in smb.conf.

OK, 4.13.2 with 'winbind use default domain = yes' works for myself and there isn't anything really wrong with your smb.conf, but there was this:

So, we have user dmu60evo in our domain, but on client machine, we are not able to use username in format DOMAIN\dmu60evo. So we have to use winbind use default domain = yes.

Why can you not use 'DOMAIN\dmu60evo'? Is dmu60evo a local Unix user as well as being in AD?

Rowland
Jiří Černý
2020-Nov-23 11:46 UTC
[Samba] winbind use default domain = yes doesn't work on Samba 4.13?
Hello, Rowland.

Yes, the user is present in the domain. I can't say if there is a local account with the same name on the machine. The machine is a CNC milling machine with some linux/unix PC inside. We can set only the path to the share and the credentials, and only via GUI. It's hard to debug in this environment.

So I have only log.smbd on the fileserver.

Before upgrade, log entries were:

[2020/09/29 05:43:26.537994, 2] ../../source3/auth/auth.c:310(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dmu60evo] -> [dmu60evo] -> [DOMAIN\dmu60evo] succeeded

After upgrade, with dmu60evo at DOMAIN:

[2020/11/23 05:39:22.764641, 2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dmu60evo at DOMAIN] -> [dmu60evo at DOMAIN] -> [DOMAIN\dmu60evo] succeeded

I also tried DOMAIN\\dmu60evo with the same results.

So it looks good. But it doesn't work -> the machine operator can't browse files on the share.

Maybe it's just a Fedora problem. I'll try to deploy a CentOS fileserver with sernet-samba packages and test with the same smb.conf.

Jiri

>>> Rowland penny <rpenny at samba.org> 20.11.2020 15:34 >>>
On 20/11/2020 13:45, Jiří Černý via samba wrote:
> Yes.
> In the first name, I wrote DOMAIN, but our real workgroup is SVMETAL,
> as you can see in smb.conf.

OK, 4.13.2 with 'winbind use default domain = yes' works for myself and there isn't anything really wrong with your smb.conf, but there was this:

So, we have user dmu60evo in our domain, but on client machine, we are not able to use username in format DOMAIN\dmu60evo. So we have to use winbind use default domain = yes.

Why can you not use 'DOMAIN\dmu60evo'? Is dmu60evo a local Unix user as well as being in AD?

Rowland
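
An added example, not part of the original thread or of Samba: a small Python parser for the level-2 check_ntlm_password entries quoted above. It groups successful logins by the account they resolved to, so the name forms a client actually sent can be compared across an upgrade. The function names and the sample text are assumptions made for this illustration; the sample copies the name forms exactly as the archive renders them.

```python
import re
from collections import defaultdict

# Header line written before each message, e.g.
# [2020/11/23 05:39:22.764641, 2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")

# Message line in the form quoted in the thread:
# [name as sent] -> [name after mapping] -> [resolved account] succeeded
AUTH_OK = re.compile(
    r"check_ntlm_password:\s+authentication for user "
    r"\[(?P<supplied>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] -> "
    r"\[(?P<resolved>[^\]]*)\] succeeded"
)

def parse_auth_events(text):
    """Return one dict per successful check_ntlm_password entry."""
    events, ts = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ts = header.group("ts")  # timestamp applies to the next message line
            continue
        match = AUTH_OK.search(line)
        if match:
            events.append({"time": ts, **match.groupdict()})
    return events

def supplied_forms(events):
    """Map each resolved account to the set of name forms clients sent for it."""
    forms = defaultdict(set)
    for event in events:
        forms[event["resolved"]].add(event["supplied"])
    return dict(forms)

# Constructed sample, modelled on the two log entries quoted in the message above.
SAMPLE = r"""
[2020/09/29 05:43:26.537994, 2] ../../source3/auth/auth.c:310(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dmu60evo] -> [dmu60evo] -> [DOMAIN\dmu60evo] succeeded
[2020/11/23 05:39:22.764641, 2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dmu60evo at DOMAIN] -> [dmu60evo at DOMAIN] -> [DOMAIN\dmu60evo] succeeded
"""

if __name__ == "__main__":
    for account, forms in supplied_forms(parse_auth_events(SAMPLE)).items():
        print(account, "<-", sorted(forms))
```

If every name form resolves to the same account and is logged as succeeded, as here, the remaining fault lies after authentication rather than in the name mapping.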