samba - Mar 2021 - winbind use default domain problem after upgrade

On 03/03/2021 16:10, Perttu Aaltonen via samba wrote:
> After upgrading a file server from Ubuntu 19.10 with Samba 4.10.5 to Ubuntu
20.04 with Samba 4.13.2, "winbind use default domain? doesn?t seem to work
anymore.
>
> I went through the release notes in between but nothing stood out for me
that would require a configuration change.
>
> Before the upgrade:
> [2021/02/23 20:05:31.553745,  3]
../../auth/auth_log.c:629(log_authentication_event_human_readable)
>    Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:05:31.553731
EET] with [NTLMv1] status [NT_STATUS_OK] workstation [192.168.0.11] remote host
[ipv4:192.168.0.11:53784] became [DOMAIN]\[user] [SID redacted]. local host
[ipv4:192.168.0.10:445]
>
> After the upgrade:
> [2021/02/23 20:19:04.581131,  2]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
>    Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021 20:19:04.581108
EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation [192.168.0.11]
remote host [ipv4:192.168.0.11:49792] mapped to []\[user]. local host
[ipv4:192.168.0.12:445]
>
> Do I need to change something in the configuration or have I hit some kind
of bug?
>
> Thanks!

Strange, it works for myself (not that it helps you)

Can you give us a bit more info, What is the AD DC ?

Why are you still using SMBv1 ?

Please post your smb.conf

Rowland

> On 3 Mar 2021, at 18.49, Rowland penny via samba <samba at
lists.samba.org> wrote:
> 
> On 03/03/2021 16:10, Perttu Aaltonen via samba wrote:
>> After upgrading a file server from Ubuntu 19.10 with Samba 4.10.5 to
Ubuntu 20.04 with Samba 4.13.2, "winbind use default domain? doesn?t seem
to work anymore.
>> 
>> I went through the release notes in between but nothing stood out for
me that would require a configuration change.
>> 
>> Before the upgrade:
>> [2021/02/23 20:05:31.553745,  3]
../../auth/auth_log.c:629(log_authentication_event_human_readable)
>>   Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021
20:05:31.553731 EET] with [NTLMv1] status [NT_STATUS_OK] workstation
[192.168.0.11] remote host [ipv4:192.168.0.11:53784] became [DOMAIN]\[user] [SID
redacted]. local host [ipv4:192.168.0.10:445]
>> 
>> After the upgrade:
>> [2021/02/23 20:19:04.581131,  2]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
>>   Auth: [SMB,(null)] user []\[user] at [Tue, 23 Feb 2021
20:19:04.581108 EET] with [NTLMv1] status [NT_STATUS_NO_SUCH_USER] workstation
[192.168.0.11] remote host [ipv4:192.168.0.11:49792] mapped to []\[user]. local
host [ipv4:192.168.0.12:445]
>> 
>> Do I need to change something in the configuration or have I hit some
kind of bug?
>> 
>> Thanks!
> 
> 
> Strange, it works for myself (not that it helps you)
> 
> Can you give us a bit more info, What is the AD DC ?
> 
> Why are you still using SMBv1 ?
> 
> Please post your smb.conf
> 
> Rowland
Hi Rowland,

The DC is still an old Samba 4.1.9 in Debian 7. We are waiting for either a
decision to upgrade it or move to a cloud DC, in which case we will just
decommission it. Has been working fine though up until now. It?s just a user
directory, nothing fancy like GPO.

SMBv1 is for certain legacy clients, like the Supermicro IPMI virtual media
where I ran into this problem in the first place. I asked Supermicro support if
they have any fixes for this in newer firmware releases, but they just replied
that it?s not tested or supported with Samba. Their web UI doesn?t even allow
the \ character so it?s not possible to include the domain in the user name.

The config is below. Some of it is from a previous admin so might include
redundant or unnecessary options for current releases.

Thanks,
Perttu

??

# Global parameters
[global]
	allow trusted domains = No
	dns proxy = No
	domain master = No
	load printers = No
	local master = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	pam password change = Yes
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	preferred master = No
	realm = DOMAIN.COM
	security = ADS
	server min protocol = NT1
	server string = %h server (Samba, Ubuntu)
	syslog = 0
	template homedir = /home/%U
	template shell = /bin/sh
	unix extensions = No
	unix password sync = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = DOMAIN
	rpc_server:mdssvc = embedded
	streams_xattr:store_stream_type = no
	streams_xattr:prefix = user.
	fruit:delete_empty_adfiles = yes
	fruit:wipe_intentionally_left_blank_rfork = yes
	fruit:zero_file_id = yes
	fruit:posix_rename = yes
	fruit:veto_appledouble = yes
	fruit:model = Xserve
	fruit:locking = netatalk
	fruit:encoding = native
	fruit:metadata = netatalk
	fruit:resource = file
	fruit:copyfile = yes
	fruit:nfs_aces = no
	readdir_attr:aapl_max_access = yes
	readdir_attr:aapl_finder_info = yes
	readdir_attr:aapl_rsize = yes
	fruit:aapl = yes
	idmap config DOMAIN: range = 20000-20000000
	idmap config *:range = 90000000-100000000
	idmap config DOMAIN: backend = rid
	idmap config * : backend = tdb
	access based share enum = Yes
	delete veto files = Yes
	inherit permissions = Yes
	strict locking = No
	use sendfile = Yes
	veto oplock files = /.*rvt/
	vfs objects = catia fruit streams_xattr


[SERVER]
	path = /zpool/shares/SERVER
	read only = No