Try it again with adding in [Global]

min domain uid = 0

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Thibault Roulet via samba
> Sent: Tuesday 5 April 2022 14:05
> To: samba at lists.samba.org
> Subject: [Samba] AD Member setup broken after samba upgrade
>
> Hi all,
>
> I'm a bit lost in a samba setup which turned bad after an upgrade
> Everything was working fine when running samba 2:4.13.5+dfsg-2 and it
> broke my setup after upgrade to 2:4.13.13+dfsg-1~deb11u3
>
> The server is running an up to date debian stable and configured as a
> domain member only.
> - samba 4.13.13+dfsg-1~deb11u3
> - winbind 4.13.13+dfsg-1~deb11u3
> - libnss-winbind 4.13.13+dfsg-1~deb11u3
>
> Kerberos is correctly configured and the machine has been linked to the
> domain using net ads join.
>
> All the domain controllers of the domain are running Windows Server.
>
>
> ## SMB conf file ##
>
> [global]
>     client signing = required
>     deadtime = 30
>     dedicated keytab file = /etc/krb5.keytab
>     disable spoolss = Yes
>     dns proxy = No
>     domain master = No
>     kerberos method = secrets and keytab
>     load printers = No
>     local master = No
>     log file = /var/log/samba/log.%I
>     max log size = 3000
>     panic action = /usr/share/samba/panic-action %d
>     password server = AD1.DOMAIN.MYDOMAIN.ORG
>     realm = DOMAIN.MYDOMAIN.ORG
>     security = ADS
>     server min protocol = SMB2
>     server signing = required
>     server string = srv.MYDOMAIN.ORG
>     template homedir = /home/%U
>     template shell = /bin/bash
>     username map = /etc/samba/smbusers
>     username map script = /bin/echo
>     usershare allow guests = Yes
>     winbind use default domain = Yes
>     wins server = 123.123.1.2
>     workgroup = DOMAIN
>     idmap config DOMAIN:unix_primary_group = no
>     idmap config DOMAIN:unix_nss_info = no
>     idmap config DOMAIN:range = 9000 - 90000000
>     idmap config DOMAIN:backend = ad
>     idmap config INTRANET:schema_mode = rfc2307
>     idmap config * : range = 3000 - 8500
>     idmap config * : backend = tdb
>     hosts allow = 123.123. 127. 10.95.
>
>
> ## nsswitch.conf ##
> passwd:         compat winbind ldap systemd
> group:          compat winbind ldap systemd
>
>
> ## SMB LOGS ##
>
> When connecting the share using a windows or linux, I have this result
> and can't enter the shared folder.
>
> [2022/04/05 13:18:28.795040,  3] ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
>   Got user=[myuser] domain=[mydomain] workstation=[machine] len1=0 len2=142
> [2022/04/05 13:18:28.800143,  3] ../../source3/auth/user_util.c:353(map_username)
>   Mapped user myuser to myuser
> [2022/04/05 13:18:28.800228,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [mydomain]\[myuser]@[machine] with the new password interface
> [2022/04/05 13:18:28.800254,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [mydomain]\[myuser]@[machine]
> [2022/04/05 13:18:28.810026,  3] ../../source3/auth/user_util.c:353(map_username)
>   Mapped user mydomain\myuser to mydomain\myuser
> [2022/04/05 13:18:28.810155,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
>   auth_check_ntlm_password: winbind authentication for user [myuser]
> succeeded
> [2022/04/05 13:18:28.810264,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022
> 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
> [machine] remote host [ipv4:123.123.157.16:50120] became
> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
> local host [ipv4:123.123.241.3:445]
>   {"timestamp": "2022-04-05T13:18:28.810420+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status":
> "NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445",
> "remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription":
> "SMB2", "authDescription": null, "clientDomain": "mydomain",
> "clientAccount": "myuser", "workstation": "machine", "becameAccount":
> "myuser", "becameDomain": "mydomain", "becameSid":
> "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount":
> "myuser", "mappedDomain": "mydomain", "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv2", "duration": 16317}}
> [2022/04/05 13:18:28.810490,  2] ../../source3/auth/auth.c:323(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [myuser] -> [myuser] ->
> [mydomain\myuser] succeeded
>
> [2022/04/05 13:18:28.812094,  3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2022/04/05 13:18:28.812115,  3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088235
> [2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
>   sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
> [2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at
> ../../source3/smbd/smb2_sesssetup.c:146
>
> ==> log.wb-mydomain <==
> [2022/04/05 13:18:28.801106,  3] ../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
>   [ 7141]: pam auth crap domain: mydomain user: myuser
> [2022/04/05 13:18:28.804698,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>   Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at
> [Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status
> [NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became
> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
> local host [unix:]
>   {"timestamp": "2022-04-05T13:18:28.804766+0200", "type":
> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> 2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3,
> "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress":
> "unix:", "serviceDescription": "winbind", "authDescription":
> "NTLM_AUTH, smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser",
> "workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain":
> "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182",
> "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null,
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> "passwordType": "NTLMv2", "duration": 3685}}
>
> I did a lot of tests and could finally "fix" the issue by switching
>     idmap config DOMAIN:backend = ad
> to
>     idmap config DOMAIN:backend = rid
>
> But then it obviously killed all my UID/GID mappings.
>
> I can't understand what's wrong in this setup and why the AD backend is
> suddenly not working after this smb upgrade. When I roll back to the
> prior version, everything comes back as normal.
>
> It looks like I have the same issue on a CentOS 7 server where I could
> roll back samba before finding a working solution.
>
> Any advice would be nice, thanks in advance!
>
> --
>
> Thibault
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hi,

It's not working either.

Best

On 4/5/22 14:41, L.P.H. van Belle via samba wrote:
> Try it again with adding in [Global]
>
> min domain uid = 0

--
Thibault Roulet
Linux system engineer
EPFL - ISIC-GE - BCH 1212
T: +41 21 69 39397

Hai,

Then .. I would like to see the complete config.
Can you run this script and post the content to the list.
Anonymize where needed.

https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

All I can see that's off in logs is this part.

> >> [2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
> >>   sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
> >> [2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
> >>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> >> status[NT_STATUS_LOGON_FAILURE] || at
> >> ../../source3/smbd/smb2_sesssetup.c:146

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Thibault Roulet via samba
> Sent: Tuesday 5 April 2022 15:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Member setup broken after samba upgrade
>
> Hi,
>
> It's not working either.
>
> Best
>
> On 4/5/22 14:41, L.P.H. van Belle via samba wrote:
> > Try it again with adding in [Global]
> >
> > min domain uid = 0
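
Added example, not part of the thread and not Samba project code: a small parser for the smbd log format quoted above that reports logons where authentication succeeded but session setup still ended in NT_STATUS_LOGON_FAILURE after a failed SID-to-ID mapping, which is the pattern in the excerpt Louis singles out. The sample lines are constructed from that excerpt, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample in smbd's log format, modelled on the excerpt quoted above.
SAMPLE_LOG = """\
[2022/04/05 13:18:28.810155,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [myuser] succeeded
[2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
  sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/04/05 13:20:02.100000,  3] ../../source3/auth/auth.c:267(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [other] succeeded
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\]\s+\S+:\d+\((?P<func>\w+)\)\s*$"
)
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\] succeeded")
MAP_FAIL = re.compile(r"\b(sid_to_[ug]id)\((S-1-[\d-]+)\) failed")
LOGON_FAILURE = "status[NT_STATUS_LOGON_FAILURE]"
# Well-known domain-relative RIDs, used only as a hint in the report.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}


@dataclass
class MappingFailure:
    ts: str
    user: str
    call: str
    sid: str
    rid: int
    rid_name: str


def parse_records(text):
    """Return [ts, func, message] per record; message lines are joined."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["ts"], m["func"], ""])
        elif records and line.strip():
            # Continuation (or mail-wrapped) line belongs to the open record.
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return records


def find_mapping_failures(records):
    """Assumption: records come from one per-client log file, in order."""
    findings, user, pending = [], None, []
    for ts, _func, msg in records:
        if (m := AUTH_OK.search(msg)):
            user, pending = m[1], []
        elif (m := MAP_FAIL.search(msg)):
            pending.append((ts, m[1], m[2]))
        elif LOGON_FAILURE in msg:
            for fail_ts, call, sid in pending:
                rid = int(sid.rsplit("-", 1)[1])
                findings.append(MappingFailure(
                    fail_ts, user or "?", call, sid, rid,
                    WELL_KNOWN_RIDS.get(rid, "unknown")))
            user, pending = None, []
    return findings


if __name__ == "__main__":
    for f in find_mapping_failures(parse_records(SAMPLE_LOG)):
        print(f"{f.ts} user={f.user} authenticated, but {f.call} failed for "
              f"{f.sid} (RID {f.rid}, {f.rid_name})")
```

On the member server itself, `wbinfo --sid-to-gid <SID>` asks winbind for the same mapping that the log shows failing.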