Hi,
It's not working either.
Best
On 4/5/22 14:41, L.P.H. van Belle via samba wrote:
> Try it again after adding in [Global]:
>
> min domain uid = 0
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Thibault Roulet via samba
>> Sent: Tuesday, 5 April 2022 14:05
>> To: samba at lists.samba.org
>> Subject: [Samba] AD Member setup broken after samba upgrade
>>
>> Hi all,
>>
>> I'm a bit lost in a samba setup which turned bad after an upgrade.
>> Everything was working fine when running samba 2:4.13.5+dfsg-2, and it
>> broke my setup after the upgrade to 2:4.13.13+dfsg-1~deb11u3.
>>
>> The server is running an up to date debian stable and configured as a
>> domain member only.
>> - samba 4.13.13+dfsg-1~deb11u3
>> - winbind 4.13.13+dfsg-1~deb11u3
>> - libnss-winbind 4.13.13+dfsg-1~deb11u3
>>
>> Kerberos is correctly configured and the machine has been linked to the
>> domain using net ads join.
>>
>> All the domain controllers of the domain are running Windows Server.
>>
>>
>> ## SMB conf file ##
>>
>> [global]
>>     client signing = required
>>     deadtime = 30
>>     dedicated keytab file = /etc/krb5.keytab
>>     disable spoolss = Yes
>>     dns proxy = No
>>     domain master = No
>>     kerberos method = secrets and keytab
>>     load printers = No
>>     local master = No
>>     log file = /var/log/samba/log.%I
>>     max log size = 3000
>>     panic action = /usr/share/samba/panic-action %d
>>     password server = AD1.DOMAIN.MYDOMAIN.ORG
>>     realm = DOMAIN.MYDOMAIN.ORG
>>     security = ADS
>>     server min protocol = SMB2
>>     server signing = required
>>     server string = srv.MYDOMAIN.ORG
>>     template homedir = /home/%U
>>     template shell = /bin/bash
>>     username map = /etc/samba/smbusers
>>     username map script = /bin/echo
>>     usershare allow guests = Yes
>>     winbind use default domain = Yes
>>     wins server = 123.123.1.2
>>     workgroup = DOMAIN
>>     idmap config DOMAIN:unix_primary_group = no
>>     idmap config DOMAIN:unix_nss_info = no
>>     idmap config DOMAIN:range = 9000 - 90000000
>>     idmap config DOMAIN:backend = ad
>>     idmap config INTRANET:schema_mode = rfc2307
>>     idmap config * : range = 3000 - 8500
>>     idmap config * : backend = tdb
>>     hosts allow = 123.123. 127. 10.95.
>>
>>
>> ## nsswitch.conf ##
>> passwd:         compat winbind ldap systemd
>> group:          compat winbind ldap systemd
>>
>>
>> ## SMB LOGS ##
>>
>> When connecting to the share from Windows or Linux, I get this result
>> and can't enter the shared folder.
>>
>> [2022/04/05 13:18:28.795040,  3]
>> ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
>>   Got user=[myuser] domain=[mydomain] workstation=[machine]
>> len1=0 len2=142
>> [2022/04/05 13:18:28.800143,  3]
>> ../../source3/auth/user_util.c:353(map_username)
>>   Mapped user myuser to myuser
>> [2022/04/05 13:18:28.800228,  3]
>> ../../source3/auth/auth.c:200(auth_check_ntlm_password)
>>   check_ntlm_password:  Checking password for unmapped user
>> [mydomain]\[myuser]@[machine] with the new password interface
>> [2022/04/05 13:18:28.800254,  3]
>> ../../source3/auth/auth.c:203(auth_check_ntlm_password)
>>   check_ntlm_password:  mapped user is: [mydomain]\[myuser]@[machine]
>> [2022/04/05 13:18:28.810026,  3]
>> ../../source3/auth/user_util.c:353(map_username)
>>   Mapped user mydomain\myuser to mydomain\myuser
>> [2022/04/05 13:18:28.810155,  3]
>> ../../source3/auth/auth.c:267(auth_check_ntlm_password)
>>   auth_check_ntlm_password: winbind authentication for user [myuser]
>> succeeded
>> [2022/04/05 13:18:28.810264,  3]
>> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>>   Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022
>> 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
>> [machine] remote host [ipv4:123.123.157.16:50120] became
>> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
>> local host [ipv4:123.123.241.3:445]
>>   {"timestamp": "2022-04-05T13:18:28.810420+0200", "type":
>> "Authentication", "Authentication": {"version": {"major": 1, "minor":
>> 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status":
>> "NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445",
>> "remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription":
>> "SMB2", "authDescription": null, "clientDomain": "mydomain",
>> "clientAccount": "myuser", "workstation": "machine", "becameAccount":
>> "myuser", "becameDomain": "mydomain", "becameSid":
>> "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount":
>> "myuser", "mappedDomain": "mydomain", "netlogonComputer": null,
>> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
>> "passwordType": "NTLMv2", "duration": 16317}}
>> [2022/04/05 13:18:28.810490,  2]
>> ../../source3/auth/auth.c:323(auth_check_ntlm_password)
>>   check_ntlm_password:  authentication for user [myuser] -> [myuser] ->
>> [mydomain\myuser] succeeded
>>
>>
>> [2022/04/05 13:18:28.812094,  3]
>> ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
>>   NTLMSSP Sign/Seal - Initialising with flags:
>> [2022/04/05 13:18:28.812115,  3]
>> ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
>>   Got NTLMSSP neg_flags=0xe2088235
>> [2022/04/05 13:18:28.812920,  1]
>> ../../source3/auth/token_util.c:1089(create_token_from_sid)
>>   sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
>> [2022/04/05 13:18:28.812986,  3]
>> ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
>>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
>> status[NT_STATUS_LOGON_FAILURE] || at
>> ../../source3/smbd/smb2_sesssetup.c:146
>>
>> ==> log.wb-mydomain <==
>> [2022/04/05 13:18:28.801106,  3]
>> ../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
>>   [ 7141]: pam auth crap domain: mydomain user: myuser
>> [2022/04/05 13:18:28.804698,  3]
>> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
>>   Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at
>> [Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status
>> [NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became
>> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
>> local host [unix:]
>>   {"timestamp": "2022-04-05T13:18:28.804766+0200", "type":
>> "Authentication", "Authentication": {"version": {"major": 1, "minor":
>> 2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3,
>> "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress":
>> "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH,
>> smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser",
>> "workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain":
>> "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182",
>> "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null,
>> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
>> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
>> "passwordType": "NTLMv2", "duration": 3685}}
>>
>> I did a lot of tests and could finally "fix" the issue by switching
>>     idmap config DOMAIN:backend = ad
>> to
>>     idmap config DOMAIN:backend = rid
>>
>> But then it obviously killed all my UID/GID mappings.
>>
>> I can't understand what's wrong in this setup and why the AD backend is
>> suddenly not working after this smb upgrade. When I roll back to the
>> prior version, everything comes back to normal.
>>
>> It looks like I have the same issue on a CentOS 7 server where I could
>> roll back samba before finding a working solution.
>>
>> Any advice would be nice, thanks in advance!
>>
>> --
>>
>> Thibault
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
--
Thibault Roulet
Linux system engineer
EPFL - ISIC-GE - BCH 1212
T: +41 21 69 39397
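As an added example (not part of this thread or of Samba itself), a small Python triage routine run over a constructed log.smbd excerpt modelled on the one quoted above: it separates session-setup failures where winbind accepted the credentials but sid_to_gid() then failed on the primary group SID (an idmap problem, as in this report) from ordinary credential failures, which is the distinction an operator needs when NT_STATUS_LOGON_FAILURE events start showing up in monitoring after an upgrade.

```python
import re

# Constructed sample, modelled on the log.smbd excerpt quoted in the thread (not a real capture).
SAMPLE_LOG = r"""
[2022/04/05 13:18:28.810264,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [machine] remote host [ipv4:123.123.157.16:50120] became [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182]. local host [ipv4:123.123.241.3:445]
[2022/04/05 13:18:28.812920,  1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
  sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
[2022/04/05 13:18:28.812986,  3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

# Human-readable "Auth:" line written by auth_log.c: service, domain\user, status, remote host.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+)[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r".*?status \[(?P<status>[A-Z_]+)\].*?remote host \[(?P<remote>[^\]]*)\]"
)
SID_FAIL_RE = re.compile(r"sid_to_gid\((?P<sid>S-1-5-[0-9-]+)\) failed")
LOGON_FAIL_RE = re.compile(r"status\[NT_STATUS_LOGON_FAILURE\]")


def classify_logon_failures(log_text):
    """Return one finding per NT_STATUS_LOGON_FAILURE, stating whether it
    followed a successful credential check plus a sid_to_gid() failure."""
    findings = []
    last_auth = None      # most recent Auth: line (the credential verdict)
    failed_sid = None     # SID that sid_to_gid() could not map, if any
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            last_auth = m.groupdict()
            failed_sid = None
        elif m := SID_FAIL_RE.search(line):
            failed_sid = m.group("sid")
        elif LOGON_FAIL_RE.search(line):
            creds_ok = last_auth is not None and last_auth["status"] == "NT_STATUS_OK"
            findings.append({
                "user": last_auth["user"] if last_auth else None,
                "domain": last_auth["domain"] if last_auth else None,
                "remote": last_auth["remote"] if last_auth else None,
                "failed_sid": failed_sid,
                # The last SID component is the RID; 513 is the well-known
                # Domain Users RID, i.e. the account's primary group.
                "rid": int(failed_sid.rsplit("-", 1)[1]) if failed_sid else None,
                "verdict": ("idmap_sid_to_gid_failed" if creds_ok and failed_sid
                            else "credential_or_other_failure"),
            })
            last_auth, failed_sid = None, None
    return findings
```

Run it against a real log.smbd at log level 3 or higher; a verdict of idmap_sid_to_gid_failed with RID 513 points at the idmap configuration rather than at the user's credentials.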