Rowland Penny
2022-Aug-05 17:55 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
On Fri, 2022-08-05 at 10:15 -0700, Curtis Spencer via samba wrote:
> > You didn't upgrade far enough, you need to (in my opinion) upgrade to
> > AD, Samba is working hard on removing SMBv1 and your setup requires it.
> > It was turned off by default at 4.11.0, so you could try adding these
> > lines to your smb.conf:
> >
> >     client min protocol = NT1
> >     server min protocol = NT1
> >
> > You may also have to add:
> >
> >     ntlm auth = yes
> >
> > Also ensure that winbind is running.
>
> Thanks. I tried adding all three lines as well as just the first two. I
> restarted smbd and winbind each time and ensured they were both running.
> However, I still see this in `/var/log/samba/log.smbd` (the log is the same
> with and without `ntlm auth = yes`):

I didn't mention 'map untrusted to domain' because it doesn't matter whether it has anything to do with the problem or not (I do not think it has), it was removed and it is very unlikely to come back.

It has been quite some time since I had anything to do with an NT4-style domain (which yours is for all intents and purposes), but I think you need to add 'idmap config' lines, something like these:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

Though you may need to use a different backend for the 'EXAMPLE' domain ('ad' for instance if you have uidNumber & gidNumber attributes). You may also have to 'play' with the 'range' numbers.

I would highly recommend upgrading to AD, it is much simpler and is the way forward, NT4-style domains are the past and will go away.

Rowland
Curtis Spencer
2022-Aug-05 19:52 UTC
[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13
> I didn't mention 'map untrusted to domain' because it doesn't matter
> whether it has anything to do with the problem or not (I do not think
> it has), it was removed and it is very unlikely to come back.

Ok, thanks. I just noticed that when running `testparm` I wanted to check. I'm not entirely sure what that is doing or if it matters in this case.

> It has been quite some time since I had anything to do with an NT4-style
> domain (which yours is for all intents and purposes), but I think you
> need to add 'idmap config' lines, something like these:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config EXAMPLE : backend = rid
>     idmap config EXAMPLE : range = 10000-999999
>
> Though you may need to use a different backend for the 'EXAMPLE' domain
> ('ad' for instance if you have uidNumber & gidNumber attributes). You
> may also have to 'play' with the 'range' numbers.

Thanks. I tried adding these and tried different backends (replaced `rid` with `ad`) and changed the range numbers to `3000-5999` and `6000-999999`, respectively, to work with the UIDs of users in OpenLDAP (the UID of `test_user` is 6139) but was still unable to authenticate and am still getting the same error as before.

> I would highly recommend upgrading to AD, it is much simpler and is the
> way forward, NT4-style domains are the past and will go away.

Yes, we are planning to replace our OpenLDAP domain in the not too distant future. I was hoping to get Samba working in the interim.

Any other things I can try or thoughts on how to find the underlying authentication issue?

Thanks,

Curtis
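Added example, not part of the thread and not Samba project code: a Python check for the smb.conf settings discussed in the messages above. It lists the lines that re-enable SMBv1 or NTLMv1, verifies that the idmap ranges are disjoint, and reports which range a given UID falls into. The sample config is constructed from values quoted in the thread, and all function names are this example's own.

```python
import re

# Constructed sample: settings from the thread, with the ranges Curtis tried.
SAMPLE = """\
[global]
    client min protocol = NT1
    server min protocol = NT1
    ntlm auth = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-5999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 6000-999999
"""
IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)
PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # SMBv1-era dialects

def parse(text):
    """Return (plain settings, {idmap domain: (low, high)}) from smb.conf text."""
    settings, rng = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith(("#", ";")):
            continue  # blank line, section header or comment
        m = IDMAP.match(" ".join(key.split()))
        if m and m.group(2).lower() == "range":
            rng[m.group(1)] = tuple(int(n) for n in value.split("-"))
        elif not m:
            settings[" ".join(key.lower().split())] = value.strip()
    return settings, rng

def overlaps(rng):
    """Pairs of idmap domains whose ranges intersect; they must be disjoint."""
    doms = sorted(rng)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def covering(rng, uid):
    """idmap domains whose range contains the given UID."""
    return sorted(d for d, (lo, hi) in rng.items() if lo <= uid <= hi)

def legacy_findings(settings):
    """Settings from the thread that re-enable SMBv1 or NTLMv1."""
    found = [f"{k} = {settings[k]} allows SMBv1"
             for k in ("client min protocol", "server min protocol")
             if settings.get(k, "").upper() in PRE_SMB2]
    if settings.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        found.append("ntlm auth allows NTLMv1")
    return found
```

Call `parse(SAMPLE)` and pass the results to the three checks. With the ranges first suggested (3000-7999 and 10000-999999), `covering` places UID 6139 in the `*` range rather than the domain's range.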