samba - Aug 2024 - Upgrade from 4.13 to 4.20 failed

What?s the content of krb conf file and resolv.conf?

Your smb.conf file looks good and tidy to me.
On 6 Aug 2024 at 20:42 +0200, Anders ?stling via samba <samba at
lists.samba.org>, wrote:
> Hello
> I have an older Debian 11 with Samba 4.13 as domain member serving som
> industrial systems with files.
> Today I decided to upgrade both Debian (to 12) and Samba (to 4.17 and
> then 4.20). The upgrade using the backport repo worked after some
> extra steps. Som dependencies had to be installed separately (winbind
> and samba-common-bin) before the main samba package was installed. So
> far so good. The services started up correctly after a reboot.
>
> When I tested the first client, I was unable to connect to any of the
> shares on the server. The error message on the client side was Access
> Denied and in the server's client machine and winbind logs I found
> repeated "Failed to find a local account DOMAIN\username. The domain
> was of course correct as was the username, same as before the upgrade
> process.
>
> The server is a virtual machine so I made a copy of the Deb 12/Samba
> 4.20 and restored the saved VM files. After a restart of Deb 11/Samba
> 4.13, the clients was able to connect to the shares again. I did not
> change anything in the smb.conf file, so this may or may not be the
> reason for the failure.
>
> Here is my samba config (masked domain)
>
> [global]
> security = ADS
> workgroup = HPXX
> realm = HO-PLAT.SE
> server role = member server
> log file = /var/log/samba/%m.log
> log level = 2 winbind:5
> bind interfaces only = yes
> interfaces = lo enp1s0
>
> # Needed due to the ancient industrial system with Linux/Samba 3.x
>
> client min protocol = NT1
> server min protocol = NT1
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> username map = /etc/samba/user.map
> min domain uid = 0
>
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> vfs objects = acl_xattr
> map acl inherit = yes
> acl_xattr:ignore system acls = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config HPXX: backend = rid
> idmap config HPXX : range = 10000-999999
>
> [bock]
> path = /data/BOCK2
> read only = no
> hide unreadable = yes
>
> [laser]
> path = /data/LASER
> read only = no
> hide unreadable = yes
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

/etc/resolv.conf (Both DC's (windows) listed)

domain ho-pla.se
search ho-pla.se
nameserver 10.0.2.10
nameserver 10.0.2.64

 /etc/krb5.conf

[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = true
  default_realm = HO-PLA.SE

On Tue, Aug 6, 2024 at 9:01?PM Luis Peromarta via samba
<samba at lists.samba.org> wrote:
>
> What?s the content of krb conf file and resolv.conf?
>
> Your smb.conf file looks good and tidy to me.
> On 6 Aug 2024 at 20:42 +0200, Anders ?stling via samba <samba at
lists.samba.org>, wrote:
> > Hello
> > I have an older Debian 11 with Samba 4.13 as domain member serving som
> > industrial systems with files.
> > Today I decided to upgrade both Debian (to 12) and Samba (to 4.17 and
> > then 4.20). The upgrade using the backport repo worked after some
> > extra steps. Som dependencies had to be installed separately (winbind
> > and samba-common-bin) before the main samba package was installed. So
> > far so good. The services started up correctly after a reboot.
> >
> > When I tested the first client, I was unable to connect to any of the
> > shares on the server. The error message on the client side was Access
> > Denied and in the server's client machine and winbind logs I found
> > repeated "Failed to find a local account DOMAIN\username. The
domain
> > was of course correct as was the username, same as before the upgrade
> > process.
> >
> > The server is a virtual machine so I made a copy of the Deb 12/Samba
> > 4.20 and restored the saved VM files. After a restart of Deb 11/Samba
> > 4.13, the clients was able to connect to the shares again. I did not
> > change anything in the smb.conf file, so this may or may not be the
> > reason for the failure.
> >
> > Here is my samba config (masked domain)
> >
> > [global]
> > security = ADS
> > workgroup = HPXX
> > realm = HO-PLAT.SE
> > server role = member server
> > log file = /var/log/samba/%m.log
> > log level = 2 winbind:5
> > bind interfaces only = yes
> > interfaces = lo enp1s0
> >
> > # Needed due to the ancient industrial system with Linux/Samba 3.x
> >
> > client min protocol = NT1
> > server min protocol = NT1
> >
> > winbind use default domain = yes
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > username map = /etc/samba/user.map
> > min domain uid = 0
> >
> > winbind refresh tickets = Yes
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > acl_xattr:ignore system acls = yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> >
> > idmap config HPXX: backend = rid
> > idmap config HPXX : range = 10000-999999
> >
> > [bock]
> > path = /data/BOCK2
> > read only = no
> > hide unreadable = yes
> >
> > [laser]
> > path = /data/LASER
> > read only = no
> > hide unreadable = yes
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba


-- 
------ -------------------- 8 ------------------ ------
"A wise man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders ?stling
+46 768 716 165 (Mobil)