On Thu, 3 Oct 2024 15:39:29 +0200
Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to connect a Debian 11.x server (running Samba 4.13.13, old
> version...) to an AD which is controlled by a Windows Server 2022
> (21H2) controller.
>
> The server joined the domain fine, it's listed among the domain
> members normally, and user authentication works ("id <some domain
> user>" works), however I can connect to the server just fine in two
> cases:

From the above, it sounds like you are joining Samba as a Unix domain
member (security = ads)

>
> * From another Linux machine, using smbclient, I can connect to my
> share using a domain user;
>
> * From a Win11 machine which is NOT a member of the domain, I can
> connect using credentials from a domain user;
>
> BUT from any machine which is a domain member, I can't reach my server
> at all; it's not listed in the "Network", and accessing it directly
> either with \\servername or \\servername\share fails instantly (with
> an undefined, therefore completely unhelpful error 0x80004005).
>
> Now from https://wiki.samba.org/index.php/AD_Schema_Version_Support I
> see that Samba 4.13.13 (which I'm running) apparently can't manage an
> AD schema higher than Win2008R2 ... Could that be the source of my
> problems? Apparently I'd need Samba 4.19+ (though I don't know what
> sort of failures I'm supposed to encounter when running in a higher
> than supported schema).
>
> In that case the only solution would be upgrading to Debian 12, then
> installing Samba 4.20 from the backports. Is there any other way
> around?
>

If this is a Unix domain member, then the schema is only used on the
Windows DC, the Samba Unix domain member never sees it directly.

This sounds like an SMBv1 problem (partially at least), where, because
NetBIOS isn't being used, Network Browsing no longer works, but
smbclient connecting to a share should.
While Samba 4.13.13 is old (and you really should update to a much
newer version), it should work as a Unix domain member.

If it is a Unix domain member, please can you post the output of
'testparm -s'; if it isn't, can you please explain in a bit more
detail just how you have set up Samba.

Rowland
On Thu, 3 Oct 2024 15:21:07 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> From the above, it sounds like you are joining Samba as a Unix domain
> member (security = ads)
>

Yes, absolutely.

>
> If this is a Unix domain member, then the schema is only used on the
> Windows DC, the Samba Unix domain member never sees it directly.
>
> This sounds like an SMBv1 problem (partially at least), where, because
> NetBIOS isn't being used, Network Browsing no longer works, but
> smbclient connecting to a share should.
>

"smbclient" on Linux connects to the share just fine using domain user
credentials. Only domain members can't...

> While Samba 4.13.13 is old (and you really should update to a much
> newer version), it should work as a Unix domain member.
>
> If it is a Unix domain member, please can you post the output of
> 'testparm -s'; if it isn't, can you please explain in a bit more
> detail just how you have set up Samba.

I don't have access to the machine right now, but the config is
straightforward:

/etc/samba/smb.conf

[global]
    workgroup = example
    security = ADS
    realm = EXAMPLE.LAN
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/EXAMPLE/%U
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map
    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes
    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

That's a generic configuration I've been using on different domains, but
never with an AD running higher than WS2016, I guess.

-- 
------------------------------------------------------------------------
Emmanuel Florac      |   Direction technique
------------------------------------------------------------------------
https://intellique.com        +33 6 16 30 15 95
------------------------------------------------------------------------
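As an added example (not code from this thread and not part of the Samba project), the checker below parses an smb.conf, or the output of `testparm -s`, which uses the same format, and applies the first things a reviewer of a Unix domain member's config looks at: security = ads with a realm, a keytab file when the kerberos method needs one, idmap ranges that do not overlap, and whether SMB1 is still on, since Network browsing needs SMB1/NetBIOS while a direct \\server\share connection does not. The embedded sample is constructed from the [global] section posted above, trimmed; the [data] share, the file paths and all function names are made up for the example. Key names are normalised the way Samba compares them (case-insensitive, whitespace ignored), so both spellings of the idmap parameters in the posted config resolve to the same key.

```python
"""Sanity checks for a Samba Unix domain member's smb.conf.

Added example; not code from this thread or from the Samba project.
Parses smb.conf (or `testparm -s` output, same format) and reports what a
reviewer of a domain member's config looks at first. The sample config is
constructed from the [global] section posted in the thread, trimmed; the
[data] share and its path are made up.
"""
import re

SAMPLE_SMB_CONF = """
[global]
    workgroup = example
    security = ADS
    realm = EXAMPLE.LAN
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    # Samba accepts both '#' and ';' comment lines
    map to guest = bad user

[data]
    path = /srv/data
    read only = no
"""


def normalise_key(key):
    """Samba compares parameter names case-insensitively and ignores
    whitespace in them: 'idmap config EXAMPLE : range' and
    'idmap config EXAMPLE:range' name the same parameter."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section_name: {normalised_key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or junk
        key, _, value = line.partition("=")
        sections[current][normalise_key(key)] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Return {domain: (low, high)} from every 'idmap config DOMAIN : range'."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def check_domain_member(sections):
    """Return a list of (level, message) findings for the [global] section."""
    g = sections.get("global", {})
    findings = []

    if g.get("security", "user").lower() != "ads":
        findings.append(("error", "security is not 'ads'; not an AD domain member"))
    if not g.get("realm"):
        findings.append(("error", "realm is not set; required with security = ads"))

    # 'dedicated keytab file' is what a keytab-based kerberos method reads.
    if "keytab" in g.get("kerberosmethod", "secrets only").lower() \
            and not g.get("dedicatedkeytabfile"):
        findings.append(("warning", "kerberos method uses a keytab but "
                         "'dedicated keytab file' is not set"))

    # The '*' default range is required and no two ranges may overlap.
    ranges = idmap_ranges(g)
    if "*" not in ranges:
        findings.append(("error", "no 'idmap config * : range' for the default backend"))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("error", f"idmap ranges for '{a}' and '{b}' overlap"))

    # Samba 4.11 and later default to 'server min protocol = SMB2_02', so
    # SMB1 is off unless enabled. Network browsing needs SMB1/NetBIOS; a
    # direct \\server\share connection does not.
    min_proto = g.get("serverminprotocol", "SMB2_02").upper()
    if min_proto.startswith(("SMB2", "SMB3")):
        findings.append(("info", f"server min protocol = {min_proto}: SMB1 is off, "
                         "so the host will not show up in Network browsing"))
    else:
        findings.append(("warning", f"server min protocol = {min_proto}: SMB1 is enabled"))
    return findings


if __name__ == "__main__":
    for level, message in check_domain_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{level:7} {message}")
```

Run against the posted [global] section it reports no errors and one info line about SMB1 being off, which matches the symptom of a server that is reachable by name but absent from the "Network" listing; shrinking the EXAMPLE range so that it overlaps the '*' range turns that into an error, which is the same condition testparm itself complains about.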