[Samba] IOS connections to Samba 4 worked for years, now authentication fails

Rowland Penny rpenny at samba.org
Sun Sep 30 09:26:31 UTC 2018

On Sat, 29 Sep 2018 16:27:36 -0700
"Deft Developer" <dev at hymes.name> wrote:

> I will do the best I can to provide all the needed info.
> I will focus on 1 server, GABRIEL, and one share "garage"
> It is a samba AD member server on a local subnet.
> Here, samba was compiled from sources, release 4.8.3.
> Samba was built and installed on CentOS 7.5.1804
> This samba runs with a user directory prefix, because it is not the
> CentOS release. That can't be un-installed because of other
> dependencies. SELinux runs on this system, but there are no denials
> being logged anywhere. Nor are there any filesystem or permissions
> errors being logged. The smb.conf file is at the end of this message.
> iOS devices worked well enough on Samba CentOS rpms of 4.3 and 4.4,
> but we had many Active Directory issues on CentOS's 4.5. In
> particular, adcli dumps core, and machine accounts always expire. So
> I updated to 4.8, and eventually got all Windows and Linux platforms
> working together. After that is when I noticed that I could not
> authenticate anymore with Apple iOS devices. Apple devices update
> their Apps and OSs all the time, so it is not certain which Apple
> change, or Samba change broke authentication.

You have quite a few default settings in your smb.conf and a few things
I don't fully understand why you have them.

Your main 'idmap config' block is this:

idmap config PANDIMONIUM:backend = ad
idmap config PANDIMONIUM:schema_mode = template
idmap config PANDIMONIUM:range = 751001100-751001999
idmap config PANDIMONIUM:unix_nss_info = no
idmap config PANDIMONIUM:unix_primary_group = yes

Why are you using 'template' with the 'ad' backend? It doesn't exist:

From 'man idmap_ad'

schema_mode = <rfc2307 | sfu | sfu20>
Defines the schema that idmap_ad should use when querying Active Directory
regarding user and group information.
This can be either the RFC2307 schema support included in Windows 2003 R2
or the Service for Unix (SFU) schema.
For SFU 3.0 or 3.5 please choose "sfu", for SFU 2.0 please choose "sfu20".
Please note that the behavior of primary group membership is controlled
by the unix_primary_group option.

Is there some reason for using such a high range?

'unix_nss_info = no' is the default.

I think your thinking behind the 'template' setting is these two lines:

logon path = /home/%D/%U/profile
logon home = /home/%D/%U

Two things are wrong with those two lines: the 'ad' backend will pull that
info from AD (provided it is set), and the format is wrong; it expects
something like '//fileserver/share'.

The last comment about your smb.conf is that you have set 'guest ok'
on the [garage] share, but the guest user will never get anywhere near
the share ;-)

I would change your smb.conf to this:

[global]
        workgroup = PANDIMONIUM
        realm = PANDIMONIUM.ORG
        security = ADS
        server string = Gabriel %v
        netbios name = GABRIEL
        interfaces = lo enp4s0
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 2 auth:3

        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # idmap config for the PANDIMONIUM domain
        idmap config PANDIMONIUM:backend = ad
        idmap config PANDIMONIUM:range = 751001100-751001999
        idmap config PANDIMONIUM:unix_primary_group = yes
        template shell = /bin/bash

        kerberos method = secrets and keytab
        local master = no
        preferred master = no
        unix extensions = no
        allow insecure wide links = yes
        username map = /home/PANDIMONIUM/hsheldon/opt/samba-4/etc/samba/user.map

[garage]
        path = /usr/exports/garage
        invalid users = root
        write list = hsheldon administrator @admins ajahr idunhr bruzicka
        read only = No
        hide dot files = no
        comment = Storage and Workspace
        case sensitive = yes

I would also investigate 'man vfs_catia', 'man vfs_fruit' and 'man
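
The checks Rowland walks through above (a schema_mode that idmap_ad does not know, idmap ranges that must not overlap, 'unix_nss_info = no' being the default, 'logon path'/'logon home' needing '//server/share' form, and 'guest ok' being pointless on this AD member) can be turned into a small lint that runs over an smb.conf before joining the domain. The script below is an added example, not code from the thread or from the Samba project; it uses its own minimal smb.conf reader rather than testparm so it runs offline, and the SAMPLE_SMB_CONF it carries is a constructed fragment that reproduces the settings quoted in the thread, not the poster's real file.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment (not the poster's actual file) that reproduces the
# settings discussed in the thread: the invalid 'template' schema_mode, the
# non-UNC 'logon path'/'logon home' lines and 'guest ok' on [garage].
SAMPLE_SMB_CONF = """
[global]
    workgroup = PANDIMONIUM
    realm = PANDIMONIUM.ORG
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config PANDIMONIUM:backend = ad
    idmap config PANDIMONIUM:schema_mode = template
    idmap config PANDIMONIUM:range = 751001100-751001999
    idmap config PANDIMONIUM:unix_nss_info = no
    idmap config PANDIMONIUM:unix_primary_group = yes
    logon path = /home/%D/%U/profile
    logon home = /home/%D/%U

[garage]
    path = /usr/exports/garage
    guest ok = yes
    read only = No
"""

VALID_SCHEMA_MODES = {"rfc2307", "sfu", "sfu20"}  # the only values man idmap_ad documents
IDMAP_KEY = re.compile(r"^idmap config\s*(\S+)\s*:\s*(\w+)$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {lower-cased key: value}}.
    Internal whitespace in keys is collapsed, so 'idmap config * : range'
    and 'idmap config *:range' are treated alike."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def idmap_domains(global_sec: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config <domain>:<option>' entries by domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in global_sec.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains


def parse_range(spec: str) -> Tuple[int, int]:
    """'LOW-HIGH' -> (LOW, HIGH); raises ValueError on malformed or inverted ranges."""
    lo, hi = (int(p) for p in spec.split("-", 1))
    if lo > hi:
        raise ValueError(spec)
    return lo, hi


def check_smb_conf(text: str) -> List[str]:
    """Return the findings from the thread's checklist; empty list means clean."""
    findings: List[str] = []
    sections = parse_smb_conf(text)
    g = sections.get("global", {})
    domains = idmap_domains(g)

    if "range" not in domains.get("*", {}):
        findings.append("no 'idmap config * : range' for BUILTIN and unknown-domain SIDs")

    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in domains.items():
        mode = opts.get("schema_mode")
        if opts.get("backend", "").lower() == "ad" and mode and mode.lower() not in VALID_SCHEMA_MODES:
            findings.append(f"{dom}: schema_mode '{mode}' is not one of {sorted(VALID_SCHEMA_MODES)}")
        if opts.get("unix_nss_info", "").lower() == "no":
            findings.append(f"{dom}: 'unix_nss_info = no' is the default and can be dropped")
        if "range" in opts:
            try:
                ranges.append((dom,) + parse_range(opts["range"]))
            except ValueError:
                findings.append(f"{dom}: range '{opts['range']}' is not LOW-HIGH with LOW <= HIGH")
    # Every idmap range must be disjoint, or SID<->ID mappings of two domains collide.
    for i, (d1, a1, b1) in enumerate(ranges):
        for d2, a2, b2 in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"idmap ranges of {d1} and {d2} overlap")

    # logon path/home take a UNC path ('//fileserver/share'); idmap_ad reads them from AD anyway.
    for opt in ("logon path", "logon home"):
        val = g.get(opt)
        if val is not None and not (val.startswith("//") or val.startswith("\\\\")):
            findings.append(f"'{opt} = {val}' is not in //server/share form")

    # On an AD member without 'map to guest', a failed logon is rejected before any share is reached.
    if g.get("security", "").lower() == "ads" and "map to guest" not in g:
        for name, opts in sections.items():
            if name != "global" and opts.get("guest ok", "").lower() in ("yes", "true", "1"):
                findings.append(f"[{name}]: 'guest ok = yes' has no effect without 'map to guest'")
    return findings


if __name__ == "__main__":
    for finding in check_smb_conf(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run against the constructed sample it reports the five problems raised in the reply (schema_mode, unix_nss_info, both logon lines, guest ok) and no range overlap; against the corrected [global] block Rowland proposes it reports nothing. The reader is deliberately simple (no 'include', no '%'-macro expansion), so for a real file run it on the output of 'testparm -s', which already resolves those.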
