[Samba] AD member server, some users suddenly can only connect to shares via ip address

Rowland Penny rpenny at samba.org
Thu Apr 25 14:24:25 UTC 2019


On Thu, 25 Apr 2019 15:39:21 +0200
Neil Price via samba <samba at lists.samba.org> wrote:

> On 2019/04/25 14:44, Rowland Penny via samba wrote:
> > OK, post your smb.conf  
> 
> Thanks for the help.... remember this has been working up to now and only
> a few users have the password prompt..  (btw "gibb.local" is a
> trusted samba3 domain used for migration; connecting as a gibb.local
> user does work)
> 
> getent passwd returns expected results, as does wbinfo -u
> 
> # Global parameters
> [global]
>          netbios name = PTA-CLUSTER
>          realm = AD.GIBB.CO.ZA
>          server string = Pretoria Cluster
>          workgroup = GIBB
>          ldap connection timeout = 20

You should remove the above; you do not use ldap with an AD Unix domain
member.

>          ldap timeout = 60
As above.

>          log file = /var/log/samba/log.%m
>          max log size = 1000
>          syslog = 0
>          panic action = /usr/share/samba/panic-action %d
>          map to guest = Bad User
>          obey pam restrictions = Yes
>          pam password change = Yes
>          passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          passwd program = /usr/bin/passwd %u
>          security = ADS
>          server role = member server
>          unix password sync = Yes

You shouldn't have any Unix users that are in AD in /etc/passwd, so you
do not need the above line.

>          username map = /etc/samba/user.map
>          template homedir = /home/gibb/%U
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind refresh tickets = Yes
>          winbind request timeout = 120
>          dns proxy = No
>          wins server = 192.168.112.94 192.168.104.2

You do not use 'wins' with AD

>          idmap config gibb.local : range = 1600000-1999999
>          idmap config gibb.local : backend = rid

You said above that 'gibb.local' is a trusted domain that was used for
migration. Two questions about this: is 'gibb.local' the workgroup
name, and if so, why does it have a dot in it? Secondly, you mentioned
'migrate', do you mean you migrated 'gibb.local' (a PDC domain) to the
'GIBB' AD domain? If so, you should immediately turn off 'gibb.local',
it will have the same SID as 'GIBB'.
If this isn't the case, can you explain further what you mean by
'migrate'?

>          idmap config gibb : range = 1000000-1599999
>          idmap config gibb : backend = rid
>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb

Rowland
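The following is an added example, not part of the thread and not Samba's own tooling: a small smb.conf linter that applies the points raised in the reply above to the quoted configuration. The sample configuration is constructed from the lines quoted in the thread; the parameter list flags the settings the reply says do not belong on an AD Unix domain member (the ldap parameters, unix password sync, wins server). It goes one step beyond the thread by also checking that the idmap config ranges do not overlap and that a default ('*') range exists, both of which Samba requires. The function names and the finding strings are this example's own.

```python
"""Lint an smb.conf for settings that do not belong on a Samba AD Unix domain member.

Added example (not from the mailing-list thread or from Samba). The sample
configuration is constructed from the smb.conf quoted in the thread.
"""
import re

# Constructed sample: the [global] lines quoted in the thread, abridged.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
         netbios name = PTA-CLUSTER
         realm = AD.GIBB.CO.ZA
         workgroup = GIBB
         ldap connection timeout = 20
         ldap timeout = 60
         security = ADS
         server role = member server
         unix password sync = Yes
         wins server = 192.168.112.94 192.168.104.2
         idmap config gibb.local : range = 1600000-1999999
         idmap config gibb.local : backend = rid
         idmap config gibb : range = 1000000-1599999
         idmap config gibb : backend = rid
         idmap config * : range = 3000-7999
         idmap config * : backend = tdb
"""

# Parameters the reply says have no place on an AD domain member, with the reason.
UNWANTED_ON_AD_MEMBER = {
    "ldap connection timeout": "ldap parameters are not used by an AD Unix domain member",
    "ldap timeout": "ldap parameters are not used by an AD Unix domain member",
    "unix password sync": "AD users should not be in /etc/passwd, so nothing to sync",
    "wins server": "WINS is not used with AD; name resolution is via DNS",
}


def parse_smb_conf(text):
    """Return {section: {param: value}}.

    Parameter names are lowercased and their internal whitespace collapsed,
    since Samba ignores case and spacing in parameter names.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def lint_ad_member(sections):
    """Return a list of human-readable findings for an AD Unix domain member."""
    findings = []
    g = sections.get("global", {})

    # 1. Parameters that should simply be removed (per the reply above).
    for param, why in UNWANTED_ON_AD_MEMBER.items():
        if param in g:
            findings.append(f"remove '{param}': {why}")

    # 2. idmap ranges: every configured domain needs its own non-overlapping
    #    range, and a default '*' range must exist.
    ranges = {}
    for key, value in g.items():
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    if "*" not in ranges:
        findings.append("missing 'idmap config * : range' for the default domain")
    return findings


if __name__ == "__main__":
    for finding in lint_ad_member(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against the quoted configuration it reports the four parameters the reply asks to remove and nothing about the idmap ranges, which do not overlap. Feeding it a file with, say, a 'gibb' range that reaches into the '*' range would add an overlap finding, which is the kind of mistake that produces exactly the symptom in the subject line: some users mapping to the wrong or no Unix id.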