[Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind

[Paul Raines]

I think that is fair to say about my old accounts where names and IDs
do not match.  But the crazy thing is it is those accounts which work fine
and it is the new accounts where I did make the names and IDs match where
things do not work!

I am still confused about the supplemental groups thing.  Are you saying
Samba will not support a mode where 'security = ads' for authentication
against AD but there are groups defined "locally" (and not in AD) that
can be used in smb.conf for things like 'valid users' and 'force group'?

Does using 'security = ads' actually REQUIRE that winbind also be used
in NIS (nsswitch.conf/pam) now?

I have tried 'security = domain' as the smb.conf man page mostly describes 
this as what I want but using this always results in

Checking NTLMSSP password for MYDOMAIN\user failed: NT_STATUS_LOGON_FAILURE

for any user login without winbind running.  When I run winbind, winbind
hangs and can only be killed by a kill -9 signal. Even 'wbinfo --own-domain'
just hangs forever.  Runing winbind in the foreground with -d 10 it seems
to be constantly trying to connect to the DC and failing with

Connecting to 172.18.1.18 at port 445
fcntl_lock 25 6 0 1 0
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
fcntl_lock: lock failed at offset 0 count 1 op 6 type 0 (Resource temporarily 
unavailable)



On Tue, 8 Jan 2019 5:19pm, Rowland Penny wrote:

> On Tue, 8 Jan 2019 16:25:55 -0500 (EST)
> Paul Raines <raines at nmr.mgh.harvard.edu> wrote:
>
>>
>> It appears there is still misunderstanding about my situation/setup.
>> Sorry, I know this is strange.
>>
>> I have an LDAP server for my Linux infrastructure that is totally
>> seperate from the corporate AD Windows domain.  At one point my LDAP
>> did have the samba schema installed with my its own SID's and
>> smbpasswd's in it. My web app for users to change their Linux
>> password would on the backend set their 'userPassword' and
>> 'sambaNTPassword' via separate calls to keep them in sync.
>>
>> But when the edict to do single sign on to the coporate AD happened I
>> stopped using any of the samba schema in my LDAP server.  And I set
>> each user's 'userPassword' field to something like '{SASL}per2' to
>> use passthru on the LDAP authentication end.  And I configured samba
>> to use corporate AD with the username map
>>
>> Corporate is definitely NOT going to let me copy 'sambaNTPassword'
>> from them or let me setup my own domain to trust.  The later would
>> probably not work anyway due to the mismatch with names/uids.
>>
>
> You are either going to have to do one of two things, stick with 4.7.x
> (which isn't a good thing in the long term), or explain to 'corporate'
> that it is going to cost them a lot of money to fix this.
>
> Your setup would best be described as a lash up
>
> I do not think there is an easy way to fix your problem, except for
> using your AD. It would have been a lot easier if you hadn't done
> something stupid like having your users in your ldap and AD with
> different names. I know Samba is capable of being bent to do some
> strange things, but you are trying to bend it too far.
>
> You will not like this, but you are going to have to work with it.
> There have been numerous changes since 4.7.0 and it is very unlikely
> that whatever has broken your setup will be reversed.
>
> Rowland
>
>
>