[Samba] 4.8+ started requiring full UPN for logon

Eugene Pankov e at ajenti.org
Mon Mar 11 10:49:10 UTC 2019


Hi guys,

It appears that Samba 4.8 breaks Windows' ability to log in without
specifying a matching domain name.
Since the upgrade, logging in with just the username or .\username has
become impossible, and only SAMBAHOSTNAME\username still works.
I'm running an Apple OpenDirectory + nslcd setup. The username (e_user)
still resolves properly via NSS.

Is there anything I could have missed when upgrading?

Auth attempt log:

  check_ntlm_password:  Checking password for unmapped user [WIN-9F1GSF1XXXX]\[e_user]@[WIN-9F1GSF1XXXX] with the new password interface
  check_ntlm_password:  mapped user is: [WIN-9F1GSF1XXXX]\[e_user]@[WIN-9F1GSF1XXXX]
  Check auth for: [e_user]
  auth_check_ntlm_password: anonymous had nothing to say
  Check auth for: [e_user]
  is_myname("WIN-9F1GSF1XXXX") returns 0
  check_samstrict_security: WIN-9F1GSF1XXXX is not one of my local names or domain name (DC)
  auth_check_ntlm_password: sam had nothing to say


Globals:

  disable netbios = Yes
  dns proxy = No
  domain logons = Yes
  ldap admin dn = uid=diradmin,cn=users,dc=directory,dc=xxx,dc=com
  ldap ssl = no
  ldap suffix = dc=directory,dc=xxx,dc=com
  map to guest = Bad User
  ntlm auth = ntlmv1-permitted
  nt pipe support = No
  passdb backend = ldapsam:ldap://directory.xxx.com
  security = USER
  server min protocol = NT1
  server string = XXX SMB
  workgroup = XXX
  idmap config * : backend = tdb
  map archive = No
  map readonly = no
  nt acl support = No

Cheers,
Eugene
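
An added example, not part of the original post and not Samba code: a triage script for auth log lines in the format quoted above. It pulls out the domain, user and workstation the client sent, records which auth modules declined, and flags the pattern visible in this log, where the domain field equals the client's own machine name and check_samstrict_security rejects it. The function names and the sample text are constructed for illustration, and wrapped log lines are assumed to have been rejoined.

```python
import re

# Constructed sample in the format of the log quoted in the post.
SAMPLE_LOG = """\
check_ntlm_password:  Checking password for unmapped user [WIN-9F1GSF1XXXX]\\[e_user]@[WIN-9F1GSF1XXXX] with the new password interface
check_ntlm_password:  mapped user is: [WIN-9F1GSF1XXXX]\\[e_user]@[WIN-9F1GSF1XXXX]
Check auth for: [e_user]
auth_check_ntlm_password: anonymous had nothing to say
Check auth for: [e_user]
is_myname("WIN-9F1GSF1XXXX") returns 0
check_samstrict_security: WIN-9F1GSF1XXXX is not one of my local names or domain name (DC)
auth_check_ntlm_password: sam had nothing to say
"""

# "mapped user is: [DOMAIN]\[user]@[WORKSTATION]" starts a new attempt.
MAPPED = re.compile(r"mapped user is:\s*\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
DECLINED = re.compile(r"auth_check_ntlm_password: (\w+) had nothing to say")
SAMSTRICT = re.compile(r"check_samstrict_security: (\S+) is not one of my local names")

def summarize(log_text):
    """Return one dict per logon attempt found in the log text."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = MAPPED.search(line)
        if m:
            cur = {"domain": m.group(1), "user": m.group(2),
                   "workstation": m.group(3), "declined": [],
                   "rejected_domain": None}
            attempts.append(cur)
        elif cur is not None:
            d, s = DECLINED.search(line), SAMSTRICT.search(line)
            if d:
                cur["declined"].append(d.group(1))
            if s:
                cur["rejected_domain"] = s.group(1)
    return attempts

def client_name_used_as_domain(attempt):
    """True when the domain sent is the client's machine name and the
    sam module's strict check rejected that same name."""
    return (attempt["domain"].upper() == attempt["workstation"].upper()
            and attempt["rejected_domain"] == attempt["domain"])

if __name__ == "__main__":
    for a in summarize(SAMPLE_LOG):
        print(a, "client name used as domain:", client_name_used_as_domain(a))
```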

