[Samba] problems after migrating NT domain to AD (samba 4.7.x)

Rowland Penny rpenny at samba.org
Sat Sep 28 19:29:54 UTC 2019


On 28/09/2019 19:40, Bartłomiej Solarz-Niesłuchowski via samba wrote:
> Dear List,
>
> My domain +/- works, so I try to fix rest services based on domain 
> NT/AD....
>
> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before 
> migration it works).
>
> And after migration authorization does not work.
>
> Freeradius server is on samba domain member.
>
> So I check domain connectivity:
>
> [root@see-you-later samba]# net ads testjoin
> Join is OK
> [root@see-you-later samba]# wbinfo -a test%XXXX
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> [root@see-you-later samba]# wbinfo -g
>
> here list of domain group
>
> smb.conf
>
> [global]
>         dos charset = CP852
>         unix charset = UTF8
>         workgroup = WSISIZ.EDU.PL
>         realm = ad.wsisiz.edu.pl
>         server role = member server
>         security = ads
>         allow trusted domains = No
>         log level = 0
>         time server = Yes
>         deadtime = 60
>         hostname lookups = Yes
>         printcap cache time = 600
>         printcap name = cups
>         wins support = Yes
>         remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
>         winbind use default domain = Yes
>         create mask = 0644
>         inherit acls = Yes
>         remote browse sync = oceanic.wsisiz.edu.pl
>         create mask = 0644
>         hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
>         hide dot files = No
>         ea support = Yes
>         map acl inherit = Yes
>         cups options = raw
>         hide dot files = No
>         store dos attributes = Yes
>         wide links = Yes
>         acl allow execute always = yes
>         ntlm auth = mschapv2-and-ntlmv2-only

I suspect you are back on a Red Hat distro here, or at least you are 
using sssd; if so, do this:

yum remove sssd*

You cannot use sssd with Samba on a Unix domain member; you must use 
winbind. sssd and winbind are mutually exclusive.

Samba does not provide support for sssd because we do not produce it; 
you will need to ask on the sssd-users mailing list.

If you are not using sssd, your smb.conf does not have any 'idmap 
config' lines; see here for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
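
The missing 'idmap config' lines pointed out in the reply above can be checked for mechanically. The following is an added example, not part of the original message and not Samba code: a small Python lint of the [global] section that reports a domain member with no idmap configuration, an idmap domain lacking a backend or range, and overlapping ranges. The function names, the domain name EXAMPLE and the sample backends and ranges are assumptions made for illustration.

```python
import re
# Constructed sample: two lines of the [global] section quoted in the thread.
FROM_THREAD = """\
[global]
        workgroup = WSISIZ.EDU.PL
        security = ads
"""
# Constructed: EXAMPLE, backends and ranges are assumptions; ranges overlap on purpose.
WITH_IDMAP = FROM_THREAD + """\
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EXAMPLE : backend = rid
        idmap config EXAMPLE : range = 7000-999999
"""

def global_params(text):
    """(name, value) pairs from [global]; names lower-cased, whitespace collapsed."""
    section, out = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            out.append((" ".join(name.lower().split()), value.strip()))
    return out

def check_idmap(text):
    """Findings about 'idmap config' when security = ads; empty list if none."""
    params = global_params(text)
    if dict(params).get("security", "").lower() != "ads":
        return []
    idmap = {}  # domain -> {option: value}
    for name, value in params:
        if m := re.fullmatch(r"idmap config (\S+) ?: ?(.+)", name):
            idmap.setdefault(m.group(1), {})[m.group(2)] = value
    if not idmap:
        return ["security = ads but no 'idmap config' lines in [global]"]
    findings, ranges = [], []
    for dom, opts in sorted(idmap.items()):
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if "backend" not in opts or not r:
            findings.append(f"idmap config {dom}: needs both backend and range")
        else:
            ranges.append((int(r.group(1)), int(r.group(2)), dom))
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # configured ranges must be disjoint
            findings.append(f"idmap ranges overlap: {d1} and {d2}")
    return findings
```

On a real member, `testparm` remains the authoritative parser; this sketch only reads [global] and does not follow `include` lines.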



