[Samba] Samba update cause windows incorrect password

Rowland penny rpenny at samba.org
Tue Apr 28 11:09:13 UTC 2020

On 28/04/2020 11:51, Enrico Morelli via samba wrote:
> On Tue, 28 Apr 2020 12:31:09 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>> Hai Rowland,
>> Well, it's based on what I have here.
>> I still run a mixed setup here (2 different domains).
>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>> 4.11.7 as AD-DC's (buster) DOMAINB
>> All my Windows clients log in through the AD-DC. (DOMAINB\username)
>> I use the "Passthrough" auth for the shares on the PDC.
>> (DOMAINA\username) I use GPOs to set the correct domain to pass.
>> And %username% for the usernames.
>> 0 problems here with Windows 10 and my "PDC" is set with security =
>> domain.
>> Greetz,
>> Louis
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>> Rowland penny via samba
>>> Sent: Tuesday 28 April 2020 12:10
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba update cause windows incorrect password
>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>> Sure, I have a suggestion.
>>>> security = user? In Samba 4.9.x? And using domain logins??
>>>> Run man smb.conf
>>>> Search : security =
>>>> Then go to : map to guest (G)
>>>> Read that.
>>>> Then go to : security (G)
>>>> And read that also.
>>>> I think you didn't read the complete changelog between 4.5.x
>>>> and 4.9.x also ;-)
>>>>>> To be able to log in, I have to select Other User, enter username
>>>>>> and password and all works fine. But if I log out and enter the
>>>>>> same password, Windows tells me "Incorrect password".
>>>> If you do that, you're typing DOM\username? Or only "username"?
>>>> Because all Windows logins now use COMPUTERNAME\username
>>>> locally. So if you enter "username" for the PDC login it passes
>>>> "COMPUTERNAME\username" to Samba most probably.
>>>> I hope the above helps you a bit, but as far as I can see the above
>>>> is only a configuration issue.
>>>> You need to review the config and setup for security=domain.
>>> The OP is running Samba as a PDC, so 'security = user' is probably
>>> okay, but I would remove it entirely and let Samba decide what it
>>> should be ;-)
>>> What is missing is 'unix password sync = yes'
>>> If this was a Unix client, then you would need 'security = domain'
>>> and run winbind, but it is a PDC using tdbsam, so you probably
>>> don't. I say this because I haven't run a PDC for some time and
>>> would urge the OP to upgrade to AD.
>>> Rowland
> Thanks to both, but in the end which is the best way to reconfigure my
> server without losing all my Windows machines?
> If I put security = domain I'm unable to log in.
> security = ADS requires Kerberos and a lot of work, and in the end I'm
> not sure that all my Windows machines will work fine.
> In my laboratory there are many Windows 10 machines, the server shares
> a lot of folders and I can't afford not to let a lot of people work to
> do my tests.
> I'm a bit confused.

The first thing I would do is start winbind, if it isn't already running.

If you run an NT4-style PDC, then any Linux clients need to use 
'security = domain' and run winbind. Louis says this is also required on 
the PDC, but I am not entirely sure this is correct; I don't remember 
doing this.

You only use 'security = ADS' on a Unix computer joined to an AD domain, 
and adding it to a Unix client joined to an NT4-style domain will not 
make it an AD client.

If you only have Windows clients then I suggest you upgrade to AD, which 
your Windows 10 machines will work better with.

It is normal to set up a sandboxed network to test the upgrade; this way 
you can find and fix any problems before you do it for real on your 
production network.
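
As an added illustration (not part of the message above and not Samba project code), the suggestions made in this thread can be written as a small smb.conf review. The two sample configurations are constructed, and treating `domain logons = yes` as the marker of an NT4-style PDC is an assumption of this example.

```python
# Constructed samples: an NT4-style PDC and a Linux member of its domain.
PDC_CONF = """\
[global]
    workgroup = LAB
    Domain Logons = yes
    passdb backend = tdbsam
    security = user
"""
MEMBER_CONF = """\
[global]
    workgroup = LAB
    security = domain
"""

def parse_global(text):
    """Return the [global] parameters of an smb.conf text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def is_yes(value):
    """smb.conf booleans are yes/no, true/false or 1/0."""
    return value.lower() in ("yes", "true", "1")

def review(text):
    """Apply the thread's suggestions to one smb.conf; return the notes."""
    g = parse_global(text)
    security = g.get("security", "auto").lower()
    # Assumption: 'domain logons = yes' marks the NT4-style domain controller.
    pdc = is_yes(g.get("domainlogons", "no"))
    notes = []
    if security == "ads" and pdc:
        notes.append("ads: only for a Unix machine joined to an AD domain")
    if pdc and security == "user":
        notes.append("user: can be removed so Samba picks the value itself")
    if pdc and not is_yes(g.get("unixpasswordsync", "no")):
        notes.append("sync: 'unix password sync = yes' is not set")
    if not pdc and security == "domain":
        notes.append("domain: NT4-style member, winbind must be running")
    return notes
```

`review(PDC_CONF)` returns the `user` and `sync` notes, and `review(MEMBER_CONF)` returns the winbind reminder; pass the text of a real smb.conf to check it the same way.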

