[Samba] Samba update cause windows incorrect password

Tue Apr 28 11:09:13 UTC 2020

On 28/04/2020 11:51, Enrico Morelli via samba wrote:
> On Tue, 28 Apr 2020 12:31:09 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Hai Rowland,
>>
>> Well, its based on that i have here.
>> I run still a mixed setup here. ( 2 different domains )
>>
>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>> 4.11.7 as AD-DC's (buster) DOMAINB
>>
>> All my windows clients login through AD-DC. (DOMAINB\username)
>> I use the "Passthrough" auth for the shares on the PDC.
>> (DOMAINA\username) I use GPO's to set the correct domain to pass..
>> And %username% for the usersnames
>>
>> 0 problems here with windows 10 and my "PDC" is set with security =
>> domain.
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>> Rowland penny via samba
>>> Verzonden: dinsdag 28 april 2020 12:10
>>> Aan: samba at lists.samba.org
>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect password
>>>
>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>> Sure, i have a suggestion.
>>>>
>>>> security = user ? In samba 4.9.x ?  And using domain logings??
>>>>
>>>> Run man smb.conf
>>>> Search : security =
>>>>
>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it.
>>>>
>>>> Then goto : map to guest (G)
>>>> Read that.
>>>>
>>>> Then goto : security (G)
>>>> And read that also.
>>>>
>>>> I think you didnt read the complete changelog between 4.5.x
>>> and 4.9.x also ;-)
>>>>   
>>>>>> To be able to loing, I've to select Other User, enter username
>>>>>> and password and all works fine. But if I logout and enter the
>>>>>> same password, Windows tells me "Incorrect password".
>>>> If you do that, your typing DOM\username ? Or only "username"
>>>>
>>>> Because, all windows logings now using COMPUTERNAME\username
>>>> localy. So if you enter "username" for the PDC login it passes
>>>> "
>>> COMPUTERNAME\username" to samba most probely.
>>>> I hope above helps you a bit, but as far i can see above is
>>> only a configuration issue.
>>>> You need to review the config and setup for security=domain.
>>> The OP is running Samba as a PDC, so 'security = user' is
>>> probably okay,
>>> but I would remove it entirely and let Samba decide what it
>>> should be ;-)
>>>
>>> What is missing is 'unix password sync = yes'
>>>
>>> If this was a Unix client, then you would need 'security =
>>> domain' and
>>> run winbind, but it is a PDC using tdbsam, so you probably
>>> don't. I say
>>> this because I haven't run a PDC for sometime and would urge
>>> the OP to
>>> upgrade to AD.
>>>
>>> Rowland
>>>
> Thanks to both, but at the end which is the best way to reconfigure my
> server without loose all my Windows machines?
> If I put security = domain I'm unable to login.
> security = ADS require kerberos and a lot of work, and at the end I'm
> not sure that all my windows machines will works fine.
>
> In my laboratory there are many windows 10 machines, the server shares
> a lot of folders and I can't afford not to let a lot of people work to
> do my tests.
>
> I'm a bit confusing

The first thing I would do, start winbind if it isn't already running.

If you run an NT4-style PDC, then any Linux clients need to use 
'security = domain' and run winbind, Louis says this is also required on 
the PDC, but I am not entirely sure this is correct, I don't remember 
doing this.

You only use 'security = ADS' on a Unix computer joined to an AD domain 
and adding it to a Unix client joined to an NT4-style domain will not 
make it an AD client.

If you only have Windows clients then I suggest you upgrade to AD, which 
your Windows 10 machines will work better with.

It is normal to set up a sandboxed network to test the upgrade, this way 
you can find and fix any problems before you do it for real on your 
production network.

Rowland