[Samba] Samba update cause windows incorrect password
rpenny at samba.org
Tue Apr 28 11:09:13 UTC 2020
On 28/04/2020 11:51, Enrico Morelli via samba wrote:
> On Tue, 28 Apr 2020 12:31:09 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>> Hi Rowland,
>> Well, it's based on what I have here.
>> I still run a mixed setup here (2 different domains).
>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA)
>> 4.11.7 as AD-DC's (buster) DOMAINB
>> All my Windows clients login through AD-DC. (DOMAINB\username)
>> I use the "Passthrough" auth for the shares on the PDC.
>> (DOMAINA\username) I use GPOs to set the correct domain to pass.
>> And %username% for the usernames
>> 0 problems here with Windows 10 and my "PDC" is set with security =
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>>> Rowland penny via samba
>>> Sent: Tuesday 28 April 2020 12:10
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba update cause windows incorrect password
>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>> Sure, I have a suggestion.
>>>> security = user? In Samba 4.9.x? And using domain logins??
>>>> Run man smb.conf
>>>> Search : security =
>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it.
>>>> Then go to : map to guest (G)
>>>> Read that.
>>>> Then go to : security (G)
>>>> And read that also.
>>>> I think you didn't read the complete changelog between 4.5.x
>>>> and 4.9.x also ;-)
>>>>>> To be able to log in, I've to select Other User, enter username
>>>>>> and password and all works fine. But if I log out and enter the
>>>>>> same password, Windows tells me "Incorrect password".
>>>> If you do that, you're typing DOM\username? Or only "username"?
>>>> Because all Windows logins are now using COMPUTERNAME\username
>>>> locally. So if you enter "username" for the PDC login it passes
>>>> "COMPUTERNAME\username" to Samba most probably.
>>>> I hope the above helps you a bit, but as far as I can see the above is
>>>> only a configuration issue.
>>>> You need to review the config and setup for security=domain.
>>> The OP is running Samba as a PDC, so 'security = user' is probably okay,
>>> but I would remove it entirely and let Samba decide what it should be ;-)
>>> What is missing is 'unix password sync = yes'
>>> If this was a Unix client, then you would need 'security = domain' and
>>> run winbind, but it is a PDC using tdbsam, so you probably don't. I say
>>> this because I haven't run a PDC for some time and would urge the OP to
>>> upgrade to AD.
> Thanks to both, but at the end which is the best way to reconfigure my
> server without losing all my Windows machines?
> If I put security = domain I'm unable to login.
> security = ADS requires Kerberos and a lot of work, and at the end I'm
> not sure that all my Windows machines will work fine.
> In my laboratory there are many Windows 10 machines, the server shares
> a lot of folders and I can't afford not to let a lot of people work to
> do my tests.
> I'm a bit confused

The first thing I would do is start winbind if it isn't already running.

If you run an NT4-style PDC, then any Linux clients need to use
'security = domain' and run winbind. Louis says this is also required on
the PDC, but I am not entirely sure this is correct, I don't remember

You only use 'security = ADS' on a Unix computer joined to an AD domain,
and adding it to a Unix client joined to an NT4-style domain will not
make it an AD client.

If you only have Windows clients then I suggest you upgrade to AD, which
your Windows 10 machines will work better with.

It is normal to set up a sandboxed network to test the upgrade; this way
you can find and fix any problems before you do it for real on your