[Samba] Samba update cause windows incorrect password

Wed Apr 29 10:46:19 UTC 2020

Thanks for the suggestions. When I'll can go to work I'll start to test the 
Ad solution. All my clients are Windows and the only things I need is the 
client authentication and permit to some user to access to some shared 
folders from the server.

Have you some tutorials/books to help me to configure everything?

Thanks again
-----------------------------------------------------------
Enrico Morelli
System Administrator | Programmer | Web Developer

CERM - Polo Scientifico
via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
-----------------------------------------------------------

In data 28 aprile 2020 1:09:46 PM Rowland penny via samba 
<samba at lists.samba.org> ha scritto:

> On 28/04/2020 11:51, Enrico Morelli via samba wrote:
>> On Tue, 28 Apr 2020 12:31:09 +0200
>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>
>>> Hai Rowland,
>>>
>>> Well, its based on that i have here.
>>> I run still a mixed setup here. ( 2 different domains )
>>>
>>> 2 servers 4.1.x as PDC/member on wheezy. (DOMAINA )
>>> 4.11.7 as AD-DC's (buster) DOMAINB
>>>
>>> All my windows clients login through AD-DC. (DOMAINB\username)
>>> I use the "Passthrough" auth for the shares on the PDC.
>>> (DOMAINA\username) I use GPO's to set the correct domain to pass..
>>> And %username% for the usersnames
>>>
>>> 0 problems here with windows 10 and my "PDC" is set with security =
>>> domain.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Oorspronkelijk bericht-----
>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>>>> Rowland penny via samba
>>>> Verzonden: dinsdag 28 april 2020 12:10
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Samba update cause windows incorrect password
>>>>
>>>> On 28/04/2020 10:39, L.P.H. van Belle via samba wrote:
>>>>> Sure, i have a suggestion.
>>>>>
>>>>> security = user ? In samba 4.9.x ?  And using domain logings??
>>>>>
>>>>> Run man smb.conf
>>>>> Search : security =
>>>>>
>>>>> Read : NOTE ABOUT USERNAME/PASSWORD VALIDATION where you see it.
>>>>>
>>>>> Then goto : map to guest (G)
>>>>> Read that.
>>>>>
>>>>> Then goto : security (G)
>>>>> And read that also.
>>>>>
>>>>> I think you didnt read the complete changelog between 4.5.x
>>>> and 4.9.x also ;-)
>>>>>
>>>>>>> To be able to loing, I've to select Other User, enter username
>>>>>>> and password and all works fine. But if I logout and enter the
>>>>>>> same password, Windows tells me "Incorrect password".
>>>>> If you do that, your typing DOM\username ? Or only "username"
>>>>>
>>>>> Because, all windows logings now using COMPUTERNAME\username
>>>>> localy. So if you enter "username" for the PDC login it passes
>>>>> "
>>>> COMPUTERNAME\username" to samba most probely.
>>>>> I hope above helps you a bit, but as far i can see above is
>>>> only a configuration issue.
>>>>> You need to review the config and setup for security=domain.
>>>> The OP is running Samba as a PDC, so 'security = user' is
>>>> probably okay,
>>>> but I would remove it entirely and let Samba decide what it
>>>> should be ;-)
>>>>
>>>> What is missing is 'unix password sync = yes'
>>>>
>>>> If this was a Unix client, then you would need 'security =
>>>> domain' and
>>>> run winbind, but it is a PDC using tdbsam, so you probably
>>>> don't. I say
>>>> this because I haven't run a PDC for sometime and would urge
>>>> the OP to
>>>> upgrade to AD.
>>>>
>>>> Rowland
>>>>
>> Thanks to both, but at the end which is the best way to reconfigure my
>> server without loose all my Windows machines?
>> If I put security = domain I'm unable to login.
>> security = ADS require kerberos and a lot of work, and at the end I'm
>> not sure that all my windows machines will works fine.
>>
>> In my laboratory there are many windows 10 machines, the server shares
>> a lot of folders and I can't afford not to let a lot of people work to
>> do my tests.
>>
>> I'm a bit confusing
>
> The first thing I would do, start winbind if it isn't already running.
>
> If you run an NT4-style PDC, then any Linux clients need to use
> 'security = domain' and run winbind, Louis says this is also required on
> the PDC, but I am not entirely sure this is correct, I don't remember
> doing this.
>
> You only use 'security = ADS' on a Unix computer joined to an AD domain
> and adding it to a Unix client joined to an NT4-style domain will not
> make it an AD client.
>
> If you only have Windows clients then I suggest you upgrade to AD, which
> your Windows 10 machines will work better with.
>
> It is normal to set up a sandboxed network to test the upgrade, this way
> you can find and fix any problems before you do it for real on your
> production network.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba