[Samba] authentication problem

Rowland penny rpenny at samba.org
Thu Jan 9 09:55:43 UTC 2020


On 09/01/2020 07:41, Pisch Tamás via samba wrote:
> Hi,
>
> I have 4 Samba servers DC1, DC2, DC3, SRV8. DC3 is a domain controller and
> file server, SRV8 is a file server.
> Sometimes one/another computer cannot mount network shares from SRV8. We
> can log in on that computer, but when we try to mount a network share,
> Windows asks for credentials for the share, but doesn't accept them. When we log
> in with another user on the same computer, the result is the same. Same
> users can mount shares on other computers. On the computer which cannot
> mount shares from SRV8, I can mount shares from DC3.
> I restarted the Samba services on SRV8, and after that, I could mount
> shares on the computer that failed before. Next day I couldn't mount shares
> on it again, and the restart of the Samba services didn't help.
> Next try: I unjoined the computer from the domain, and joined it again: I
> could mount the shares again, but next day the problem came back. Today, I
> did the trick again, and I see the shares... I'm sure that it will
> fail again. What could be the problem?
>
> smb.conf on SRV8:
> [global]
> bind interfaces only = Yes
> dos charset = CP852
> interfaces = lo eth0
> log file = /var/log/samba/%m.log
> log level = 1 auth:5
> logon path = ""
> name resolve order = lmhosts host bcast
> realm = XYZ.XYZ.HU
> security = ADS
> template homedir = /home/%D/users/%U
> template shell = /bin/bash
> unix charset = UTF8
> username map = /etc/samba/user.map
> workgroup = XYZ
> idmap config perczel : range = 10000-999999
> idmap config perczel : backend = rid
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> csc policy = disable
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [example]
> path = /home/xyz/example
> read only = No
>
> smb.conf on DCs:
> [global]
> bind interfaces only = Yes
> dns forwarder = 208.67.220.220
> interfaces = lo eth0
> logon home = \\srv8\users\%U
> logon path = ""
> name resolve order = lmhosts host bcast
> netbios name = DC1
> realm = XYZ.XYZ.HU
> server role = active directory domain controller
> template shell = /bin/bash
> workgroup = XYZ
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/xyz.xyz.hu/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Samba version: 4.10.11 on Debian Buster

OK, I take it you missed this:

idmap config perczel : backend = rid

If your workgroup isn't 'PERCZEL' then change it in the 'idmap config' lines.

There are a couple of default lines in SRV8:

unix charset = UTF8
store dos attributes = Yes

You can remove these.

You also have these lines:

logon path = ""
name resolve order = lmhosts host bcast

You should remove these; they have no place in an AD smb.conf.

You should also remove these lines from the DCs (for the same reason):

logon home = \\srv8\users\%U
logon path = ""
name resolve order = lmhosts host bcast

Now we come to a line that you should add to all the smb.conf files:

winbind refresh tickets = yes

This will ensure that your Kerberos tickets will be refreshed.

Rowland
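As an added illustration (not part of the thread or of Samba itself), a small Python check that applies the three points from the reply above to the [global] section of an smb.conf: the idmap config domain must match the workgroup, NT4-style logon/name-resolution parameters do not belong in an AD configuration, and 'winbind refresh tickets = yes' should be present. The sample configuration is constructed from the SRV8 smb.conf quoted above, and the parser is a minimal hand-rolled reader, not Samba's own.

```python
import re
from typing import Dict, List

# Constructed sample based on the SRV8 smb.conf in the thread: the idmap domain
# ('perczel') does not match the workgroup, and NT4-style parameters are present.
SRV8_CONF = """
[global]
workgroup = XYZ
security = ADS
logon path = ""
name resolve order = lmhosts host bcast
idmap config perczel : range = 10000-999999
idmap config perczel : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
"""

# Parameters that only make sense in an NT4-style domain, not in AD.
NT4_ONLY = {"logon path", "logon home", "name resolve order"}

def parse_global(text: str) -> Dict[str, str]:
    """Minimal smb.conf reader: [global] parameters, keys lower-cased, comments stripped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # normalise 'idmap config  DOM :  backend' style keys to single spaces
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_ad_member(params: Dict[str, str]) -> List[str]:
    """Apply the checks from the reply; returns one finding per problem found."""
    findings: List[str] = []
    workgroup = params.get("workgroup", "").lower()
    # domains named in 'idmap config <DOMAIN> : ...' lines, excluding the '*' default
    domains = {m.group(1) for k in params
               if (m := re.match(r"idmap config (\S+) :", k)) and m.group(1) != "*"}
    for dom in sorted(domains):
        if dom != workgroup:
            findings.append(f"idmap config domain '{dom}' != workgroup '{workgroup}'")
    for key in sorted(NT4_ONLY & params.keys()):
        findings.append(f"'{key}' is NT4-only; remove it from an AD smb.conf")
    if params.get("winbind refresh tickets", "no").lower() != "yes":
        findings.append("add 'winbind refresh tickets = yes' so Kerberos tickets renew")
    return findings
```

Running `lint_ad_member(parse_global(SRV8_CONF))` reports all four problems; a configuration whose idmap domain matches the workgroup, with the NT4 lines removed and the winbind line added, returns an empty list.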
