[Samba] authentication problem

L.P.H. van Belle belle at bazuin.nl
Fri Jan 10 10:19:44 UTC 2020


Not sysprepping is asking for problems.. Your computer SIDs are now the same.   
Always sysprep, im currently rolling out new w10 pc's atm 
Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/

Tip, use this order to setup.
- start a new computer, setup , at the first page the w10 install stops and is asking questions.
 CTRL+SHIFT+F3, now it reboots and logs in as Administrator automaticly.
 Configure the computer, install the needed software, everything you need/want. 
 ( NOTE, i only install/remove software, all other parts are done in GPO's. ) 
 Cleanup the crap from W10. 
 runas Administrator Powershell: 
 and run : Get-AppxPackage -allusers | where-object {$_.name ?notlike "*store*"} | Remove-AppxPackage 
 the removed all crap apps, excludeing windows store ( adviced to keep that, can give problem to get it back ) 
 run sysprep. 
- if you use fixed IP, first set the fixed IP, reboot
- Change PC name, reboot
- Add to domain, reboot 
Done, resulting in , alway correct DNS entries. ;-) 

Short version of how i setup my pc's. 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Pisch Tamás via samba
> Verzonden: vrijdag 10 januari 2020 10:38
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] authentication problem
> > You also have these lines:
> >
> > logon path = ""
> > name resolve order = lmhosts host bcast
> >
> > You should remove these, they have no place in an AD smb.conf
> The smb.conf manpage mention that:
> 'Disable the use of roaming profiles by setting the value of this
> parameter to the empty string. For example, logon path = "".'
> I don't want roaming profiles, so I thought I need this parameter. Is
> it enough if user profiles has empty Profile Path entries?
> "Disabling of all roaming profile use requires that the user account
> settings must also be blank."
> What does it mean exactly?
> name resolve order: I removed this settings from dcs. man offers wins
> bcast settings for security = ADS, and SRV8 has that setting.
> > Now we come to a line that you should add to all the smb.conf files:
> >
> > winbind refresh tickets = yes
> >
> > This will ensure that your kerberos tickets will be refreshed.
> For this, I need libpam-winbind, according to the manual.
> I've read that:
> "Note: For a DC you do not need libpam-winbind libnss-winbind
> libpam-krb5, unless you require AD users to login "
> I think, to login locally. I don't want them to login locally, so I
> thought I don't want these on DCs. Do I really need libpam-winbind,
> and 'winbind refresh tickets' on DCs?
> I set it up on SRV8 and DC3.

No, but what if you want to login.. 
The solution to this is very simple, create an group on AD and/or on linux, give it and GID (incase of AD group)
And add something like the lines below in sshd_config. 

# Allow groups ( samba/windows groups GID is a must ) 
AllowGroups ssh-allow-from-ad localAdminGroup 

> I still have the auth problem. 1-2 months ago I reinstalled the
> computhers that had this problem, and after that the authentication
> problem disappeared, but I wouldn't like to do it frequently.
> Another question, but might be related to this problem.
> I usually reinstall computers from clone image file, but I don't use
> sysprep. What problem(s) can cause that?
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list