[Samba] authentication problem

Pisch Tamás pischta at gmail.com
Mon Jan 20 15:26:20 UTC 2020


One step forward. On the problematic clients, I can access the shares
with \\ip_address\share_name format...
I can ping srv8 from the problematic clients.

Pisch Tamás <pischta at gmail.com> wrote (on Mon, Jan 20, 2020, 10:52):
>
> > Not sysprepping is asking for problems.. Your computer SIDs are now the same.
> Yes, I knew about the SID problem. I used NT4 style Samba, and I
> didn't have a problem with it. I have used AD for 5 months. We have ~60 PCs
> and laptops. We use Linux on some of them. I cloned them too.
> I made a fresh install on a Windows client, and cloned it with
> sysprep, but the same authentication problem appeared in 2-3 days. Any
> other idea? I can connect to the sysvol on the DCs. Why do DCs accept the
> same clients?
>
> > Always sysprep, I'm currently rolling out new w10 pc's atm
> Ok, I will, but I'm not satisfied with it. I use the local
> Administrator account, and I make some customization in that, but with
> sysprep, I have to create a user, and then enable the Administrator
> account after the first login. Ok, maybe I need to read some docs about
> it...
>
> > Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/
> >
> > Tip, use this order to setup.
> > - start a new computer, setup , at the first page the w10 install stops and is asking questions.
> >  CTRL+SHIFT+F3, now it reboots and logs in as Administrator automatically.
> >  Configure the computer, install the needed software, everything you need/want.
> >  ( NOTE, i only install/remove software, all other parts are done in GPO's. )
> >  Cleanup the crap from W10.
> >  runas Administrator Powershell:
> >  and run : Get-AppxPackage -allusers | where-object {$_.name -notlike "*store*"} | Remove-AppxPackage
> >  this removes all crap apps, excluding windows store ( advised to keep that, can give problem to get it back )
> >  run sysprep.
> > - if you use fixed IP, first set the fixed IP, reboot
> > - Change PC name, reboot
> > - Add to domain, reboot
> > Done, resulting in , always correct DNS entries. ;-)
> Thanks :)
>
> Pisch Tamás <pischta at gmail.com> wrote (on Fri, Jan 10, 2020, 10:37):
> >
> > > You also have these lines:
> > >
> > > logon path = ""
> > > name resolve order = lmhosts host bcast
> > >
> > > You should remove these, they have no place in an AD smb.conf
> >
> > The smb.conf manpage mentions that:
> > 'Disable the use of roaming profiles by setting the value of this
> > parameter to the empty string. For example, logon path = "".'
> > I don't want roaming profiles, so I thought I need this parameter. Is
> > it enough if user profiles has empty Profile Path entries?
> > "Disabling of all roaming profile use requires that the user account
> > settings must also be blank."
> > What does it mean exactly?
> > name resolve order: I removed this setting from dcs. man offers wins
> > bcast settings for security = ADS, and SRV8 has that setting.
> >
> > > Now we come to a line that you should add to all the smb.conf files:
> > >
> > > winbind refresh tickets = yes
> > >
> > > This will ensure that your kerberos tickets will be refreshed.
> >
> > For this, I need libpam-winbind, according to the manual.
> > I've read that:
> > "Note: For a DC you do not need libpam-winbind libnss-winbind
> > libpam-krb5, unless you require AD users to login "
> > I think, to login locally. I don't want them to login locally, so I
> > thought I don't want these on DCs. Do I really need libpam-winbind,
> > and 'winbind refresh tickets' on DCs?
> > I set it up on SRV8 and DC3.
> >
> > I still have the auth problem. 1-2 months ago I reinstalled the
> > computers that had this problem, and after that the authentication
> > problem disappeared, but I wouldn't like to do it frequently.
> > Another question, but might be related to this problem.
> > I usually reinstall computers from clone image file, but I don't use
> > sysprep. What problem(s) can cause that?
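
An added example (not part of the thread and not Samba project code): a small Python check that encodes the smb.conf advice quoted above, flagging `logon path` and `name resolve order` in `[global]` and a missing `winbind refresh tickets = yes`. The function names and the sample file are constructed for illustration; the accepted boolean spellings are an assumption.

```python
import re

# Parameters the thread says have no place in an AD smb.conf,
# keyed by normalized name (assumption: only [global] is checked).
UNWANTED = {"logonpath": "logon path", "nameresolveorder": "name resolve order"}
# Parameter the thread says to add to every smb.conf.
REQUIRED_TRUE = "winbindrefreshtickets"
TRUE_VALUES = {"yes", "true", "on", "1"}  # assumed boolean spellings

def norm(name):
    """smb.conf section/parameter names ignore case and all whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized_name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # continuation onto next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' counts
            params[norm(name)] = value.strip()
    return params

def audit(text):
    """Return findings: parameters to remove first, then the one to add."""
    params = parse_global(text)
    hits = sorted(UNWANTED.keys() & params.keys())
    findings = [f"remove: {UNWANTED[p]}" for p in hits]
    if params.get(REQUIRED_TRUE, "").lower() not in TRUE_VALUES:
        findings.append("add: winbind refresh tickets = yes")
    return findings

# Constructed sample, not the poster's real configuration.
SAMPLE = """\
[global]
    security = ADS
    Logon Path = ""
    name resolve order = lmhosts host bcast
; winbind refresh tickets = yes
[share]
"""
```

`audit(SAMPLE)` reports both parameters to remove and, because the only `winbind refresh tickets` line is commented out, the one to add.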


