[Samba] authentication problem

Tue Jan 21 14:44:32 UTC 2020

I would turn up your log level and look very closely at it. I had a similar
issue. For me it was a Kerberos issue, so when I switched to the IP
address, it fell back to NTLM and that's why it worked.

On Mon, Jan 20, 2020 at 10:29 AM Pisch Tamás via samba <
samba at lists.samba.org> wrote:

> One step forward. On the problematic clients, I can access the shares
> with \\ip_address\share_name format...
> I can ping srv8 from the problematic clients.
>
> Pisch Tamás <pischta at gmail.com> ezt írta (időpont: 2020. jan. 20., H,
> 10:52):
> >
> > > Not sysprepping is asking for problems.. Your computer SIDs are now
> the same.
> > Yes, I knew about the SID problem. I used NT4 style Samba, and I
> > didn't have problem with it. I use AD for 5 months. We have ~60 PCs
> > and laptops. We use Linux on some of them. I cloned them too.
> > I made a fresh install on a Windows client, and cloned it with
> > sysprep, but the same authentication problem appeared in 2-3 days. Any
> > other idea? I can connect to the sysvol on the DCs. Why DCs accept the
> > same clients?
> >
> > > Always sysprep, im currently rolling out new w10 pc's atm
> > Ok, I will, but I'm not satisfied with it. I use the local
> > Administrator account, and I make some customization in that, but with
> > sysprep, I have to create a user, and then enable the Administrator
> > account after the first login. Ok, maye I need to read some docs about
> > it...
> >
> > > Read: https://thesolving.com/server-room/when-and-how-to-use-sysprep/
> > >
> > > Tip, use this order to setup.
> > > - start a new computer, setup , at the first page the w10 install
> stops and is asking questions.
> > >  CTRL+SHIFT+F3, now it reboots and logs in as Administrator
> automaticly.
> > >  Configure the computer, install the needed software, everything you
> need/want.
> > >  ( NOTE, i only install/remove software, all other parts are done in
> GPO's. )
> > >  Cleanup the crap from W10.
> > >  runas Administrator Powershell:
> > >  and run : Get-AppxPackage -allusers | where-object {$_.name ?notlike
> "*store*"} | Remove-AppxPackage
> > >  the removed all crap apps, excludeing windows store ( adviced to keep
> that, can give problem to get it back )
> > >  run sysprep.
> > > - if you use fixed IP, first set the fixed IP, reboot
> > > - Change PC name, reboot
> > > - Add to domain, reboot
> > > Done, resulting in , alway correct DNS entries. ;-)
> > Thanks :)
> >
> > Pisch Tamás <pischta at gmail.com> ezt írta (időpont: 2020. jan. 10., P,
> 10:37):
> > >
> > > > You also have these lines:
> > > >
> > > > logon path = ""
> > > > name resolve order = lmhosts host bcast
> > > >
> > > > You should remove these, they have no place in an AD smb.conf
> > >
> > > The smb.conf manpage mention that:
> > > 'Disable the use of roaming profiles by setting the value of this
> > > parameter to the empty string. For example, logon path = "".'
> > > I don't want roaming profiles, so I thought I need this parameter. Is
> > > it enough if user profiles has empty Profile Path entries?
> > > "Disabling of all roaming profile use requires that the user account
> > > settings must also be blank."
> > > What does it mean exactly?
> > > name resolve order: I removed this settings from dcs. man offers wins
> > > bcast settings for security = ADS, and SRV8 has that setting.
> > >
> > > > Now we come to a line that you should add to all the smb.conf files:
> > > >
> > > > winbind refresh tickets = yes
> > > >
> > > > This will ensure that your kerberos tickets will be refreshed.
> > >
> > > For this, I need libpam-winbind, according to the manual.
> > > I've read that:
> > > "Note: For a DC you do not need libpam-winbind libnss-winbind
> > > libpam-krb5, unless you require AD users to login "
> > > I think, to login locally. I don't want them to login locally, so I
> > > thought I don't want these on DCs. Do I really need libpam-winbind,
> > > and 'winbind refresh tickets' on DCs?
> > > I set it up on SRV8 and DC3.
> > >
> > > I still have the auth problem. 1-2 months ago I reinstalled the
> > > computhers that had this problem, and after that the authentication
> > > problem disappeared, but I wouldn't like to do it frequently.
> > > Another question, but might be related to this problem.
> > > I usually reinstall computers from clone image file, but I don't use
> > > sysprep. What problem(s) can cause that?
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>