[Samba] Upgrade from 4.11.6 to 4.12.2 created authentication issues

James Atwell james.atwell365 at gmail.com
Sun May 17 22:03:32 UTC 2020


On 5/17/2020 5:17 PM, Rowland penny via samba wrote:
> On 17/05/2020 21:54, James Atwell wrote:
>> I assume it's trying to create a tmp krb5.conf because the user I'm 
>> logged into the domain member isn't a domain user? The tmp krb5.conf 
>> never gets created even if I run as sudo. etc/krb5.conf does exist 
>> though.
>
> You are logging into a domain joined machine as a local user and then 
> wonder why you are having problems?
>
> Unless the user is root, there is a line like this in the smb.conf 
> 'username map = /etc/samba/user.map' and the 'user.map' contains 
> '!root = DOMAIN\Administrator', where 'DOMAIN' is your netbios domain.
>
>>
>> I'm not tied to Ubuntu or Ubuntu 16.04 or 18.04.
>
> It should work on 16.04, try sorting the above problem out first.
>
> Rowland
>
>
>
Funny how you read what you are doing wrong and it makes sense ;)

I added the line in my smb.conf and created the user.map file. Same 
issue as before.

This is my smb.conf from the domain member.

[global]
         security = ADS
         workgroup = SAMBA
         realm = SAMBA.LOCAL

         log file = /var/log/samba/%m.log
         log level = 1

         # Default ID mapping configuration for local BUILTIN accounts
         # and groups on a domain member. The default (*) domain:
         # - must not overlap with any domain ID mapping configuration!
         # - must use a read-write-enabled back end, such as tdb.
         # - Adding just this is not enough
         # - You must set a DOMAIN backend configuration, see below
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config CIMG : backend = rid
         idmap config CIMG : range = 10000-999999

         # Template settings for login shell and home directory
         winbind nss info = template
         template shell = /bin/bash
         template homedir = /home/%U
         username map = /etc/samba/user.map


root@osticket:~# net ads user info administrator -U administrator
Enter administrator's password:
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred.
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
gss_init_sec_context failed with [ Miscellaneous failure (see text): 
encryption type 3 not supported]
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An 
internal error occurred.

root@osticket:~# net ads info -U administrator
Enter administrator's password:
LDAP server: 172.16.232.29
LDAP server name: pfdc1.samba.local
Realm: SAMBA.LOCAL
Bind Path: dc=SAMBA,dc=LOCAL
LDAP port: 389
Server time: Sun, 17 May 2020 18:00:35 EDT
KDC server: 172.16.232.29
Server time offset: 0

-James
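
The comments in the posted smb.conf name two rules: the default (*) range must not overlap a domain range, and a DOMAIN backend configuration must be set. The following is an added example, not part of the original post and not Samba code, that checks both rules against the posted [global] section; `parse_global` and `check_idmap` are hypothetical helper names, and the check says nothing about the Kerberos error in the output above.

```python
import re

# Added example: hypothetical helpers, not Samba code.
# [global] section as posted in the message above (comments omitted).
POSTED_SMB_CONF = """\
[global]
    security = ADS
    workgroup = SAMBA
    realm = SAMBA.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CIMG : backend = rid
    idmap config CIMG : range = 10000-999999
"""

IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)

def parse_global(text):
    """Return (params, idmap); every line is treated as part of [global]."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_RE.match(key)
        if m:  # e.g. "idmap config CIMG : range" -> idmap["CIMG"]["range"]
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[key.lower()] = value
    return params, idmap

def check_idmap(text):
    """Apply the two rules from the posted comments; return a list of findings."""
    params, idmap = parse_global(text)
    findings = []
    workgroup = params.get("workgroup", "").upper()
    if workgroup and workgroup not in idmap:
        others = sorted(d for d in idmap if d != "*")
        findings.append(f"no idmap config for workgroup {workgroup} (found: {others})")
    ranges = []
    for domain, opts in idmap.items():
        if "range" in opts:
            low, high = (int(n) for n in opts["range"].split("-"))
            ranges.append((low, high, domain))
    ranges.sort()  # by lower bound, so an overlap shows up between neighbours
    for (_, hi_a, dom_a), (lo_b, _, dom_b) in zip(ranges, ranges[1:]):
        if lo_b <= hi_a:
            findings.append(f"idmap ranges of {dom_a} and {dom_b} overlap")
    return findings
```

On the posted configuration the ranges pass, and the only finding is that the domain section is named CIMG while the workgroup is SAMBA.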



