[Samba] Samba 3.6 member server auth problems after DC upgrade 2012 R2 -> 2019

Pim Zandbergen pim at zandbergen.org
Thu Oct 29 17:13:40 UTC 2020

I have this old CentOS 6 server running Samba 3.6 as a member server
in a domain with two Windows Server 2012 R2 DCs.

Through a series of promotions and demotions, the DCs were replaced
with Windows Server 2019 DCs.

Although I expected problems to arise from that, this has been working
fine for months, until the Samba server was reset by the server's
watchdog card.

Suddenly, clients would no longer be able to authenticate to the Samba
server. "getent passwd" would only list local users.
Users could no longer ssh to the samba server using AD credentials.

Yet, "net ads testjoin" would report the AD join is OK.
And "wbinfo -u" would successfully list all AD users.
No messages were logged in /var/log/samba/* that indicated an error.

Normal operation would resume after reintroducing a third DC running
2012 R2, and having Samba explicitly use that DC with
"password server = the2012r2dc".

I am assuming that Windows Server 2019 security needs to be
compromised to accommodate a Samba 3.6 member server, probably some
Kerberos parameter. I would prefer to do that, and demote the 2012 R2
DC, until I can replace/update the Samba 3.6 server.

What would I need to change in the Server 2019 security settings to make
this work?


# [global] header restored; the section name was missing from the posted copy
[global]
workgroup                  = EXAMPLE
realm                      = EXAMPLE.COM
security                   = ads
server string              = CentOS 6 - Samba %v
printing                   = cups
printcap name              = cups
load printers              = yes
socket options             = TCP_NODELAY
dns proxy                  = no
time server                = yes
encrypt passwords          = yes
disable netbios            = yes
smb ports                  = 445
idmap config * : backend   = rid
idmap config * : range     = 200000-299999
template homedir           = /home/%U
template shell             = /bin/bash
winbind use default domain = yes
winbind offline logon      = false
follow symlinks            = yes
wide links                 = yes
unix extensions            = no
max protocol               = SMB2
server signing             = auto

# share header was missing from the posted copy; [homes] is assumed from the comment below
[homes]
comment             = Home Directories
browseable          = no
writable            = yes
guest ok            = no


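The symptom combination above (join OK, "wbinfo -u" OK, "getent passwd" showing only local users) separates three layers: "net ads testjoin" checks the machine account, "wbinfo -u" asks winbindd directly and needs no uid mapping, while "getent passwd" goes through the NSS winbind module and then idmap to produce uids. The script below is an added example, not code from the original post or from the Samba project; it encodes that ordering as a small triage function, plus two checks a practitioner would run on the member server: whether nsswitch.conf names winbind on its passwd line, and whether any passwd entry falls inside the idmap range from the posted smb.conf (200000-299999). The sample nsswitch and passwd lines are constructed; the `--live` mode assumes net, wbinfo and getent are on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): triage the three layers behind
# "getent passwd" on a Samba AD member server.

# nss_has_winbind FILE: does the passwd: line of the given nsswitch.conf
# list the winbind NSS module?
nss_has_winbind() {
    grep -E '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# getent_has_domain_users LOW HIGH: reads passwd-format lines on stdin and
# succeeds if any uid (field 3) lies inside the idmap range LOW..HIGH.
getent_has_domain_users() {
    awk -F: -v lo="$1" -v hi="$2" \
        '$3+0 >= lo && $3+0 <= hi { found = 1 } END { exit found ? 0 : 1 }'
}

# diagnose JOIN WBINFO GETENT: each argument is "ok" or "fail".
# Prints the first layer to look at, in the order the lookups depend on:
# join -> winbindd -> NSS/idmap.
diagnose() {
    case "$1:$2:$3" in
        fail:*:*)   echo "join: machine account not trusted; check Kerberos/DNS and rejoin" ;;
        ok:fail:*)  echo "winbindd: cannot enumerate the domain; check winbindd is running and reaches a DC" ;;
        ok:ok:fail) echo "nss/idmap: winbindd answers but NSS returns no domain users; check nsswitch.conf, libnss_winbind and the idmap range" ;;
        ok:ok:ok)   echo "all layers answer" ;;
        *)          echo "usage: diagnose ok|fail ok|fail ok|fail" >&2; return 2 ;;
    esac
}

# status_of CMD...: "ok" if the command exits 0, otherwise "fail".
status_of() { "$@" >/dev/null 2>&1 && echo ok || echo fail; }

# Live mode (assumes Samba tools on PATH): run the real commands and triage.
if [ "${1:-}" = "--live" ]; then
    join=$(status_of net ads testjoin)
    wb=$(status_of wbinfo -u)
    if getent passwd | getent_has_domain_users 200000 299999; then ge=ok; else ge=fail; fi
    diagnose "$join" "$wb" "$ge"
    nss_has_winbind /etc/nsswitch.conf || echo "nsswitch.conf: passwd line does not list winbind"
fi
```

Run it as `sh triage.sh --live` on the member server; the poster's case (join OK, wbinfo OK, getent without domain users) lands on the nss/idmap branch, which is where the checks should start rather than on the DCs.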