[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Alex samba at abisoft.biz
Wed Dec 22 16:34:20 UTC 2021


Hello Rowland,

Thank you for your prompt reply!

[skip]

>> 
>> smb.conf:
>> [global]
>>    workgroup = DOMAIN
>>    server string = vm-corp
>>    netbios name = VM-CORP
>>    realm = DOMAIN.BIZ
>>    security = ads
>>    template shell = /sbin/nologin

> So, your users never log into the server directly, just via Samba.

Most users don't. Some of those who are allowed to have a shell defined in the AD (loginShell attribute).

>>     idmap config * : backend = tdb
>>     idmap config * : range = 16777216-33554431

> Is there some reason for that range ? It will allow you 16777215 users
> & groups for something that requires only about 200.

I think it's a legacy. Don't remember why it's here. I'll try to remove it.

>>     idmap config DOMAIN:backend = ad
>>     idmap config DOMAIN:schema_mode = rfc2307
>>     idmap config DOMAIN:range = 400-999999

> Again why the strange range, do you have users & groups with uidNumber
> & gidNumber attributes that low ?

This is also a legacy thing. There are users in the AD with uidNumber starting from 400.

>>     idmap config DOMAIN:unix_primary_group = yes

> Do your users have gidNumber attributes.

Yes, they do. This came from MS Services for Unix.

>>     idmap config DOMAIN:unix_nss_info = yes

> This is interesting, you only need that if your users have a
> unixHomeDirectory attribute (at least), yet you are not using '[homes]'
> below.

Yes, they do have unixHomeDirectory attribute.

>>    winbind use default domain = true
>>    winbind offline logon = false
>>    winbind enum users = Yes
>>    winbind enum groups = Yes

> You do not need the 'enum' lines, it works without them.

There was an issue without the enum lines. Unfortunately, I don't remember exactly what it was; probably I couldn't retrieve groups from the AD with the "getent group" command.

>> [username]
>>         comment = username's home
>>         path = /home/username
>>         read only = No
>>         create mode = 0660
>>         valid users = username

> As noted above, why are you not using '[homes]' ?

It's because most users are prohibited from using this server. So, I allowed homes on this server for just a few of them directly.

>> 
>> I tried to create the username_map_script.sh and add the following
>> lines (as mentioned in 
>> https://bugzilla.samba.org/show_bug.cgi?id=14901):
>>     min domain uid = 500

> Try changing the '500' to '0'

>>     username map script = /etc/samba/username_map_script.sh

> Change that to:
> username map script = /etc/samba/user.map

> Create /etc/samba/user.map containing:
> !root = DOMAIN\Administrator

Assuming you meant "username map = /etc/samba/user.map" here. I did that both (changed min uid to 0 and set a user.map file) - still can't log in :(

-- 
Best regards,
Alexander Kolesnik
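Added example, not part of the thread and not Samba's own code: a small Python checker for the [global] settings discussed above (overlapping idmap ranges, a domain idmap range that starts below `min domain uid`, and a static map file handed to `username map script` instead of `username map`). The sample configuration is constructed from the settings quoted in the thread; the checker assumes Samba's documented default of `min domain uid = 1000` when the parameter is unset.

```python
import re

# Constructed sample mirroring the [global] settings quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 400-999999
   min domain uid = 500
   username map script = /etc/samba/user.map
"""

def parse_global(text):
    """Return {key: value} for [global]; keys lower-cased, 'a : b' normalised to 'a:b'."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
            settings[key] = value.strip()
    return settings

def idmap_ranges(settings):
    ranges = {}  # idmap domain ('*' or short domain name, lower-cased) -> (low, high)
    for key, value in settings.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges

def check(settings):
    """Return a list of problem strings (empty list means no findings)."""
    problems, ranges = [], idmap_ranges(settings)
    names = sorted(ranges)
    for i, a in enumerate(names):               # idmap ranges must not overlap
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for '{a}' and '{b}' overlap")
    min_uid = int(settings.get("min domain uid", "1000"))  # Samba's documented default
    for dom, (lo, _) in ranges.items():         # uidNumbers below min domain uid are refused
        if dom != "*" and lo < min_uid:
            problems.append(f"'{dom}' range starts at {lo} below 'min domain uid' {min_uid}")
    script = settings.get("username map script", "")
    if script.endswith(".map") and "username map" not in settings:
        problems.append("'username map script' points at a map file; use 'username map'")
    return problems
```

Running `check(parse_global(SAMPLE_SMB_CONF))` reports the two findings that match the advice in the thread; setting `min domain uid = 0` and `username map = /etc/samba/user.map` clears both.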



