[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Alex samba at abisoft.biz
Wed Dec 22 17:25:48 UTC 2021


>> > >     idmap config * : backend = tdb
>> > >     idmap config * : range = 16777216-33554431
>> > Is there some reason for that range ? It will allow you 16777215
>> > users & groups for something that requires only about 200.
>> 
>> I think it's a legacy. Don't remember why it's here. I'll try to
>> remove it.

> You are probably stuck with it.

Anyway, they don't seem to correlate with the current issue, right?

>> 
>> > >     idmap config DOMAIN:unix_primary_group = yes
>> > Do your users have gidNumber attributes?
>> 
>> Yes, they do. This came from MS Services for Unix.

> Have you actually checked? MS-SFU didn't add a gidNumber attribute to
> users, unless you told it to.

Yes, of course. Here is a sample AD user entry: https://paste.ee/p/7X6N0

>> > >    winbind use default domain = true
>> > >    winbind offline logon = false
>> > >    winbind enum users = Yes
>> > >    winbind enum groups = Yes
>> > You do not need the 'enum' lines, it works without them.
>> 
>> There was an issue w/o the enum lines. Unfortunately, I don't
>> remember exactly what it was, probably couldn't retrieve groups from
>> the AD with "getent group" command.

> Adding those lines would not fix such a problem, either it would work
> or it wouldn't. All those lines do is to get 'getent user' to display
> all users and 'getent group' to display all groups, along with slowing
> everything down.

So, I was right :) I don't see any slowness, actually. Everything worked pretty well before this update came.

>> 
>> > > [username]
>> > >         comment = username's home
>> > >         path = /home/username
>> > >         read only = No
>> > >         create mode = 0660
>> > >         valid users = username
>> > As noted above, why are you not using '[homes]' ?
>> 
>> It's b/c most users are prohibited from using this server. So, I
>> allowed homes on this server for just a few of them directly.

> So does that mean you have multiple '[username]' shares in smb.conf ?

Yeah, just like this one. I skipped them for the sake of the letter's size.

>> I did both of those (changed min uid to 0 and set a user.map file) -
>> still can't log in :(

> This is very strange, I am using Samba 4.15.3 with this smb.conf and I
> can log in:

[skip]

Any ideas what to do?

-- 
Best regards,
Alex



