[Samba] Authentication problems with AD after migration of Samba from 3.5 to 3.6
Rowland Penny
rpenny at samba.org
Fri Jan 15 18:27:24 UTC 2021
On 15/01/2021 15:58, Girouard, Yvon via samba wrote:
> Hi,
>
> We have updated Samba from 3.5 to 3.6 on 2 Linux RedHat 5.8 servers, both authenticating with AD.

Is there some reason why you upgraded to a dead version of Samba? On a
dead OS?

> On the first server everything is working as expected. On the second server, authentication with AD does not work. The OS version and configuration files are the same on both servers.
>
> Nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> hosts: files dns winbind

'winbind' should only be in the passwd & group lines.

> Smb.conf
> [global]
> workgroup = DOM
> realm = DOM.REG.QC.CA
> netbios name = SERVER123
> ldap timeout = 200
> local master = no
> preferred master = no
> server string = Samba Server Version %v
> security = ADS
> encrypt passwords = yes
> log level = 10
> log file = /var/log/samba/%m.log
> max log size = 102400
> template shell = /bin/false
> load printers = no
> show add printer wizard = no
> printcap name = /dev/null
> disable spoolss = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind expand groups = 3
> winbind separator = +
> idmap config * : backend = tdb
> idmap config * : range = 120000-199999
> idmap config DOM : range = 20000-99999

There appears to be a line missing: 'idmap config DOM : backend = rid'
Though the 'rid' part could be 'ad' if you have rfc2307 attributes in AD.

> max protocol = SMB2
> inherit acls = Yes
> store dos attributes = yes
> winbind cache time = 3600
> [sharefs]
> path = /sharefs
> browseable = yes
> writeable = yes
> inherit permissions = yes
> force group = images-rw
> create mask = 0664
> directory mask = 2775
> valid users = @shareauth, @shareadmin
> write list = @shareauth, @shareadmin
>
>
>
> Log on server that is not working
>
> [2020/12/21 18:10:52.084029, 10] auth/auth_builtin.c:44(check_guest_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.084583, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: guest had nothing to say
> [2020/12/21 18:10:52.085139, 10] auth/auth_sam.c:75(auth_samstrict_auth)
> Check auth for: [user86]
> [2020/12/21 18:10:52.085691, 8] lib/util.c:1521(is_myname)
> is_myname("DOM") returns 0
> [2020/12/21 18:10:52.086250, 6] auth/auth_sam.c:88(auth_samstrict_auth)
> check_samstrict_security: DOM is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2020/12/21 18:10:52.086809, 10] auth/auth.c:269(check_ntlm_password)
> check_ntlm_password: sam had nothing to say
> [2020/12/21 18:10:52.087364, 10] auth/auth_winbind.c:50(check_winbind_security)
> Check auth for: [user86]
> [2020/12/21 18:10:52.087977, 4] smbd/sec_ctx.c:214(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.088565, 4] smbd/uid.c:460(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.089129, 4] smbd/sec_ctx.c:314(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2020/12/21 18:10:52.089682, 5] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2020/12/21 18:10:52.090235, 5] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2020/12/21 18:10:52.154608, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2020/12/21 18:10:52.155917, 5] lib/username.c:171(Get_Pwnam_alloc)
> Finding user DOM+user86
> [2020/12/21 18:10:52.157044, 5] lib/username.c:116(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as lowercase is dom+user86
> [2020/12/21 18:10:52.159178, 5] lib/username.c:124(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as given is DOM+user86
> [2020/12/21 18:10:52.161287, 5] lib/username.c:134(Get_Pwnam_internals)
> Trying _Get_Pwnam(), username as uppercase is DOM+UDUBO86

Why did 'user86' change to 'UDUB086' ??????

Rowland
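
Added example, not part of the original message or of Samba itself: a small Python check for the two configuration points raised in the reply above (winbind listed on nsswitch.conf lines other than passwd and group, and an idmap domain that has a range but no backend). The function names are hypothetical and the sample input is constructed from the settings quoted in the thread.

```python
import re

# Constructed sample input: the settings quoted in the thread above.
NSSWITCH = """\
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns winbind
"""

SMB_CONF = """\
[global]
workgroup = DOM
idmap config * : backend = tdb
idmap config * : range = 120000-199999
idmap config DOM : range = 20000-99999
"""

WINBIND_OK = {"passwd", "group"}  # per the reply: winbind only on these lines
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.*)$", re.I)


def nsswitch_winbind_misuse(text):
    """Return nsswitch databases that list winbind but should not."""
    bad = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "winbind" in sources.split() and db.strip().lower() not in WINBIND_OK:
            bad.append(db.strip().lower())
    return bad


def idmap_domains_missing_backend(text):
    """Return idmap domains that have a range but no backend line."""
    seen = {}  # domain -> set of idmap option names configured for it
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            seen.setdefault(m.group(1).upper(), set()).add(m.group(2).lower())
    return sorted(d for d, opts in seen.items() if "range" in opts and "backend" not in opts)


if __name__ == "__main__":
    print("winbind on unexpected nsswitch lines:", nsswitch_winbind_misuse(NSSWITCH))
    print("idmap domains without a backend:", idmap_domains_missing_backend(SMB_CONF))
```

Running the same two functions against the files from both servers gives a quick way to confirm the configurations really are identical on these points.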