[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13

Rowland Penny rpenny at samba.org
Fri Aug 5 17:55:44 UTC 2022

On Fri, 2022-08-05 at 10:15 -0700, Curtis Spencer via samba wrote:
> > You didn't upgrade far enough, you need to (in my opinion) upgrade to
> > AD, Samba is working hard on removing SMBv1 and your setup requires it.
> > It was turned off by default at 4.11.0, so you could try adding these
> > lines to your smb.conf:
> > 
> > client min protocol = NT1
> > server min protocol = NT1
> > 
> > You may also have to add:
> > ntlm auth = yes
> > 
> > Also ensure that winbind is running.
> Thanks. I tried adding all three lines as well as just the first two. I
> restarted smbd and winbind each time and ensured they were both running.
> However, I still see this in `/var/log/samba/log.smbd` (the log is the same
> with and without `ntlm auth = yes`):

I didn't mention 'map untrusted to domain' because it doesn't matter
whether it has anything to do with the problem or not (I do not think
it has), it was removed and it is very unlikely to come back.

It has been quite some time since I had anything to do with an NT4-style
domain (which yours is for all intents and purposes), but I think you
need to add 'idmap config' lines, something like these:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999

Though you may need to use a different backend for the 'EXAMPLE' domain
('ad' for instance if you have uidNumber & gidNumber attributes). You
may also have to 'play' with the 'range' numbers.

I would highly recommend upgrading to AD, it is much simpler and is the
way forward, NT4-style domains are the past and will go away.
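
Added example, not part of the message above and not Samba project code: a small audit of the `[global]` settings suggested in this thread. It flags the lines that re-enable SMBv1 and NTLMv1 and checks that the `idmap config` ranges do not overlap, which Samba requires. The sample configuration is constructed from the lines quoted in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: the settings suggested in this thread in one [global] section.
SAMPLE_SMB_CONF = """\
[global]
    client min protocol = NT1
    server min protocol = NT1
    ntlm auth = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
"""

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """Return findings for legacy-protocol settings and overlapping idmap ranges."""
    p, findings = parse_global(text), []
    for key in ("clientminprotocol", "serverminprotocol"):
        if p.get(key, "").upper() in ("NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"):
            findings.append(f"{key}: SMBv1 permitted")
    if p.get("ntlmauth", "").lower() in ("yes", "true", "1", "ntlmv1-permitted"):
        findings.append("ntlmauth: NTLMv1 permitted")
    ranges = []
    for key, value in p.items():
        m = re.match(r"idmapconfig(.+):range$", key)
        if m:
            low, high = (int(n) for n in value.split("-"))
            ranges.append((low, high, m.group(1)))
    ranges.sort()  # after sorting by low bound, any overlap shows up between neighbours
    for (l1, h1, d1), (l2, h2, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"idmap ranges overlap: {d1} and {d2}")
    return findings
```

Running `audit()` on a copy of the live smb.conf after 'playing' with the range numbers shows whether the new ranges still stay clear of the default `*` range.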

