[Samba] Authentication failure after upgrade from 4.5.8 to 4.13.13

Rowland Penny rpenny at samba.org
Sat Aug 6 06:22:05 UTC 2022

On Fri, 2022-08-05 at 12:52 -0700, Curtis Spencer via samba wrote:
> > I didn't mention 'map untrusted to domain' because it doesn't
> > matter
> > whether it has anything to do with the problem or not (I do not
> > think
> > it has), it was removed and it is very unlikely to come back.
> Ok, thanks. I just noticed that when running `testparm` I wanted to
> check.
> I'm not entirely sure what that is doing or if it matters in this
> case.
> > It has been quite some time since I had anything to do with an NT4-
> > style
> > domain (which yours is for all intents and purposes), but I think
> > you
> > need to add 'idmap config' lines, something like these:
> > 
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config EXAMPLE : backend = rid
> > idmap config EXAMPLE : range = 10000-999999
> > 
> > Though you may need to use a different backend for the 'EXAMPLE'
> > domain
> > ('ad' for instance if you have uidNumber & gidNumber attributes).
> > You
> > may also have to 'play' with the 'range' numbers.
> Thanks. I tried adding these and tried different backends (replaced
> `rid`
> with `ad`) and changed the range numbers to `3000-5999` and `6000-
> 999999`,
> respectively to work with the UIDs of users in OpenLDAP (the UID of
> `test_user` is 6139) but was still unable to authenticate and am
> still
> getting the same error as before.
> > I would highly recommend upgrading to AD, it is much simpler and is
> > the
> > way forward, NT4-style domains are the past and will go away.
> Yes, we are planning to replace our OpenLDAP domain in the not too
> distant
> future. I was hoping to get Samba working in the interim.
> Any other things I can try or thoughts on how to find the underlying
> authentication issue?
> Thanks,
> Curtis

Before Samba 4.8.0, the smbd daemon could talk directly to AD (and
presumably a PDC), but from 4.8.0, smbd must now go via winbind if
'security' is set to either 'domain' or 'ADS'.
As I said, it has been quite some time since I used an NT4-style domain
member, but I would imagine that it will be similar to an AD domain
member. This means no local users with the same name as domain users
and the 'passwd' and 'group' lines in /etc/nsswitch.conf must use
'winbind' e.g.
passwd files winbind
group files winbind

You will also need the libpam-winbind and libnss-winbind packages

Sorry I cannot be much more help, but I haven't used an NT4-style
domain in years.
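The reply above lists two things a domain member needs once smbd goes via winbind: 'idmap config' lines with sane ranges, and 'winbind' on the passwd and group lines of /etc/nsswitch.conf. The script below is an added example (not from this thread or from Samba itself) that checks both from the text of smb.conf and nsswitch.conf. The two config fragments embedded in it are constructed for the demonstration; the second domain range was chosen to overlap the '*' range so the checker has something to report.

```python
import re

# Constructed smb.conf fragment (not from the thread). The EXAMPLE range
# deliberately overlaps the '*' range so check_member_config() flags it.
SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = domain
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 6000-999999
"""

# Constructed /etc/nsswitch.conf fragment with 'winbind' missing from 'group'.
NSSWITCH = """\
passwd: files winbind
group:  files
shadow: files
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(smb_conf):
    """Return {DOMAIN: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", val))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return domains


def parse_nsswitch(text):
    """Return {database: [sources...]} from nsswitch.conf text, ignoring comments."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = sources.split()
    return dbs


def security_mode(smb_conf):
    """Value of 'security =' in smb.conf, lower-cased; Samba's default is 'user'."""
    m = re.search(r"^\s*security\s*=\s*(\S+)", smb_conf, re.I | re.M)
    return m.group(1).lower() if m else "user"


def check_member_config(smb_conf, nsswitch_text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if security_mode(smb_conf) not in ("domain", "ads"):
        return findings  # standalone server: winbind/idmap rules do not apply
    idmap = parse_idmap(smb_conf)
    nss = parse_nsswitch(nsswitch_text)

    if "range" not in idmap.get("*", {}):
        findings.append("no 'idmap config * : range' line for the default domain")
    if not [d for d in idmap if d != "*"]:
        findings.append("no per-domain 'idmap config DOMAIN : ...' lines")
    for dom, cfg in idmap.items():
        if "backend" in cfg and "range" not in cfg:
            findings.append(f"domain {dom}: backend set but no range")
        lo, hi = cfg.get("range", (0, 1))
        if lo >= hi:
            findings.append(f"domain {dom}: range {lo}-{hi} is not ascending")

    # Every range must be disjoint from every other range.
    ranges = [(d, c["range"]) for d, c in idmap.items() if "range" in c]
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (d1, (a1, b1)), (d2, (a2, b2)) = ranges[i], ranges[j]
            if a1 <= b2 and a2 <= b1:
                findings.append(
                    f"ranges for {d1} ({a1}-{b1}) and {d2} ({a2}-{b2}) overlap")

    # smbd resolves domain users through winbind, so NSS must be able to as well.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch '{db}' line does not include winbind")
    return findings


if __name__ == "__main__":
    for finding in check_member_config(SMB_CONF, NSSWITCH) or ["no findings"]:
        print(finding)
```

On a real host, feed it the output of `testparm -s` (which prints the effective smb.conf) and the contents of /etc/nsswitch.conf; it reports overlapping or missing idmap ranges and a passwd/group line without winbind, the two things the reply above says to look at first.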

