[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share

John Adamski (Work Account) adamski at graceland.edu
Thu Feb 9 18:09:48 UTC 2023

Our ERP server was on SLES 11.4 and we upgraded to SLES 15.4 last September and have had a problem since with Samba shares on the SLES server accessed by windows desktops. Can't authenticate not translating the Windows side user to Linux side user. Not exactly sure if windows GUID to UID or username to username .  It seems the translations that use to take place with username not happing anymore and I never figured out why.

The upgrade process was migrate from 11.4 to 15.1 and then to 15.4 as a migration, SLES didn't have a direct path from 11.4 to 15.4.  For the most part the upgrade of the OS went ok.  

We had been using the samba shares for years without problems until upgrading to 15.4.  I had an open case with SUSE shortly after the upgrade but they basically said its not a break-fix  but a configuration problem and they couldn't help.  Did offer an outrageous priced consulting option.  I did get from the SUSE "expert" that looked at the case when we disagreed with them not helping, and he said 15.4 Samba was a major rewrite and that is probably why we are having problems.  But still agreed a consulting problem not support problem.

 We paid a local VR that had a RHEL expert, but he could figure out why not working and said SUSE seemed to be very different then other Linux he worked on.  Also posted on SUSE forum, no help there.  So trying Samba forum.

The ERP requires local Linux user accounts and local group for security so can't get this from AD.  When SUSE had me try SSSD the SLES server could see and get information from AD and users now had local and AD groups which caused a big mess.  Even though the server could get AD information still could authenticate to mount the shares. I undid all those changes.  I'm just trying to get a simple and easy to maintain configuration so PC can mount a SLES home directory and transfer files back and forth. 

As I understand how worked on 11.4 was using Samba and winbind, PAM and Kerberos might have been in the mix I can't remember.

Here are the specs for the server and domain controllers in the network, the windows PC are all win10 21H2 or 22H2.  I've and so many changes over the last months not sure what is what any more.  

cat /etc/os-release

PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"

smbd -V
Version 4.15.8-git.527.8d0c05d313e150400.3.16.11-SUSE-oS15.0-x86_64

The DC's are Windows Server 2019 (version 1809 build 17763.3887)

from different opensuse server to SLES server I get this

smbclient -L //xxxxxx
Password for [WORKGROUP\xxxxxx]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        tmp             Disk      Temporary file space
        IPC$            IPC       IPC Service (Samba 4.15.8-git.527.8d0c05d313e150400.3.16.11-SUSE-oS15.0-x86_64)
SMB1 disabled -- no workgroup available

if I try to connect to one of the shares from the openSUSE server to the SLES server I get this:

smbclient //xxxxxx/tmp
Password for [WORKGROUP\xxxxxx]:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

if I try form windows to the SLES server I get this in the logs of the SLES:

from the /var/log/samba/log.smbd

[2023/02/08 14:51:37.411728,  0] ../../source3/auth/auth_util.c:1928(check_account)
  check_account: Failed to convert SID S-1-1-11-111111111-111111111-1111111111-11111 to a UID (dom_user[GRACELAND\xxxxxx])

from /var/log/warn

2023-02-08T14:51:37.412164-06:00 nova smbd[17655]: [2023/02/08 14:51:37.411728,  0] ../../source3/auth/auth_util.c:1928(check_account)
2023-02-08T14:51:37.412291-06:00 nova smbd[17655]:   check_account: Failed to convert SID S-1-1-11-111111111-111111111-1111111111-11111 to a UID (dom_user[GRACELAND\xxxxxx])

-=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-

 cat smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2015-05-01
        workgroup = GRACELAND
#kerberos method = secrets and keytab
password server = xxxxxx.graceland.edu
        realm = GRACELAND.EDU
        security = ADS
#follow symlinks = yes
#wide links = yes
#unix extensions = no
        netbios name = nova
#passdb backend = ldapsam:ldap://xxxxxx.graceland.edu
#log level = 10
        usershare allow guests = No
        wins support = No
#debug level = 7
#enable core files = yes
#username map script = /bin/echo
#username map script = /etc/samba/StripDomainName.sh
        idmap config * : backend = tdb
        idmap config * : range = 10000-199999
idmap config GRACELAND:unix_nss_info = yes
        idmap config GRACELAND : backend = tdb
#idmap config SAMDOM:schema_mode = rfc2307
        idmap config GRACELAND : range = 200000-2000200000
        ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = Yes
        ldap suffix = dc=graceland,dc=edu
        ldap user suffix = ou=Users
        ldap ssl = off
#passdb backend = tdbsam
        allow insecure wide links = yes
        client ipc signing = auto
        wins server =

        comment = Home Directories
        valid users = %S
        browseable = no
        read only = no
        inherit acls = yes
        follow symlinks = yes
        wide links = yes

        comment = Temporary file space
        inherit acls = Yes
        path = /tmp
        read only = No

-=-=-=-=-=-=-=-=-=-=- resolv.conf -=-=-=-=-=-=-=-=-=-=-

### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
### autogenerated by netconfig!
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# or disable DNS configuration updates via netconfig by setting:
# See also the netconfig(8) manual page and other documentation.
### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
#### GU deleted symbolic link to /var/run/netconfig/resolv.conf and hardcoded
domain graceland.edu
search graceland.edu
nameserver xxx.xxx.xxx.xxx
nameserver xxx.xxx.xxx.xxx

-=-=-=-=-=-=-=-=-=-=- krb5.conf -=-=-=-=-=-=-=-=-=-=-

cat krb5.conf
    default_realm = GRACELAND.EDU
    clockskew = 500
#   dns_lookup_realm = true
#   dns_lookup_kdc = true
#   forwardable = true
#   default_ccache_name = FILE:/tmp/krb5cc_%{uid}
#   default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
#   default_tgs_enctypes = aes128-cts-hmac-sha1-96  rc4-hmac
#   permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
#   proxiable = false
#   noaddresses = false
#   allow_weak_crypto = false

    .graceland.edu = GRACELAND.EDU
    graceland.edu = GRACELAND.EDU

    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

        default_domain = graceland.edu
        admin_server = xxxxxx.graceland.edu
        kdc = xxxxxx.graceland.edu

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        external = sshd
        use_shmem = sshd

-=-=-=-=-=-=-=-=-=-=- idmap.conf -=-=-=-=-=-=-=-=-=-=-

Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
Domain = localdomain


Nobody-User = nobody
Nobody-Group = nobody

John David Adamski
Sr. Sysadmin/DBA
Graceland University

More information about the samba mailing list