[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share

Rowland Penny rpenny at samba.org
Thu Feb 9 18:49:21 UTC 2023 


On 09/02/2023 18:09, John Adamski (Work Account) via samba wrote:
> Our ERP server was on SLES 11.4 and we upgraded to SLES 15.4 last September and have had a problem since with Samba shares on the SLES server accessed by windows desktops. Can't authenticate not translating the Windows side user to Linux side user. Not exactly sure if windows GUID to UID or username to username .  It seems the translations that use to take place with username not happing anymore and I never figured out why.
> 
> The upgrade process was migrate from 11.4 to 15.1 and then to 15.4 as a migration, SLES didn't have a direct path from 11.4 to 15.4.  For the most part the upgrade of the OS went ok.
> 
> We had been using the samba shares for years without problems until upgrading to 15.4.  I had an open case with SUSE shortly after the upgrade but they basically said its not a break-fix  but a configuration problem and they couldn't help.  Did offer an outrageous priced consulting option.  I did get from the SUSE "expert" that looked at the case when we disagreed with them not helping, and he said 15.4 Samba was a major rewrite and that is probably why we are having problems.  But still agreed a consulting problem not support problem.
> 
>   We paid a local VR that had a RHEL expert, but he could figure out why not working and said SUSE seemed to be very different then other Linux he worked on.  Also posted on SUSE forum, no help there.  So trying Samba forum.
> 
> The ERP requires local Linux user accounts and local group for security so can't get this from AD.

Yes you can.

   When SUSE had me try SSSD the SLES server could see and get 
information from AD and users now had local and AD groups which caused a 
big mess.  Even though the server could get AD information still could 
authenticate to mount the shares. I undid all those changes.  I'm just 
trying to get a simple and easy to maintain configuration so PC can 
mount a SLES home directory and transfer files back and forth.
> 
> As I understand how worked on 11.4 was using Samba and winbind, PAM and Kerberos might have been in the mix I can't remember.
> 
> Here are the specs for the server and domain controllers in the network, the windows PC are all win10 21H2 or 22H2.  I've and so many changes over the last months not sure what is what any more.
> 

> -=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-

In my opinion this is where your problems start

> 
>   cat smb.conf
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2015-05-01
> [global]
>          workgroup = GRACELAND
> #kerberos method = secrets and keytab
> password server = xxxxxx.graceland.edu

You should not set the password server. let Samba find the best DC

>          realm = GRACELAND.EDU
>          security = ADS
>          netbios name = nova
>          usershare allow guests = No> John David Adamski
> Sr. Sysadmin/DBA
> Graceland University
> 
>          wins support = No
> #debug level = 7
> #enable core files = yes
> #username map script = /bin/echo
> #username map script = /etc/samba/StripDomainName.sh

I take it that is to remove 'GRACELAND\' from the user names, if so, 
what is wrong with 'winbind use default domain = yes' ?

You should be using the username map to map Administrator to root.

>          idmap config * : backend = tdb
>          idmap config * : range = 10000-199999

Okay, but I wouldn't have use that range

> idmap config GRACELAND:unix_nss_info = yes

Only used with the 'ad' idmap backend

>          idmap config GRACELAND : backend = tdb

Here is the biggy, the 'tdb' idmap shouldn't be used for the main 
domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends

> #idmap config SAMDOM:schema_mode = rfc2307

Again only used with the 'ad' idmap backend

>          idmap config GRACELAND : range = 200000-2000200000

>          ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
>          ldap group suffix = ou=Groups
>          ldap idmap suffix = ou=Idmap
>          ldap machine suffix = ou=Machines
>          ldap passwd sync = Yes
>          ldap suffix = dc=graceland,dc=edu
>          ldap user suffix = ou=Users
>          ldap ssl = off

This is a Unix domain member 'security = ADS' says that, so you 
shouldn't have the 'ldap' lines, they will do nothing other than 
potentially messing things up.

> #passdb backend = tdbsam
>          allow insecure wide links = yes
>          client ipc signing = auto
>          wins server =
> 
> [homes]
>          comment = Home Directories
>          valid users = %S
>          browseable = no
>          read only = no
>          inherit acls = yes
>          follow symlinks = yes
>          wide links = yes
> 
> [tmp]
>          comment = Temporary file space
>          inherit acls = Yes
>          path = /tmp
>          read only = No
> 
> 
> -=-=-=-=-=-=-=-=-=-=- resolv.conf -=-=-=-=-=-=-=-=-=-=-
> 
> ### /etc/resolv.conf is a symlink to /run/netconfig/resolv.conf
> ### autogenerated by netconfig!
> #
> # Before you change this file manually, consider to define the
> # static DNS configuration using the following variables in the
> # /etc/sysconfig/network/config file:
> #     NETCONFIG_DNS_STATIC_SEARCHLIST
> #     NETCONFIG_DNS_STATIC_SERVERS
> #     NETCONFIG_DNS_FORWARDER
> # or disable DNS configuration updates via netconfig by setting:
> #     NETCONFIG_DNS_POLICY=''
> #
> # See also the netconfig(8) manual page and other documentation.
> #
> ### Call "netconfig update -f" to force adjusting of /etc/resolv.conf.
> ####
> #### GU deleted symbolic link to /var/run/netconfig/resolv.conf and hardcoded
> ####
> domain graceland.edu
> search graceland.edu
> nameserver xxx.xxx.xxx.xxx
> nameserver xxx.xxx.xxx.xxx

I take it that the first nameserver is a DC

> 
> 
> -=-=-=-=-=-=-=-=-=-=- krb5.conf -=-=-=-=-=-=-=-=-=-=-
> 
> 
> cat krb5.conf
> [libdefaults]
>      default_realm = GRACELAND.EDU
>      clockskew = 500
> #   dns_lookup_realm = true
> #   dns_lookup_kdc = true
> #   forwardable = true
> #   default_ccache_name = FILE:/tmp/krb5cc_%{uid}
> #   default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
> #   default_tgs_enctypes = aes128-cts-hmac-sha1-96  rc4-hmac
> #   permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
> #   proxiable = false
> #   noaddresses = false
> #   allow_weak_crypto = false
> 
> [domain_realm]
>      .graceland.edu = GRACELAND.EDU
>      graceland.edu = GRACELAND.EDU
> 
> [logging]
>      kdc = FILE:/var/log/krb5/krb5kdc.log
>      admin_server = FILE:/var/log/krb5/kadmind.log
>      default = SYSLOG:NOTICE:DAEMON
> 
> [realms]
>      GRACELAND.EDU = {
>          default_domain = graceland.edu
>          admin_server = xxxxxx.graceland.edu
>          kdc = xxxxxx.graceland.edu
>      }
> 
> [appdefaults]
> pam = {
>          ticket_lifetime = 1d
>          renew_lifetime = 1d
>          forwardable = true
>          proxiable = false
>          minimum_uid = 1
>          external = sshd
>          use_shmem = sshd
> 
> -=-=-=-=-=-=-=-=-=-=- idmap.conf -=-=-=-=-=-=-=-=-=-=-

Nothing to do with Samba, it is for NFS

> [General]
> 
> Verbosity = 0
> Pipefs-Directory = /var/lib/nfs/rpc_pipefs
> Domain = localdomain
> 
> [Mapping]
> 
> Nobody-User = nobody
> Nobody-Group = nobody
> 
> 

Rowland

More information about the samba mailing list