[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share
John Adamski (Work Account)
adamski at graceland.edu
Thu Feb 9 20:00:15 UTC 2023
Thanks for the reply. I have a question or two to clarify what you stated.
First, the ranges in the idmap settings were what the SUSE tech that had the case suggested. I just left them large after they closed the case. I will try setting them back to a normal range.
Second, the password server line has been included and excluded on different tries; I think it was left in from the last things the SUSE tech had me try. I will comment it out and see if that helps.
Now to my clarification question(s):
I don't understand these comments:
> idmap config GRACELAND:unix_nss_info = yes
Only used with the 'ad' idmap backend
> idmap config GRACELAND : backend = tdb
Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends
I am not sure which config lines you are talking about and what they should be instead. Can you clarify?
John
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, February 9, 2023 12:49 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
> -=-=-=-=-=-=-=-=-=- SMB.CONF -=-=-=-=-=-=-=-=-=-=-
In my opinion this is where your problems start
>
> cat smb.conf
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2015-05-01
> [global]
> workgroup = GRACELAND
> #kerberos method = secrets and keytab
> password server = xxxxxx.graceland.edu
You should not set the password server. Let Samba find the best DC
> realm = GRACELAND.EDU
> security = ADS
> netbios name = nova
> usershare allow guests = No
> John David Adamski Sr.
> Sysadmin/DBA Graceland University
>
> wins support = No
> #debug level = 7
> #enable core files = yes
> #username map script = /bin/echo
> #username map script = /etc/samba/StripDomainName.sh
I take it that is to remove 'GRACELAND\' from the user names, if so, what is wrong with 'winbind use default domain = yes' ?
You should be using the username map to map Administrator to root.
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
Okay, but I wouldn't have used that range
> idmap config GRACELAND:unix_nss_info = yes
Only used with the 'ad' idmap backend
> idmap config GRACELAND : backend = tdb
Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends
> #idmap config SAMDOM:schema_mode = rfc2307
Again only used with the 'ad' idmap backend
> idmap config GRACELAND : range = 200000-2000200000
> ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = Yes
> ldap suffix = dc=graceland,dc=edu
> ldap user suffix = ou=Users
> ldap ssl = off
This is a Unix domain member, 'security = ADS' says that, so you shouldn't have the 'ldap' lines; they will do nothing other than potentially mess things up.
> #passdb backend = tdbsam
> allow insecure wide links = yes
> client ipc signing = auto
> wins server =
>
> [homes]
> comment = Home Directories
> valid users = %S
> browseable = no
> read only = no
> inherit acls = yes
> follow symlinks = yes
> wide links = yes
>
> [tmp]
> comment = Temporary file space
> inherit acls = Yes
> path = /tmp
> read only = No
>
>
Rowland
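The review comments in the reply above can be expressed as a small smb.conf check. This is an added example, not part of either message and not a Samba tool; `parse_global`, `review` and the trimmed `SAMPLE` config are constructed here, and the rules encode only the points raised in the reply.

```python
import re

# Constructed sample: a trimmed copy of the [global] lines quoted in the thread.
SAMPLE = """\
[global]
    workgroup = GRACELAND
    password server = xxxxxx.graceland.edu
    security = ADS
    idmap config GRACELAND:unix_nss_info = yes
    idmap config GRACELAND : backend = tdb
    #idmap config SAMDOM:schema_mode = rfc2307
    ldap suffix = dc=graceland,dc=edu
"""

DOMAIN_BACKENDS = {"ad", "rid", "autorid", "nss"}  # backends named in the reply
AD_ONLY = {"unix_nss_info", "schema_mode"}         # options the reply ties to 'ad'

def parse_global(text):
    """Return {normalized parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Fold case and spacing so 'X : backend' and 'X:backend' compare equal.
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def review(text):
    p = parse_global(text)
    workgroup = p.get("workgroup", "").lower()
    findings = []
    if "password server" in p:
        findings.append("password server is set; let Samba find the best DC")
    backend = p.get(f"idmap config {workgroup}:backend", "").lower()
    if backend not in DOMAIN_BACKENDS:
        findings.append(f"main domain {workgroup.upper()} uses idmap backend {backend or 'unset'!r}")
    for key in p:
        m = re.fullmatch(r"idmap config ([^:]+):(\w+)", key)
        if m and m[2] in AD_ONLY and p.get(f"idmap config {m[1]}:backend", "").lower() != "ad":
            findings.append(f"{key}: only used with the 'ad' backend")
    if p.get("security", "").lower() == "ads" and any(k.startswith("ldap ") for k in p):
        findings.append("ldap parameters set on a 'security = ADS' domain member")
    return findings
```

Calling `review(SAMPLE)` returns four findings, one for each comment in the reply that applies to the trimmed config.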