[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share

Rowland Penny rpenny at samba.org
Thu Feb 9 20:38:18 UTC 2023 


On 09/02/2023 20:00, John Adamski (Work Account) wrote:
> Thanks for the reply. I have a question or two to clarify what you stated.
> 
> First the ranges in the idmap settings was what the SUSE tech that had the case suggested.  I just left them large after they closed the case.  I will try setting them back to normal range.

The problem is, if you change the ranges, you change file ownership, so 
by that guy changing them, they changed file ownership if any new files 
have been created.

> 
> Second the password server line has been include and excluded on different tries, I think was left in from last things the SUSE tech had me try.  I will comment out and see if that helps.
> 
> Now to my clarification question(s):
> 
> I don't understand these comments:
> 
>> idmap config GRACELAND:unix_nss_info = yes
> 
> Only used with the 'ad' idmap backend
> 
>>           idmap config GRACELAND : backend = tdb
> 
> Here is the biggy, the 'tdb' idmap shouldn't be used for the main domain, you should be using 'ad', 'rid', 'autorid' or 'nss' idmap backends
> 
> I am not sure which config lines you are talking about and what they should be instead. Can you clarify?
> 

There are various idmap backends:
You can read the documentation for each backend by entering 'man 
idmap-BACKEND' where 'BACKEND' can be:
tdb
ad
rid
autorid
nss
NOTE: there are others, but they are the main ones used.

tdb: This an allocating backend and is used for the default domain '*'

ad: This requires that users are given a UidNumber attribute containing 
a unique number in the DOMAIN range, Domain Users must also have a 
gidNumber attribute. Any group that you require to be visible to Unix 
must also have a gidNumber attribute. You can also use the other RFC2307 
attributes

rid: This calculates the Unix user and group ID's from the user or group 
RID using the low DOMAIN range set in smb.conf

autorid: works similar to 'rid' but is used for multiple domains.

nss: requires local users and groups to match AD user and groups

NOTE: 'DOMAIN' above refers to the worgroup name.

The 'idmap config' lines that I referred to only have relevance if you 
use the 'ad' idmap backend

You said:
The ERP requires local Linux user accounts and local group for security 
so can't get this from AD.

I don't know if you noticed my reply:

Yes you can

Properly set up, Samba makes AD users into local users.

If you accept that the output from 'getent passwd A_USERNAME' shows 
local users, then:

getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Means that 'rowland is a local user, right ?

Then what do you make of this:

rowland at devstation:~$ grep 'rowland' /etc/passwd
rowland at devstation:~$

Rowland is not in /etc/passwd

And

rowland at devstation:~$ wbinfo -u | grep rowland
rowland

wbinfo reads from AD, so 'rowland' only exists in AD, but is a local 
Unix user.

Any further questions etc, please ask.

Rowland

More information about the samba mailing list