[Samba] After Suse Enterprise upgrade from 11.4 to 15.4 PCs fails authentication when trying to mount Samba share

Rowland Penny rpenny at samba.org
Fri Feb 10 18:43:15 UTC 2023



On 10/02/2023 18:22, John Adamski (Work Account) wrote:
> Rowland,
> 
> Thanks for the information, not sure I get it all.  Samba has never been my thing so I never tried to learn all there is.
> 
> I went back to a pre-upgrade backup copy of the smb.conf file as I was sure we didn't use the idmap and that was what the SUSE tech changed the config file to use.  We used ldap mostly in the past (SLES 11.4).
> 
> ***pre-upgrade***
> Smbd --version
> Version 3.6.3-94.34.1-3868-SUSE-CODE11-x86_64

That is a very old version

> 
> Smb.conf (only global section)
> 
> [global]
> 	workgroup = GRACELAND
> 	passdb backend = ldapsam:ldap://xxxxxx.graceland.edu
> 	map to guest = Bad User
> 	logon path = \\%L\profiles\.msprofile
> 	logon home = \\%L\%U\.9xprofile
> 	logon drive = P:
> 	usershare allow guests = No
> 	netbios name = xxxxxx
> 	wins support = No
> 	server string = Samba Server
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	ldap admin dn = CN=xxxxxx,CN=Users,DC=graceland,DC=edu
> 	ldap group suffix = ou=Groups
> 	ldap idmap suffix = ou=Idmap
> 	ldap machine suffix = ou=Machines
> 	ldap passwd sync = Yes
> 	ldap ssl = Off
> 	ldap suffix = dc=xxxxxx,dc=graceland,dc=edu
> 	ldap user suffix = ou=Users
> 	security = ADS
> 	realm = GRACELAND.EDU
> 	allow insecure wide links = yes
> 	client ipc signing = auto
> 	max protocol = smb2
> 	wins server =

If it wasn't for the 'security = ADS' and realm lines, I would have said 
that was for a member of an NT4-style domain, not an AD domain member.

> 
> 
> *** current production server ***
> smbd --version
> Version 4.15.8-git.527.8d0c05d313e150400.3.16.11-SUSE-oS15.0-x86_64  (our test/dev server on Version 4.15.13-git.591)
> 
> Smb.conf (only global section)
> 
> [global]
>          workgroup = GRACELAND
>          realm = GRACELAND.EDU
>          security = ADS
>          netbios name = xxxxxx
>          log level = 10
>          usershare allow guests = No
>          wins support = No
>          idmap config * : backend = tdb
>          idmap config * : range = 10000-199999
>          idmap config GRACELAND:unix_nss_info = yes
>          idmap config GRACELAND : backend = tdb
>          idmap config GRACELAND : base_rid = 0
>          idmap config GRACELAND : range = 10000-199999

You really need to use another idmap backend for the 'GRACELAND' 
backend; if unsure, use 'rid'.
You also need to use disparate ranges, they cannot be the same.

>          allow insecure wide links = yes
>          client ipc signing = auto
>          wins server =
>          winbind use default domain = true
> 
> 
> 
> I'm more familiar with ldap, and the SUSE tech didn't seem to like it or want to debug why the old config didn't work on the newer version. Hence the major rewrite of the smb.conf file.  Would it be better to keep plowing ahead with the current config using idmap or going back to ldap and figuring out why ldap stopped working with the upgrade?

Do not use ldap against an AD DC (I take it the DC is an AD DC).

> 
> The problem I had right after upgrading was when I tried to join the server to the domain and that's what I originally opened the call with SUSE about. Since I couldn't get the server on the domain samba didn't work.  I was thinking it was a Samba/Kerberos config problem, but SUSE went in their own direction.
> 
> This is the error when trying to join the domain  {I'm using the test/dev  right now}
> 
> net ads join -U administrator
> 
> Password for [GRACELAND\administrator]:
> fetch_ldap_pw: neither ldap secret retrieved!
> pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb
> pdb backend ldapsam:ldap://dc02.graceland.edu did not correctly init (error was NT_STATUS_NO_MEMORY)

That shows that it doesn't like the ldap lines, the totally unrequired 
lines on a Unix AD domain member.

Try this smb.conf:

[global]
         workgroup = GRACELAND
         realm = GRACELAND.EDU
         security = ADS
         log level = 10
         usershare allow guests = No
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config GRACELAND : backend = rid
         idmap config GRACELAND : range = 10000-199999
         allow insecure wide links = yes
         client ipc signing = auto
         winbind use default domain = yes

It is a start, there will be other lines to add after you have joined 
the AD domain.

Rowland

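A small checker for the two idmap mistakes Rowland calls out above (the 'tdb' backend used for the named GRACELAND domain, and the same range given to '*' and GRACELAND). This is an added example, not code from the thread or from the Samba project; it parses only the [global] section of an smb.conf, and the BROKEN and FIXED strings are constructed from the two configurations posted above.

```python
import itertools, re

# Constructed samples from the thread: the current production idmap lines and
# Rowland's replacement (only the idmap-relevant [global] keys are kept).
BROKEN = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 10000-199999
   idmap config GRACELAND : backend = tdb
   idmap config GRACELAND : range = 10000-199999
"""
FIXED = (BROKEN.replace("* : range = 10000-199999", "* : range = 3000-7999")
               .replace("GRACELAND : backend = tdb", "GRACELAND : backend = rid"))

def parse_global(text):
    """Return {key: value} for [global]; spaces around ':' are dropped so that
    'idmap config X : range' and 'idmap config X:range' normalize alike."""
    conf, in_global = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            conf[re.sub(r"\s*:\s*", ":", key.strip())] = value.strip()
    return conf

def idmap_domains(conf):
    """Map each idmap domain ('*' or a name) to its backend and (low, high) range."""
    domains = {}
    for key, value in conf.items():
        m = re.match(r"idmap config (\S+):(backend|range)$", key, re.I)
        if m:
            dom, what = m.groups()
            entry = domains.setdefault(dom, {"backend": None, "range": None})
            if what == "backend":
                entry["backend"] = value.lower()
            else:
                entry["range"] = tuple(int(x) for x in value.split("-"))
    return domains

def check_idmap(conf):
    """Findings for the two mistakes called out in the thread."""
    findings, domains = [], idmap_domains(conf)
    for dom, e in domains.items():
        if dom != "*" and e["backend"] == "tdb":
            findings.append(f"{dom}: 'tdb' is for the default '*' domain only; use 'rid'")
    for a, b in itertools.combinations(sorted(domains), 2):
        ra, rb = domains[a]["range"], domains[b]["range"]
        if ra and rb and ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"ranges for '{a}' {ra} and '{b}' {rb} overlap; use disjoint ranges")
    return findings
```

Samba's own `testparm` should still be run against the real file; this script looks only at the idmap keys.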

