Windows 10 login fails at Samba NT domain member

I have the following setup:

  • A Samba server PDC acting as the Primary Domain Controller of an NT domain MYDOMAIN (not Active Directory!)
  • A Windows 10 pro PC Win10 which is also a member of that domain
  • A (new) second Samba server MS1 which is supposed to be a member of that domain. It was added to that domain using the "/usr/bin/net join -U Administrator%Password" command and there was no error.
  • There are no Windows servers involved.
  • This is not a test installation but a production environment in a small company, so there are other Windows 10 PCs accessing PDC and simply changing the PDC configuration is not an option. (I'm what amounts to the network administrator for that company.)
  • Samba version on both servers is 4.7.6-Ubuntu

With a given domain user account MYUSER I can log on fine to Win10. From there I can also access all the shares of PDC.

But the problem is: I cannot access any shares of MS1.

Windows explorer shows a logon dialog for the share and when I supply MYUSER and the password (again) it says "Access is denied".

On the command line "net use \\MS1\ShareName" results in the error "The password is invalid for \\MS1\ShareName", followed by a prompt for username and password for MS1. Entering MYUSER and the password then results in "System error 5 has occurred. Access is denied."

In the log on MS1 for the IP of Win10 I find the following entry:

[2021/12/09 13:57:41.755023,  0] ../source3/auth/auth_util.c:1259(check_account)
  check_account: Failed to convert SID S-1-5-21-2503006329-1497337827-313999797-1274
  to a UID (dom_user[MYDOMAIN\MYUSER])

Google found no match for this error message.

testparm on MS1 gives me the following output:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[homes]"
NOTE: Service homes is flagged unavailable.
Processing section "[ShareName]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

I tried to add an entry for idmap range but it did not make any difference.

I also tried to add MYUSER as a Linux user on MS1 with the same password as in the domain. It did not make any difference.

I'm at a loss on how to investigate this further: which logs to look into and which configuration options to check.

Google turned up lots of hits but all of them were referring to an Active Directory installation. Unfortunately "simply" updating to ADS is not possible at the moment as that would possibly break other services.

Jiri B: After authenticating the user smbd needs to map the user to a local UID/GID, that is the purpose of identity mapping. Increase 'debug level = 10' and check for more details. grep `_Get_Pwnam` in smb log. If you see it fails in `check_account` function, then you most probably don't have working idmap, see idmap_<backend> man page (e.g. 'rid', 'ad', ...). See an example of failing idmap - https://gist.github.com/jirib/c5170a0ce75f28faef0943d481111375

Jiri B: Another question: what UID/GID should your MYDOMAIN\myuser have? An autogenerated one, an explicitly defined UID/GID, or should it be mapped to a local Linux account?

dummzeuch: @JiriB The original idea was to automatically also replicate the Linux users and use the same IDs. Unfortunately I have been taken off this project for now due to higher priority work, so it will take a while until I get back to this issue. I appreciate your input though. It might get a moot point because moving to AD now also became an option. I got a test installation (DC, SDC + MS) with AD running which seems to work for file serving, but there is still email to be considered.

Jiri B: Try to check SUSE KB article about various idmap backends pros/cons - https://www.suse.com/support/kb/doc/?id=000017458
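Jiri B's comments point at identity mapping as the missing piece. As an added illustration (not code from the question, the comments or the Samba project), the following Python model parses the idmap lines of a constructed smb.conf fragment and applies the algorithmic idmap_rid rule (UID = RID + low end of the domain range, per idmap_rid(8)) to the SID from the MS1 log; the range values are assumptions chosen for the example, and a configuration without a usable range yields None, the condition behind testparm's "idmap range not specified for domain '*'".

```python
import re

# Constructed smb.conf fragment (example values, not the asker's config): a default
# '*' domain plus an algorithmic 'rid' mapping for MYDOMAIN, as a winbind-based
# NT4 domain member needs.
SMB_CONF = """
[global]
   workgroup = MYDOMAIN
   security = domain
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 10000-999999
"""

# Matches 'idmap config <domain> : backend|range = <value>' lines.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Return {DOMAIN: {'backend': ..., 'low': ..., 'high': ...}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "backend":
            entry["backend"] = val.lower()
        else:
            low, high = val.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return domains


def rid_to_uid(sid, domains, domain_name):
    """Model idmap_rid: UID = RID + low end of the domain's range.
    Returns None when the domain (or the '*' fallback) has no rid range,
    i.e. the situation behind 'Failed to convert SID ... to a UID'."""
    entry = domains.get(domain_name.upper()) or domains.get("*")
    if not entry or entry.get("backend") != "rid" or "low" not in entry:
        return None  # no algorithmic mapping possible for this domain
    rid = int(sid.rsplit("-", 1)[1])  # last SID component is the RID
    uid = entry["low"] + rid
    return uid if entry["low"] <= uid <= entry["high"] else None
```

With the constructed ranges, the SID from the log (RID 1274) maps to UID 11274, while the asker's configuration (a '*' domain with no range) maps to nothing.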