One more followup. I looked into migrating my samba machines to bullseye. The config I had on buster works but with one change required. On bullseye machines I need to add this to the configuration

username map script = /etc/samba/usermap.sh

The usermap.sh works similarly to the script pasted in this bug:
https://bugzilla.samba.org/show_bug.cgi?id=14901
i.e. it converts a 'DOMAIN\someuser' string to 'someuser', depending on whether DOMAIN is an expected value or not. This is not required on buster, more on that below.

With the usermap script turned off I get this behaviour:

linux$ smbclient //bullseye/someshare
Unable to initialize messaging context
Enter DOMAIN\someuser's password:
Anonymous login successful
tree connect failed: NT_STATUS_ACCESS_DENIED

linux$ smbclient -U someuser //bullseye/someshare
Unable to initialize messaging context
Enter DOMAIN\someuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

linux$ smbclient -U DOMAIN\\someuser //bullseye/someshare
Unable to initialize messaging context
Enter DOMAIN\someuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

cmd> net use y: \\bullseye\someshare /user:someuser <pass>
System error 86 has occurred
The specified network password is not correct.

cmd> net use y: \\bullseye\someshare /user:DOMAIN\someuser <pass>
System error 86 has occurred
The specified network password is not correct.

With the usermap script turned on, the above tests work fine.

The upstream patch that makes the new log output I saw is here
https://gitlab.com/samba-team/samba/-/commit/0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e

Upstream merged it here
https://gitlab.com/samba-team/samba/-/merge_requests/2253/diffs?commit_id=2901af811a9b58a23178a9b5b23101c7e40b2cc4#4e051b3c8fb609985df5c571fff0f3c69ecb396a

However the buster version has this change in it, while bullseye does not.

$ git remote -v
origin https://salsa.debian.org/samba-team/samba.git (fetch)
origin https://salsa.debian.org/samba-team/samba.git (push)
$ git diff buster-security bullseye-security -- source3/auth/auth_util.c
... skip over a bunch of other changes ...
@@ -1881,32 +1898,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain , return NT_STATUS_NO_MEMORY; } - passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); - if (!passwd && !*username_was_mapped) { - struct dom_sid_buf buf; - uid_t uid; - bool ok; - - DBG_DEBUG("Failed to find authenticated user %s via " - "getpwnam(), fallback to sid_to_uid(%s).\n", - dom_user, dom_sid_str_buf(sid, &buf)); - - ok = sid_to_uid(sid, &uid); - if (!ok) { - DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n", - dom_sid_str_buf(sid, &buf), dom_user); - return NT_STATUS_NO_SUCH_USER; - } - passwd = getpwuid_alloc(mem_ctx, uid); - if (!passwd) { - DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n", - (long long)uid, - dom_sid_str_buf(sid, &buf), - dom_user); - return NT_STATUS_NO_SUCH_USER; - } - real_username = talloc_strdup(mem_ctx, passwd->pw_name); - } + passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true ); if (!passwd) { DEBUG(3, ("Failed to find authenticated user %s via " "getpwnam(), denying access.\n", dom_user));

I'm not sure why the difference. Neither the upstream_4.13 nor upstream_4.9 branches seem to have the patch (now) but seem to have other changes that have similar effect.

None of this is intended as a complaint of any kind, just observations in case someone else hits this problem.

Kind regards
Vince
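
Review bot: On the `+` side a failed smb_getpwnam() goes straight to the `if (!passwd)` branch, which reports the denial only through DEBUG(3, ...), while the removed fallback reported its failures with DBG_ERR and included the SID. A denied logon caused by a name that does not resolve is therefore much less visible in the logs; consider logging this branch at error level with the same detail the removed messages carried. The bare `true` that replaces `false` as the last argument (with a stray space before the parenthesis) also deserves a short comment saying what behaviour it switches on, since the call otherwise gives no hint of why the flag changed.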
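
An added example of a username map script of the kind described in the message above; it is not the usermap.sh from the message or the script attached to the linked bug. The expected domain value DOMAIN, the function name map_user, the allowed account-name characters and the choice to pass unexpected names through unchanged are all assumptions.

```shell
#!/bin/sh
# Hypothetical /etc/samba/usermap.sh (added example, not the reporter's script).
# Samba runs the script with the transmitted username as its single argument
# and reads the mapped name from one line on standard output.

EXPECTED_DOMAIN="DOMAIN"   # assumption: the only domain prefix that may be stripped

map_user() {
    name=$1
    case $name in
        *\\*)
            dom=${name%%\\*}     # text before the first backslash
            user=${name#*\\}     # text after the first backslash
            ;;
        *)
            # No domain prefix: pass the name through untouched.
            printf '%s\n' "$name"
            return 0
            ;;
    esac

    # Compare domains case-insensitively.
    dom_uc=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    exp_uc=$(printf '%s' "$EXPECTED_DOMAIN" | tr '[:lower:]' '[:upper:]')

    # Strip the prefix only when the remainder is a plain account name.
    # Anything else (empty, extra backslashes, spaces, shell metacharacters)
    # is returned unchanged so it cannot be mapped onto a local account.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            printf '%s\n' "$name"
            return 0
            ;;
    esac

    if [ "$dom_uc" = "$exp_uc" ]; then
        printf '%s\n' "$user"
    else
        printf '%s\n' "$name"
    fi
}

# Entry point when Samba invokes the script with exactly one argument.
if [ "$#" -eq 1 ]; then
    map_user "$1"
fi
```

The input is only ever compared and printed with printf '%s', never evaluated, so a crafted username cannot inject commands into the script.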

