# Updated Samba file share stopped recognizing domain user account
## Avery Freeman (Jul 11, 2018)

Hi,

So I have two file servers running FreeBSD, and they just stopped being accessible about a week ago.  The dreaded 'never-ending password entering' problem.

I thought it might be updates, so I upgraded one of them and left the other one the same.  The non-upgraded one is:

```
$ smbd --version
Version 4.7.6
$ freebsd-version
11.1-RELEASE-p10
```

The other is:

```
# smbd --version
Version 4.7.7
# freebsd-version
11.2-RELEASE
```

My `/usr/local/etc/smb4.conf` `[global]` section is practically the same for both of them, just the names are different.  Here's an example:

```
[global]
        netbios name = FEBMARCH
        security = ADS
        workgroup = WEBTOOL
        realm = WEBTOOL.SPACE
        client use spnego = yes
        client signing = yes
        server signing = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes

        log file = /var/log/samba4/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config WEBTOOL : backend = ad
        idmap config WEBTOOL : schema_mode = rfc2307
        idmap config WEBTOOL : range = 10000-999999
        idmap config WEBTOOL : unix_nss_info = yes
        idmap config WEBTOOL : unix_primary_group = yes

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind offline logon = yes
        ;winbind nested groups = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307
```

Testparm is good.  I tried commenting out any of the encryption or protocol-related settings in the first paragraph, or explicitly setting them to no, but it doesn't seem to make a difference.

My NTP is synced to the domain controllers and appears to be fine:

```
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   37   64  377    0.000    0.000   0.001
2012dc01.webtoo 23.131.160.7     3 u   44   64  377    0.463  -2099.8   8.328
2012dc02.webtoo .LOCL.           1 u    6   64  377    0.182  -2436.5   4.379
```
It's perplexing because it had been working great for months and nothing really changed.  I have a WS2012R2 AD environment - I even thought it might be updates on the domain controllers so I rolled them both back to a snapshot taken in May and turned off auto updates - still no access to samba shares.

Anyone have any ideas?

FWIW I can't seem to get Debian Stretch samba to work either.  OpenSUSE and Ubuntu 18.04 were no problem, though.  It's all very strange...

Thanks!

Edit:  Additionally, `wbinfo -u / -g` and `getent passwd / group` return domain users and groups without hesitation.

Edit edit:  I did manage to get on both of them by destroying the key and re-joining the domain, invoking (as root):

```
# kdestroy
# kinit
# net ads join -k
# net ads status
```

But the updated one no longer recognizes my domain user account - I had to access the share with administrator ... any ideas why that might be?
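As an added check (example code, not from the post or from Samba), a small Python parser for the `ntpq -p` output shown above: it reports which peer `ntpd` actually selected as its system peer (the `*` tally) and whether any peer's offset, which `ntpq` prints in milliseconds, already exceeds the default 300 s clock-skew tolerance that Kerberos enforces. The sample input is the post's own output re-typed as a constant; the extra `slowdc.example` peer in the usage line is constructed.

```python
import re

# Sample input: the ntpq -p output from the post above, re-typed as a constant.
NTPQ_OUT = """     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   37   64  377    0.000    0.000   0.001
2012dc01.webtoo 23.131.160.7     3 u   44   64  377    0.463  -2099.8   8.328
2012dc02.webtoo .LOCL.           1 u    6   64  377    0.182  -2436.5   4.379
"""

# MIT and Heimdal Kerberos reject tickets once clocks differ by more than
# clockskew, whose default is 300 seconds; ntpq reports offsets in milliseconds.
KRB5_MAX_SKEW_MS = 300 * 1000

# ntpq tally codes that may prefix the remote column.
TALLY_CHARS = "*+-#xo."


def parse_ntpq(output):
    """Return [(remote, tally, offset_ms)] for each peer line in `ntpq -p` output.

    Header and separator lines are skipped; a peer line has ten columns and a
    numeric stratum in the third column."""
    peers = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 10 or not parts[2].isdigit():
            continue
        tally = line[0] if line[0] in TALLY_CHARS else " "
        remote = parts[0].lstrip(TALLY_CHARS)
        peers.append((remote, tally, float(parts[8])))
    return peers


def system_peer(output):
    """The peer ntpd is actually disciplining the clock from ('*'), or None."""
    return next((r for r, t, _ in parse_ntpq(output) if t == "*"), None)


def synced_to_local_clock(output):
    """True when the selected peer is the undisciplined local clock driver."""
    peer = system_peer(output)
    return peer is not None and peer.startswith("LOCAL(")


def skewed_peers(output, max_ms=KRB5_MAX_SKEW_MS):
    """Peers whose offset already exceeds the Kerberos clock-skew limit."""
    return [r for r, _, off in parse_ntpq(output) if abs(off) > max_ms]


if __name__ == "__main__":
    print("system peer:", system_peer(NTPQ_OUT))
    print("synced to local clock:", synced_to_local_clock(NTPQ_OUT))
    print("peers beyond Kerberos skew:", skewed_peers(NTPQ_OUT))
```

In the sample, the `*` sits on `LOCAL(0)`, so the check reports that the host is following its own local clock rather than either domain controller, even though both DC offsets are well inside the 300 s limit.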
