About two months ago I upgraded our production ERP server from SLES 11.4 to SLES 15.4 and for the most part things went ok. One of the last remaining open problems is that since the upgrade users haven’t been able to map their Linux home directory to their Windows PC. Prior to the upgrade we didn’t have any problems mapping the Linux home directory in Windows. Shortly before the ERP server was upgraded all the Windows Domain Controllers were upgraded from w2k12r2 to w2k19. The old SLES 11.4 still worked, but the ERP test server that was on SLES 15.2 stopped working. I know w2k19 made changes on how Windows DCs interact with Linux/Unix. I do not understand the changes but am guessing that these changes and the changes in 15.4 combined have caused us not to get the local Linux home directory to map to the Windows PC.
The samba shares give the following error in /var/log/warn when I try to get to my Linux home directory from my PC after I enter username and password to authenticate.
2022-12-06T09:34:10.602376-06:00 echo smbd[26761]: [2022/12/06 09:34:10.601846, 0, pid=26761, effective(0, 0), real(0, 0), class=auth] …/…/source3/auth/auth_util.c:1928(check_account)
2022-12-06T09:34:10.602510-06:00 echo smbd[26761]: check_account: Failed to convert SID S-1-5-21-152988233-385876754-1545874412-12524 to a UID (dom_user[GRACELAND\adamski])
2022-12-06T09:34:10.656229-06:00 echo smbd[26762]: [2022/12/06 09:34:10.655725, 0, pid=26762, effective(0, 0), real(0, 0), class=auth] …/…/source3/auth/auth_util.c:1928(check_account)
2022-12-06T09:34:10.656366-06:00 echo smbd[26762]: check_account: Failed to convert SID S-1-5-21-152988233-385876754-1545874412-12524 to a UID (dom_user[GRACELAND\adamski])
I can’t seem to get the configuration correct now on SLES 15.4. As best as I can understand, the problem seems to be translating the Windows SID to the Linux UID so both sides know which user they are talking about. I believe in 11.4 we used Kerberos and PAM/winbind to authenticate. The old configuration is not working, and I have mostly changed smb.conf, but it is still not working.
Has anyone gotten a SLES 15.4 and Windows Server 2019 Domain Controller to play nice?
My krb5.conf file (little to no changes from the SLES 11.4 config)
[libdefaults]
default_realm = DOMAINNAME.EDU
clockskew = 500
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[domain_realm]
.domainname.edu = DOMAINNAME.EDU
domainname.edu = DOMAINNAME.EDU
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[realms]
domainname.EDU = {
default_domain = domainname.edu
admin_server = dcxx.domainname.edu
kdc = dcxx.domainname.edu
}
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
external = sshd
use_shmem = sshd
The smb.conf file had most of the changes I have tried to get this to work.
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2015-05-01
[global]
workgroup = DOMAINNAME
password server = dcxx.domainname.edu
realm = DOMAINNAME.EDU
security = ADS
netbios name = echo
log level = 10
usershare allow guests = No
wins support = No
idmap config * : backend = tdb
idmap config * : range = 100000-40000000
idmap config DOMAINNAME:unix_nss_info = yes
idmap config DOMAINNAME : backend = tdb
idmap config DOMAINNAME : base_rid = 0
idmap config DOMAINNAME : range = 100000-40000000
ldap admin dn = CN=ldapuser,CN=Users,DC=domainname,DC=edu
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=dcxx,dc=domainname,dc=edu
ldap user suffix = ou=Users
ldap ssl = off
allow insecure wide links = yes
client ipc signing = auto
wins server =
winbind use default domain = true
[homes]
comment = Home Directories
valid users = %S
browseable = no
read only = no
inherit acls = yes
follow symlinks = yes
wide links = yes
[tmp]
comment = Temporary file space
inherit acls = Yes
path = /tmp
read only = No
Any help or suggestions are welcome, and if you need another config file I can post that.
John
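
An added example, not part of the original post: a small check that reads the `idmap config` lines from the smb.conf above, reports domains whose ID ranges overlap (Samba's idmap documentation requires the `*` default range and each domain's range to be distinct), and splits the failing SID from the log into domain SID, RID and account. The function names are hypothetical and the inputs are copied from the post.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the smb.conf posted above.
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 100000-40000000
idmap config DOMAINNAME:unix_nss_info = yes
idmap config DOMAINNAME : backend = tdb
idmap config DOMAINNAME : base_rid = 0
idmap config DOMAINNAME : range = 100000-40000000
"""
# The check_account message from the /var/log/warn excerpt above.
LOG = ("check_account: Failed to convert SID "
       "S-1-5-21-152988233-385876754-1545874412-12524 to a UID "
       "(dom_user[GRACELAND\\adamski])")

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.*\S)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def overlapping_ranges(domains):
    """Return sorted pairs of domains whose ID ranges share at least one ID."""
    ranges = {}
    for dom, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (low, high)
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def failed_sid(line):
    """Split a check_account failure into (domain SID, RID, account)."""
    m = re.search(
        r"SID (S-1-5-21(?:-\d+){3})-(\d+) to a UID \(dom_user\[(.+?)\]\)", line)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None

if __name__ == "__main__":
    print(overlapping_ranges(parse_idmap(SMB_CONF)))
    print(failed_sid(LOG))
```
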