On 12/02/19 20:38, Andreas Hasenack wrote:
> Ok, can you please share your configuration files so I can give it a
> try?

of course!

> - smb.conf

# Global parameters
[global]
	allow trusted domains = No
	client ipc signing = if_required
	dns proxy = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	obey pam restrictions = Yes
	pam password change = Yes
	panic action = /usr/share/samba/panic-action %d
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	security = DOMAIN
	server signing = required
	server string = %h server (Samba, Ubuntu)
	template shell = /bin/bash
	unix password sync = Yes
	usershare allow guests = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind expand groups = 1
	winbind offline logon = Yes
	workgroup = MYDOMAIN
	idmap config * : range = 25000-30000
	idmap config dominiocsa : range = 10000-24999
	idmap config dominiocsa : backend = rid
	idmap config * : backend = tdb

[printers]
	browseable = No
	comment = All Printers
	create mask = 0700
	path = /var/spool/samba
	printable = Yes

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

> - pam_winbind config

$ egrep -v "^(#|;|$)" /etc/security/pam_winbind.conf
[global]
debug = yes
debug_state = yes
cached_login = yes

> - relevant /etc/pam.d/ files for the service you are trying (ssh, common-* probably)

$ egrep -v "^(#|$)" /etc/pam.d/sshd
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
session required pam_env.so # [1]
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password

$ egrep -v "^(#|$)" /etc/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

$ egrep -v "^(#|$)" /etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so

$ egrep -v "^(#|$)" /etc/pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
password optional pam_gnome_keyring.so

> Also, have you run testparm on your config just to rule out syntax errors and other checks?

yes, of course. This is the output of testparm before showing the dump of the "service definition":

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
WARNING: The 'client ipc signing' value may mean SMB signing is not used when contacting a domain controller or other server. This setting is not recommended; please be aware of the security implications when using this configuration setting.
Server role: ROLE_DOMAIN_MEMBER
[...]

> Finally, I would suggest to really drop the network instead of running
> "winbind offline", as I think that is a more realistic test.

ok, many thanks

Piviul