
We run an open source image processing web application. This provides users with a Windows network drive for uploading gigabytes of image data. The application offers the convenience that a network drive is automatically made available for a new user created in the web application. The underlying technical structure is fairly complex: The web application writes a new user into a local LDAP.

LDAP records:

dn: cn=my.user,ou=users,dc=nodomain
sambaLMPassword: CAA85EBCA5013DA4E39701B5DB7D953C
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: My User
sambaLogonScript: _my.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1oQ1MyYlRpZnl3eVlBdXhvSmdxc1N3PT0=
uid: my.user
cn: my.user
sambaPwdLastSet: 1590661108
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: 76E562A44397461C150C451A0A97D45E
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3017
description: description
homeDirectory: /usr/local/myapp/users/my.user
sambaKickoffTime: 0
sn: my.user
sambaPasswordHistory: 00000000000000000000000000000000000000
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
structuralObjectClass: inetOrgPerson
entryUUID: 51216ed8-3518-103a-9360-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200528101828Z
uidNumber: 1007
entryCSN: 20200528135857.787124Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20200528135857Z

dn: cn=other.user,ou=users,dc=nodomain
sambaPrimaryGroupSID: S-1-5-21-2939508899-399288318-4273609636-100
displayName: Other User
sambaLogonScript: _other.user.bat
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uidNumber: 1010
uid: other.user
cn: other.user
loginShell: loginShell
sambaAcctFlags: [U          ]
gidNumber: 100
sambaPwdMustChange: 2147483647
gecos: gecos
sambaSID: S-1-5-21-2939508899-399288318-4273609636-3021
description: description
homeDirectory: /usr/local/myapp/users/other.user
sambaKickoffTime: 0
sn: other.user
sambaPasswordHistory: 00000000000000000000000000000000000000
structuralObjectClass: inetOrgPerson
entryUUID: c65fc8da-4e3f-103a-9362-e9248c519c0b
creatorsName: cn=admin,dc=nodomain
createTimestamp: 20200629103354Z
userPassword:: e01ENX1PM0FNYzBuWW9UYlFqY1FUbVVGLy93PT0=
sambaLMPassword: 5EB9213C5086DC258401FE06348FE504
sambaNTPassword: B918CFBDEC4953CF990B0BE1F7682F3B
sambaPwdLastSet: 1601620989
sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
entryCSN: 20210204065218.718848Z#000000#000#000000
modifiersName: cn=admin,dc=nodomain
modifyTimestamp: 20210204065218Z

A new Linux user is thus introduced via Name Service Switch.

# /etc/nsswitch.conf

passwd:         compat systemd ldap
group:          compat systemd
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Result:

root@the-server:~# getent passwd
[…]
my.user:x:1007:100:gecos:/usr/local/myapp/users/my.user:loginShell
other.user:x:1010:100:gecos:/usr/local/myapp/users/other.user:loginShell

(A script uses sudo without a password to create the home folder and assign permissions.) In the Samba configuration, a network drive is generically created for all users via a [homes] section:

[global]
log level = 10
log file = /var/log/samba/log.%m

workgroup = MYWKGRP
unix extensions = no
wide links = yes
load printers = no
security = user
invalid users = root
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=nodomain
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap admin dn = cn=admin,dc=nodomain
ldap ssl = no
ldap passwd sync = yes
ldap delete dn = no

[homes]
comment = Home Directories
path = /usr/local/myapp/users/%U
read only = no
browseable = no
valid users = %S
guest ok = no
inherit permissions = yes

Samba verifies the user's password against the entry in the LDAP.

It all worked in Ubuntu Xenial 16. After upgrading the server to Ubuntu 20 Focal Fossa, it is no longer possible to connect via Samba for some users, while others can. (I believe only users that didn’t connect before the upgrade cannot connect, but I am guessing here.)

Example of a user that can log in successfully:

root@the-server:# smbclient \\\\localhost\\my.user -U my.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
Try "help" to get a list of possible commands.
smb: \> exit
root@the-server:#

Log:

[2021/02/04 16:22:10.170404,  4, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:22:10.170482,  4, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:183(sam_account_ok)
  sam_account_ok: Checking SMB password for user my.user
[2021/02/04 16:22:10.170530,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/check_samsec.c:164(logon_hours_ok)
  logon_hours_ok: user my.user allowed to logon at this time (Thu Feb  4 16:22:10 2021
  )
[2021/02/04 16:22:10.170571,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

2021/02/04 16:22:10.170893,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.170922,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.170978,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.171010,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.171044,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!

...

[2021/02/04 16:22:10.171930, 10, pid=162911, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/minimum password age] and timeout=[Do Feb  4 16:23:10 2021 UTC] (60 seconds ahead)
[2021/02/04 16:22:10.172014,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172055,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172087,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172118,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.172148,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.172177,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.172249,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.172289,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user my.user
[2021/02/04 16:22:10.172320,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is my.user
[2021/02/04 16:22:10.172355,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/username.c:158(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [my.user]!
[2021/02/04 16:22:10.172415, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/system_smbd.c:176(sys_getgrouplist)
  sys_getgrouplist: user [my.user]
[2021/02/04 16:22:10.173049,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173089,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:575(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173120,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:319(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2021/02/04 16:22:10.173150,  5, pid=162911, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:22:10.173179,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.173242,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1307(smbldap_search_ext)
  smbldap_search_ext: base => [dc=nodomain], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=100))], scope => [2]
[2021/02/04 16:22:10.173656,  4, pid=162911, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:2539(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=100))
[2021/02/04 16:22:10.173741,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:22:10.173779, 10, pid=162911, effective(0, 0), real(0, 0)] ../../source3/passdb/lookup_sid.c:1226(xid_to_sid)
  xid_to_sid: GID 100 -> S-1-22-2-100 fallback
[2021/02/04 16:22:10.173816,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/server_info_sam.c:121(make_server_info_sam)
  make_server_info_sam: made server info for user my.user -> my.user
[2021/02/04 16:22:10.173865,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.173906,  3, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:266(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [my.user] succeeded

...

[2021/02/04 16:22:10.174071,  5, pid=162911, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:22:10.174132,  4, pid=162911, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:22:10.174165,  5, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:293(auth_check_ntlm_password)
  check_ntlm_password:  PAM Account for user [my.user] succeeded
[2021/02/04 16:22:10.174231,  3, pid=162911, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[my.user] at [Do, 04 Feb 2021 16:22:10.174206 UTC] with [NTLMv2] status [NT_STATUS_OK] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35408] became [THE-SERVER]\[my.user] [S-1-5-21-2939508899-399288318-4273609636-3017]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:22:10.174358+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35408", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "my.user", "workstation": "THE-SERVER", "becameAccount": "my.user", "becameDomain": "THE-SERVER", "becameSid": "S-1-5-21-2939508899-399288318-4273609636-3017", "mappedAccount": "my.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 24104}}
[2021/02/04 16:22:10.174433,  2, pid=162911, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:322(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [my.user] -> [my.user] -> [my.user] succeeded

Example of a user that fails to log in:

root@the-server:# smbclient \\\\localhost\\other.user -U other.user
WARNING: The "encrypt passwords" option is deprecated
Enter MYWKGRP\my.user's password:
session setup failed: NT_STATUS_LOGON_FAILURE
root@the-server:#

(Note that the password is correct, I can log into the web application with it.)

Log:

[2021/02/04 16:23:53.337983,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:363(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with domain [MYWKGRP]
[2021/02/04 16:23:53.338052,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:377(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYWKGRP]
[2021/02/04 16:23:53.338109,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:391(ntlm_password_check)
  ntlm_password_check: Checking NTLMv2 password without a domain
[2021/02/04 16:23:53.338151,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:403(ntlm_password_check)
  ntlm_password_check: NTLMv2 password check failed
[2021/02/04 16:23:53.338181,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:448(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user other.user
[2021/02/04 16:23:53.338210,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:485(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain MYWKGRP
[2021/02/04 16:23:53.338250,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:514(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of domain MYWKGRP
[2021/02/04 16:23:53.338290,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:543(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2021/02/04 16:23:53.338329,  4, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:574(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2021/02/04 16:23:53.338359,  3, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/auth/ntlm_check.c:595(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user other.user, and NT MD4 password in LM field not permitted
[2021/02/04 16:23:53.338394,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:215(push_sec_ctx)

...

[2021/02/04 16:23:53.338710,  5, pid=163119, effective(0, 0), real(0, 0)] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2021/02/04 16:23:53.338739,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups

...

[2021/02/04 16:23:53.339502, 10, pid=163119, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[ACCT_POL/bad lockout attempt] and timeout=[Do Feb  4 16:24:53 2021 UTC] (60 seconds ahead)
[2021/02/04 16:23:53.339580,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2021/02/04 16:23:53.339628,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.339661,  9, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/passdb.c:2243(pdb_increment_bad_password_count)
  No lockout policy, don't track bad passwords

...

[2021/02/04 16:23:53.339815,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:873(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2021/02/04 16:23:53.339873,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1975(ldapsam_update_sam_account)
  ldapsam_update_sam_account: user other.user to be modified has dn: cn=other.user,ou=users,dc=nodomain
[2021/02/04 16:23:53.339907,  2, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1168(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: other.user
[2021/02/04 16:23:53.339942,  4, pid=163119, effective(0, 0), real(0, 0), class=passdb] ../../source3/passdb/pdb_ldap.c:1988(ldapsam_update_sam_account)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: other.user
[2021/02/04 16:23:53.339984,  4, pid=163119, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2021/02/04 16:23:53.340021,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:257(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340066,  2, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [other.user] -> [other.user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340134,  2, pid=163119, effective(0, 0), real(0, 0), class=auth_audit] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYWKGRP]\[other.user] at [Do, 04 Feb 2021 16:23:53.340109 UTC] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [THE-SERVER] remote host [ipv4:127.0.0.1:35426] mapped to [MYWKGRP]\[other.user]. local host [ipv4:127.0.0.1:445] 
  {"timestamp": "2021-02-04T16:23:53.340268+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:127.0.0.1:445", "remoteAddress": "ipv4:127.0.0.1:35426", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MYWKGRP", "clientAccount": "other.user", "workstation": "THE-SERVER", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "other.user", "mappedDomain": "MYWKGRP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 21900}}
[2021/02/04 16:23:53.340347,  5, pid=163119, effective(0, 0), real(0, 0)] ../../source3/auth/auth_ntlmssp.c:191(auth3_check_password)
  Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2021/02/04 16:23:53.340384,  5, pid=163119, effective(0, 0), real(0, 0), class=auth] ../../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for MYWKGRP\other.user failed: NT_STATUS_WRONG_PASSWORD

Further investigation and thought:

  • I tried setting either client use spnego = no, or client ntlmv2 auth = no, or both of them in the smb.conf, and each time restarted smbd and nmbd, but it didn’t change anything. Also tried setting client ntlmv2 auth = yes, because I read here that this kind of auth is based on an NTLM password hash. But it didn’t help either.
  • Maybe here is a related question, but the answers seem not applicable, or I don’t understand what I have to do.
  • Authentication should not require running smbpasswd for users that cannot log in. The web application is writing the full LDAP entry, and Samba should pick up all it needs to know from there. This is how it has worked for a decade now. (And how it does for my.user. I didn’t run smbpasswd for my.user. I did run it to set the LDAP password, which is OK of course. I also did this again after the upgrade, in case it was lost.)
  • I read about winbind, which was part of Samba in the past and now must be installed and used as its own library. This seems to be an issue when authenticating to a Microsoft Active Directory, but as I am authenticating to Slapd on localhost, as far as I get it, I don’t need it, and I haven’t yet tried to install any of it.
  • creating a new user in LDAP → cannot log in
  • deleting a formerly working user from LDAP and recreating it (with a new, previously unassigned user number) → still can log in
  • setting the parent directory of the user homes (here /usr/local/myapp/users) to group sambashare and permissions 1770 doesn’t fix it
Matthias Ronge
  • Sounds like a lack of SMBv1 to me, try adding: client min protocol = NT1 and server min protocol = NT1 to your smb.conf file and then start planning to upgrade to Samba AD. SMBv1 is going away. – Rowland Penny Feb 08 '21 at 15:21
  • Doesn’t work. BTW why should `/usr/bin/smbclient` require SMBv1 for some users and for other user not? – Matthias Ronge Feb 09 '21 at 10:22
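The failing log ends in NT_STATUS_WRONG_PASSWORD at ntlm_password_check, while the web application accepts the same password against userPassword. A check worth running before touching smb.conf is to take the plaintext the user asserts is correct and test it against both stored credentials in the LDAP entry: the {MD5} userPassword the web application verifies and the sambaNTPassword (MD4 over the UTF-16LE password) that Samba compares during the NTLMv2 check. This is an added example, not code from the question or from Samba; the MD4 routine, the LDIF parser and the sample entry (whose hashes are for the plaintext "password") are constructed here.

```python
import base64, hashlib, struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    m = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & m
    rounds = (  # (mix function, message-word order, shifts, round constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as 64-bit little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[j] + k) & m, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working registers
        state = [(s + v) & m for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over the UTF-16LE password."""
    return _md4(password.encode("utf-16-le")).hex().upper()

def ldap_md5_matches(stored: str, password: str) -> bool:
    """Verify an OpenLDAP '{MD5}' userPassword value (base64 of the raw MD5 digest)."""
    if not stored.startswith("{MD5}"):
        raise ValueError("unsupported userPassword scheme in " + stored[:8])
    return base64.b64decode(stored[5:]) == hashlib.md5(password.encode()).digest()

def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attr: [values]}; 'attr:: v' carries a base64 value."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep:
            continue
        if attr.endswith(":"):  # double colon, as slapcat emits for userPassword
            attr, value = attr[:-1], base64.b64decode(value).decode()
        entry.setdefault(attr, []).append(value)
    return entry

def check_entry(entry: dict, password: str) -> dict:
    """Report which of the two stored credentials agree with the candidate plaintext."""
    return {
        "uid": entry["uid"][0],
        "nt_hash_matches": entry.get("sambaNTPassword", [""])[0].upper() == nt_hash(password),
        "ldap_password_matches": ldap_md5_matches(entry["userPassword"][0], password),
        "account_disabled": "D" in entry.get("sambaAcctFlags", [""])[0],
    }

# Constructed entry, not one from the question: both hashes are for the plaintext "password".
_USERPW_B64 = base64.b64encode(b"{MD5}X03MO1qnZdYdgyfeuILPmQ==").decode()
SAMPLE_LDIF = f"""dn: cn=test.user,ou=users,dc=nodomain
uid: test.user
sambaAcctFlags: [U          ]
userPassword:: {_USERPW_B64}
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""
```

Run check_entry(parse_ldif_entry(entry_from_slapcat), plaintext) for a working and a failing user; if ldap_password_matches is True but nt_hash_matches is False, the web application is writing a sambaNTPassword that does not correspond to the password it accepts.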

0 Answers