[Samba] Homes shares randomly disappear on AD-DCs
Achim Gottinger
achim at ag-web.biz
Wed Jul 9 02:42:51 MDT 2014
On 09.07.2014 09:54, Achim Gottinger wrote:
> On 08.07.2014 12:34, Achim Gottinger wrote:
>> On 08.07.2014 11:23, Achim Gottinger wrote:
>>> Hi,
>>>
>>> I have a strange issue on our company network. We run samba4
>>> ad-dc's on four branches as separate sites, they are connected via
>>> ipsec tunnels, all servers are debian wheezy systems using sernet
>>> 4.1.9-8 samba packages.
>>> We use roaming profiles with folder redirection configured via
>>> GPOs. In three of the four branches users suddenly lose the
>>> connection to their home shares; since their appdata and desktop
>>> folders are redirected there, the desktop goes blank and all types of
>>> errors pop up. If I look at the samba server I can see that all
>>> shares are still available besides the homes share and the share with
>>> the username. It's fixable with a samba restart on the server side.
>>> It never happens on the main site, just at the branches.
>>> At first this happened every two weeks or so on three branches; I
>>> thought I could prevent it by restarting samba every night, but that
>>> did not help.
>>> Two days ago I upgraded samba from 4.1.4-7 to 4.1.9-8 and since then
>>> it happens twice a day.
>>>
>>> Here's the config we use at all four locations, with different netbios
>>> names of course.
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = DOMAIN
>>> realm = domain.local
>>> netbios name = SERVER
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>> dns forwarder = 192.168.160.200
>>> template shell = /bin/bash
>>> log level = 3
>>> wins support = Yes
>>> deadtime = 10
>>> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>>> ea support = yes
>>> store dos attributes = yes
>>> map readonly = no
>>> map archive = no
>>> map system = no
>>> map hidden = no
>>> strict allocate = yes
>>> acl allow execute always = yes
>>> vfs objects = dfs_samba4, acl_xattr, aio_pthread
>>> aio read size = 1024
>>> aio write size = 1024
>>> csc policy = disable
>>> reset on zero vc = yes
>>> idmap config * : range = 3000000-4000000
>>>
>>> [netlogon]
>>> root preexec = /etc/samba/scripts/user.py "%U"
>>> path = /var/lib/samba/sysvol/fot.local/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> [profiles]
>>> path = /data/profiles
>>> read only = no
>>>
>>> [homes]
>>> read only = No
>>>
>>> [data]
>>> path = /data/data
>>> read only = No
>>> inherit acls = Yes
>>>
>>> [applic]
>>> path = /data/applic
>>> read only = No
>>> inherit acls = Yes
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/lib/samba/printing
>>> browseable = Yes
>>> read only = No
>>> printable = Yes
>>>
>>> [print$]
>>> comment = Point and Print Printer Drivers
>>> path = /var/lib/samba/drivers
>>> read only = No
>>>
>>> Unfortunately I have no error messages from log.smbd, had the log
>>> level increased from 1 to 3 and it seems to rotate once it reaches
>>> 5MB, another thing I have to investigate now, there is no logrotate
>>> configuration which interferes here.
>>> I remember seeing errors like "service [username]not found trying
>>> [username] as a printer".
>>>
>>> Once it starts to happen for one user, others can work for a while
>>> and access their home shares, but they lose them in a timeframe of
>>> about an hour.
>>>
>>> Have some of you seen such a behavior? It looks kinda dubious here
>>> atm. :-)
>>>
>>> achim~
>>>
>> Hmm, the only difference between main site and the branches was this
>> setting, only defined at the main site.
>>
>> reset on zero vc = yes
>>
>> Added it to the branches configs, increased log level to 5 and max
>> log size to 500MB and have to wait if the issue appears again
> Good morning,
>
> So far I got called from two branches this morning, both with the same
> issue: homes shares were not available.
>
> Samba services got restarted during daily backup at around 5am. An
> employee started at 7:30am and was able to work without issues till
> ~8:05am.
> Only have level 3 logs and a 50Mb limit on the two affected branches.
> Uploaded such a log snippet here
> https://gist.github.com/achim71/4b43d24b4813706a03e3#file-gistfile1-txt
>
> First ~200 lines show normal behaviour for employee vs. At line 250 it
> starts to get dubious for user md. There are a lot of permission denied
> errors for chdir /home/DOMAIN/md.
> This folder is owned by DOMAIN\md:DOMAIN\Domain-Users with 700
> perms and no additional ACLs. It normally works without any
> modifications on the filesystem side.
These show up during normally behaving samba as well; the user can work
without issues atm.
>
> At line 576 another user (berlin) tries to log in and his home
> directory can not be resolved.
>
> While writing this I found winbind issues at my branch machines. For
> example "wbinfo -i berlin" works at the main site but not at the
> branches. Same with "getent passwd", it does not list domain users at
> the branches. ls -l however does resolve user and group names correctly.
> This does not seem to have an impact for windows users however.
wbinfo / getent passwd work at one branch and on the main site but not
on two others. I use unscd for caching, restarted it but it did not help.
/etc/nsswitch.conf is identical on all machines,
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns wins
smb.conf only differs in netbios name and dns forwarder.
/etc/resolv.conf points to the respective servers
/etc/krb5.conf is identical.
Was
[libdefaults]
default_realm = FOT.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
Changed it to
[libdefaults]
default_realm = FOT.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
to match with /var/lib/samba/private/krb5.conf, just in case.
samba-tool dbcheck passes clean on all servers.
samba-tool drs showrepl shows no errors.
Time is in sync.
>
> achim~
>
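
The by-hand comparison in this message (smb.conf files that should differ only in netbios name and dns forwarder across the DCs) can be automated. This is an added example, not part of the original post; the function names, host labels and sample configs are constructed for illustration.

```python
# Added example: report smb.conf drift between DCs meant to be configured alike.
EXPECTED = {"netbiosname", "dnsforwarder"}   # per the post, these differ by site
BOOLS = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}
def parse_smb_conf(text):
    """Return {(section, parameter): value}, normalised the way smb.conf(5)
    treats names: case and whitespace are not significant."""
    params, section = {}, "global"
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "".join(line[1:-1].lower().split())
            continue
        key, sep, value = line.partition("=")
        if sep:
            value = " ".join(value.split())
            params[(section, "".join(key.lower().split()))] = BOOLS.get(value.lower(), value)
    return params

def drift(configs, expected=EXPECTED):
    """configs maps host -> smb.conf text; returns {(section, key): {host: value}}
    for every parameter whose value (or presence) is not the same everywhere."""
    parsed = {host: parse_smb_conf(text) for host, text in configs.items()}
    report = {}
    for item in sorted(set().union(*parsed.values())):
        values = {host: conf.get(item) for host, conf in parsed.items()}
        if item[1] not in expected and len(set(values.values())) > 1:
            report[item] = values
    return report

# Constructed sample input (host labels and values are made up for the example).
MAIN = """[global]
    netbios name = DC-MAIN
    reset on zero vc = yes
[homes]
    read only = No
"""
BRANCH = """[global]
    netbios name = DC-BRANCH
    log level = 3
[homes]
    readonly = no
"""

if __name__ == "__main__":
    for (section, key), values in drift({"main": MAIN, "branch": BRANCH}).items():
        print(f"[{section}] {key}: {values}")
```

A value of `None` for a host means the parameter is absent from that host's file, so the built-in default applies there.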