[Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC
Mario Pio Russo
mariopiorusso at ie.ibm.com
Thu Aug 13 14:32:30 UTC 2015
Hi Rowland, just back from Hols here :)
So the smb.conf of the DC is the following:
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
#server services = -winbindd +winbind
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10000-40000
# Store UIDs/GIDs for all other domains (including local
# accounts/groups of this server) in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# Use home directory and shell information from AD
winbind nss info = rfc2307
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
The smb.conf file of the file server is the following:
[global]
write cache size = 131072
vfs objects = full_audit
full_audit:prefix = %u,%I,%m,%S
# removed this, so we only log failures.
# however will keep it here commented it out for future reference
#full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:facility = local7
full_audit:priority = NOTICE
server string = CSI Samba Server
workgroup = CCDC
netbios name = SEADOG
realm = CCDC.LAN
security = ads
#security = domain
wins server = 9.161.96.220
server signing = mandatory
#password server = 9.161.96.220
map untrusted to domain = yes
wins support = no
wins proxy = no
dns proxy = no
name resolve order = wins host bcast
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
# This is needed, a fake home folder so that users are able to ftp
# this folder is empty but exists, do a getent passwd to see what I mean
template homedir = /home/winbind
local master = no
domain master = no
# To do with ACL mapping to Windows
#
dos filemode = Yes
acl group control = Yes
acl map full control = Yes
map acl inherit = Yes
guest account = nobody
invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
log file = /var/log/samba/log.%m
log level = 3
max log size = 2000
syslog = 0
# using these options copied from clearcase.
# back in the day we did research these to death
#
# socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# This disables print options
# we are not a print server
#
load printers = No
disable spoolss = Yes
smb ports = 139
# every mount from the SAN has a lost+found folder
# to avoid user confusion, have set this to hidden
#
hide files = /lost+found/
aio read size = 1
aio write size = 1
follow symlinks = no
........................... (here goes the share definition, cutting it as I don't think it's important)
These parameters come to my attention:
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
I wonder if they cause the groups to not be recognized anymore.
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 04/08/2015 11:54
Subject: Re: [Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC
Sent by: "samba" <samba-bounces at lists.samba.org>
On 04/08/15 11:19, Mario Pio Russo wrote:
> Hi all
> Version 3.5.6
>
> I have a Samba file share server, running on Ubuntu 10. Samba version is 3.5.6.
Both of these have reached EOL.
>
> Originally this server was using a PDC server based on Samba 3, and all was
> ok. Now the PDC server has been upgraded via samba-tool to version 4.2.2.
So you are now running an AD domain instead of an NT4-style domain.
> The system itself works generally fine (after a good amount of tuning and
> configuration), however I am now encountering a peculiar issue:
Could we please see your fileserver and AD DC smb.confs (suitably
sanitized) to see what you have 'tuned'?
> every week, at the weekend, the file share server loses ALL the information
> regarding the domain groups!
>
> Basically all the shares that are assigned for sharing report in the
> group field the numeric version of the group, and not the name.
> Furthermore, when I run getent group, it does NOT show any domain group.
Known 'feature': whilst 'getent passwd' will show the users (if Samba is
set up correctly), 'getent group' will not; you need to use 'getent group
groupname'.
> NOTE that this does not happen for the users. Specific domain users are
> still associated with their corresponding directories' permissions;
> furthermore getent passwd returns correctly all the domain users.
>
> This causes big problems as the users cannot access their directories as
> the groups are not recognised.
>
> The only way I am able to resolve this issue is to reboot the server every
> week.
This sounds like a keytab problem.
Rowland
>
> I need some help in this way:
>
> 1) prevent the groups from being lost on the file share
> 2) find a way to re-associate the groups via command line without rebooting
> the machine
>
> Any help is welcome; also let me know if you need any log or
> configuration files.
>
> thank you!
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
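The thread ends with the two smb.conf files side by side and a question about the `winbind uid`/`winbind gid` parameters, so here is an added example (my code, not anything from the thread, from IBM or from the Samba project) that parses both configurations and reports the ID ranges each side hands out, flagging any `idmap config` ranges that overlap, which Samba requires to be disjoint. The two fragments embedded below are trimmed copies of the configs quoted above; the parser is a minimal one written for this example (section headers, `key = value`, `#`/`;` comments, backslash continuation) and is not Samba's own loader.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the idmap/winbind-related lines of the two smb.conf
# files quoted in the thread (other parameters dropped for brevity).
DC_SMB_CONF = """\
[global]
workgroup = CCDC
realm = CCDC.LAN
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10000-40000
# Store UIDs/GIDs for all other domains in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000-9999
"""

FILESERVER_SMB_CONF = """\
[global]
workgroup = CCDC
realm = CCDC.LAN
security = ads
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
"""

Conf = Dict[str, Dict[str, str]]
Range = Tuple[int, int]
# Pre-'idmap config' range parameters as used on the file server above.
LEGACY_RANGE_KEYS = ("winbind uid", "winbind gid", "idmap uid", "idmap gid")
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_smb_conf(text: str) -> Conf:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    '#'/';' comments and backslash line continuation. Keys are lower-cased
    with internal whitespace collapsed, since Samba matches them that way."""
    conf: Conf = {}
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                      # stray text outside a section
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def parse_range(value: str) -> Range:
    """'10000-40000' -> (10000, 40000); rejects malformed or inverted ranges."""
    m = _RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an id range: {value!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError(f"inverted id range: {value!r}")
    return lo, hi


def idmap_ranges(conf: Conf) -> Dict[str, Range]:
    """Ranges declared as 'idmap config <DOMAIN>:range', keyed by DOMAIN."""
    ranges: Dict[str, Range] = {}
    for key, value in conf.get("global", {}).items():
        m = re.match(r"^idmap config (.+?)\s*:\s*range$", key)
        if m:
            ranges[m.group(1).upper()] = parse_range(value)
    return ranges


def legacy_ranges(conf: Conf) -> Dict[str, Range]:
    """The legacy range parameters present in [global], keyed by parameter."""
    g = conf.get("global", {})
    return {k: parse_range(g[k]) for k in LEGACY_RANGE_KEYS if k in g}


def find_overlaps(ranges: Dict[str, Range]) -> List[Tuple[str, str]]:
    """Pairs of domains whose id ranges intersect; Samba requires them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def report(dc: Conf, fs: Conf) -> List[str]:
    """Side-by-side summary of the id ranges the DC and the file server use."""
    out: List[str] = []
    dc_ranges = idmap_ranges(dc)
    for dom, (lo, hi) in sorted(dc_ranges.items()):
        out.append(f"DC  idmap config {dom}:range = {lo}-{hi}")
    for a, b in find_overlaps(dc_ranges):
        out.append(f"DC  WARNING: ranges for {a} and {b} overlap")
    domain = fs.get("global", {}).get("workgroup", "").upper()
    dc_dom = dc_ranges.get(domain)
    for key, (lo, hi) in legacy_ranges(fs).items():
        verdict = "same as" if dc_dom == (lo, hi) else "differs from"
        out.append(f"FS  {key} = {lo}-{hi} ({verdict} the DC's {domain} range)")
    return out


if __name__ == "__main__":
    print("\n".join(report(parse_smb_conf(DC_SMB_CONF),
                          parse_smb_conf(FILESERVER_SMB_CONF))))
```

Run as a script it prints the DC's two ranges (no overlap between `*` and `CCDC`) and notes that the file server's `winbind uid`/`winbind gid` range (10000-20000) is not the DC's CCDC range (10000-40000). That difference is not itself an error: with the default tdb idmap and no `idmap config CCDC:backend = ad` on the file server, winbind there allocates its own IDs independently of the rfc2307 IDs held on the DC. The script checks nothing about the weekly loss of group names, which the reply above tentatively attributes to the keytab; that needs the live system, for example the keytab entries and a `getent group <groupname>` for a known domain group, which is the form Rowland points out works where a bare `getent group` does not.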
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba