[Samba] Homes shares randomly disappear on AD-DC's

Achim Gottinger achim at ag-web.biz
Wed Jul 9 01:54:04 MDT 2014


On 08.07.2014 12:34, Achim Gottinger wrote:
> On 08.07.2014 11:23, Achim Gottinger wrote:
>> Hi,
>>
>> I have a strange issue on our company network. We run samba4 ad-dc's
>> on four branches as separate sites, they are connected via ipsec
>> tunnels, all servers are debian wheezy systems using sernet 4.1.9-8
>> samba packages.
>> We use roaming profiles with folder redirection configured via GPOs.
>> In three of the four branches users suddenly lose the connection to
>> their home shares, since their appdata and desktop folders are
>> redirected there, the desktop goes blank and all types of errors pop up.
>> If I look at the samba server I can see that all shares are still
>> available besides the homes share and the share with the username. It's
>> fixable with a samba restart on the server side. It never happens on
>> the main site, just at the branches.
>> At first this happened every two weeks or so on three branches; I thought
>> I could prevent it by restarting samba every night but that did not help.
>> Two days ago I upgraded samba from 4.1.4-7 to 4.1.9-8 and since then
>> it happens twice a day.
>>
>> Here's the config we use at all four locations, with different netbios
>> names of course.
>>
>> # Global parameters
>> [global]
>>         workgroup = DOMAIN
>>         realm = domain.local
>>         netbios name = SERVER
>>         server role = active directory domain controller
>>         idmap_ldb:use rfc2307 = yes
>>         dns forwarder = 192.168.160.200
>>         template shell = /bin/bash
>>         log level = 3
>>         wins support = Yes
>>         deadtime = 10
>>         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
>>         ea support = yes
>>         store dos attributes = yes
>>         map readonly = no
>>         map archive = no
>>         map system = no
>>         map hidden = no
>>         strict allocate = yes
>>         acl allow execute always = yes
>>         vfs objects = dfs_samba4, acl_xattr, aio_pthread
>>         aio read size = 1024
>>         aio write size = 1024
>>         csc policy = disable
>>         reset on zero vc = yes
>>         idmap config * : range = 3000000-4000000
>>
>> [netlogon]
>>         root preexec = /etc/samba/scripts/user.py "%U"
>>         path = /var/lib/samba/sysvol/fot.local/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>>
>> [profiles]
>>         path = /data/profiles
>>         read only = no
>>
>> [homes]
>>         read only = No
>>
>> [data]
>>         path = /data/data
>>         read only = No
>>         inherit acls = Yes
>>
>> [applic]
>>         path = /data/applic
>>         read only = No
>>         inherit acls = Yes
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/lib/samba/printing
>>         browseable = Yes
>>         read only = No
>>         printable = Yes
>>
>> [print$]
>>         comment = Point and Print Printer Drivers
>>         path = /var/lib/samba/drivers
>>         read only = No
>>
>> Unfortunately I have no error messages from log.smbd, had the log
>> level increased from 1 to 3 and it seems to rotate once it reaches
>> 5MB, another thing I have to investigate now, there is no logrotate
>> configuration which interferes here.
>> I remember seeing errors like "service [username]not found trying 
>> [username] as a printer".
>>
>> Once it starts to happen for one user, others can work for a while
>> and access their home shares, but they lose them in a timeframe of
>> about an hour.
>>
>> Have some of you seen such a behavior? It looks kinda dubious here
>> atm. :-)
>>
>> achim~
>>
> Hmm, the only difference between main site and the branches was this
> setting, only defined at the main site.
>
> reset on zero vc = yes
>
> Added it to the branches' configs, increased log level to 5 and max log
> size to 500MB and have to wait to see if the issue appears again
Good morning,

So far I got called from two branches this morning, both with the same
issue: homes shares were not available.

Samba services got restarted during daily backup at around 5am. An 
employee started at 7:30am and was able to work without issues till ~8:05am.
Only have level 3 logs and a 50Mb limit on the two affected branches.
Uploaded such a log snippet here:
https://gist.github.com/achim71/4b43d24b4813706a03e3#file-gistfile1-txt

First ~200 lines show normal behaviour for employee vs. At line 250 it 
starts to get dubious for user md. There are a lot of permission denied
errors for chdir /home/DOMAIN/md.
This folder is owned by DOMAIN\md:DOMAIN\Domain-Users with 700 perms
and no additional ACLs. It normally works without any modifications on
the filesystem side.

At line 576 another user (berlin) tries to log in and his home directory 
can not be resolved.

While writing this I found winbind issues at my branches' machines. For
example "wbinfo -i berlin" works at the main site but not at the
branches. Same with "getent passwd", it does not list domain users at
the branches. ls -l however does resolve user and group names correctly.
This does not seem to have an impact for windows users however.

achim~
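
The thread turns on a single smb.conf parameter that was set at the main site but not at the branches. The following is an added example, not part of the original post or of Samba: a small Python check that reports such per-site drift between two configs. The sample configs are constructed from the one quoted above, and the function names and the `BRANCH1` name are assumptions.

```python
import re

# Parameters expected to differ between sites (the post: different netbios names).
EXPECTED_TO_DIFFER = {("global", "netbios name")}

def _norm(name):
    # smb.conf names are case-insensitive; whitespace runs are collapsed here
    # (a simplification chosen for this example).
    return re.sub(r"\s+", " ", name.strip().lower())

def parse_smb_conf(text):
    """Return {(section, parameter): value} for one smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            params[(section, _norm(key))] = value.strip()
    return params

def config_drift(reference, other):
    """List (section, parameter, reference_value, other_value) that differ."""
    ref, oth = parse_smb_conf(reference), parse_smb_conf(other)
    drift = []
    for key in sorted(set(ref) | set(oth)):
        if key not in EXPECTED_TO_DIFFER and ref.get(key) != oth.get(key):
            drift.append((key[0], key[1], ref.get(key), oth.get(key)))
    return drift

# Constructed sample configs, cut down from the config quoted in the post.
MAIN_SITE = """[global]
    netbios name = SERVER
    log level = 3
    reset on zero vc = yes
"""
BRANCH = """[global]
    Netbios Name = BRANCH1
    log  level = 3
"""

if __name__ == "__main__":
    print(config_drift(MAIN_SITE, BRANCH))
```

On live servers the two inputs can be the saved output of `testparm -s` from each site, which prints the effective non-default settings.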


