[Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC

Tue Aug 4 10:50:34 UTC 2015

On 04/08/15 11:19, Mario Pio Russo wrote:
> Hi allVersion 3.5.6
>
> I have a samba file share server , running on ubuntu 10. Samba version is
> 3.5.6.

Both of these have reached EOL.

>
> Originally this server was using a PDC server based on samba 3, and all was
> ok. now the PDC server has been upgraded via samba-tool to version 4.2.2 .

So you are now running an AD domain instead of an NT4-style domain.

> The system itself works generally fine (afer a good amount of tuning and
> configuration), however I am now incurring in a peculiar issue:

Could we please see your fileserver and AD DC smb.confs (suitably 
sanitized) to see what you have 'tuned'

> every week, at the weekend, the file share server Lose ALL the information
> regarding the domain groups!
>
> basically all the shares that are assigned for sharing, reports in the
> group field the numeric version of the group, and not the name.
> Furthermore, when I run getent group , it does NOT show any domain group.

Know 'feature' , whilst 'getent passwd' will show the users (if samba is 
set up correctly) 'getent group' will not, you need to use 'getent group 
groupname'

> NOTE that this does not happen for the users. specific domain users are
> still associated with their corresponding directorys permissions,
> furthermore getent passwd returns correctlly all the domain users.
>
> this causes big problems as the users cannot access their directories as
> the groups are not recognised.
>
> the only way I am able to resolve this issue is to reboot the server every
> week.

This sounds like a keytab problem.

Rowland

>
> I need some help in this way:
>
> 1) avoid that the groups are lost in the file share
> 2) find a way to re-associate the groups via command line without rebooting
> the machine
>
> Any help is well accepted, also let me know if you need any log or
> configuration files.
>
> thank you!
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> (Embedded image moved to file: pic45265.gif)