[Samba] on linux samba file shares, groups and user are randomlly lost. Using samba4 as Domain controller

Mario Pio Russo mariopiorusso at ie.ibm.com
Tue Sep 1 11:04:24 UTC 2015

Good day All

I am re-proposing this topic as it keeps happening in our environment and is
creating some trouble now.

I have 1 samba file share server, and a different samba4 AD server.

the file server has been recently updated to Ubuntu 14 and its native samba
4.1.6. The samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.

What happens is that every 4~5 days the file share server randomly loses
the group/user associations. When doing ls on the shares, I do not see
the domain users / groups but I just see their uid. When I try to access
those shares, it gives permission denied. The only option is to reboot the
file server. After reboot all comes back to normal. I can see the
users/groups when "ls" and I can access and mount the shares. But after a while
it all comes back again. Note that when the system is not working, getent
group does not show anything, but wbinfo -g shows the groups correctly. On
the AD, I have disabled the winbindd and I am using the original winbind.

Here are the 2 smb.conf files (note: I have cut off most of the shares):

Samba file share:

        workgroup = CCDC
        realm = CCDC.LAN
        server string = CSI Samba Server
        server role = member server
        security = ADS
        map untrusted to domain = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 2000
        #smb ports = 139
        name resolve order = wins, host, bcast
        server signing = required
        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE
        load printers = No
        disable spoolss = Yes
        local master = No
        domain master = No
        dns proxy = No
        wins server =
        template homedir = /home/winbind
        winbind cache time = 15
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 10000-20000
        full_audit:priority = NOTICE
        full_audit:facility = local7
        full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
        full_audit:prefix = %u,%I,%m,%S
        idmap config * : backend = tdb
        invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
        acl group control = Yes
        aio read size = 1
        aio write size = 1
        map acl inherit = Yes
        hide files = /lost+found/
        follow symlinks = No
        dos filemode = Yes
        vfs objects = full_audit

      comment              = ICS - CSI mantis build and daily kits folder
      path                 = /export/ICS/CSI/workplace
      valid users          = @"domainusers"
      force create mode    = 750
      force directory mode = 740
      writeable            = Yes
      browseable           = Yes

      comment              = ICS - CSI Admins Share
      path                 = /export/ICS/CSI/labadmins
      valid users          = @smbLabAdmins
      force create mode    = 750
      force directory mode = 740
      writeable            = Yes
      browseable           = Yes

samba AD :

# Global parameters
        workgroup = CCDC
        realm = CCDC.LAN
        netbios name = CCDC-SAMBA4-DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        server services = -winbindd +winbind
        dns forwarder =
        #server services = -winbindd +winbind
        idmap config CCDC:backend = ad
        idmap config CCDC:schema_mode = rfc2307
        idmap config CCDC:range = 10000-40000

        # Store UIDs/GIDs for all other domains (including local
        # accounts/groups of this server) in a tdb file
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   =

        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

        path = /var/lib/samba/sysvol
        read only = No

Funny thing is that I can't find anything relevant in the logs of the file
share server.

Any help is really appreciated.

Thank you


Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
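Added example (not code from the post above or from the Samba project): a small Python health check for the symptom Mario describes, where wbinfo -g still enumerates domain groups but getent group returns nothing. It parses the two command outputs and reports the groups winbind knows about that NSS cannot resolve, which is the condition to alert on before users start seeing "permission denied". It also parses the idmap ranges out of an smb.conf fragment and flags overlapping ranges, since Samba requires the "*" range and each domain range to be disjoint. All command output and the smb.conf fragment below are constructed samples; on a real member server you would feed it the actual output of wbinfo -g and getent group.

```python
"""Member-server winbind/NSS health check for the symptom in the post above.

Added example, not part of the original post. The sample command outputs
and the smb.conf fragment below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `wbinfo -g` output. With `winbind use default domain = Yes`
# the names are bare; without it they carry a DOMAIN\ prefix. Both forms are handled.
SAMPLE_WBINFO_G = """\
domainusers
smbLabAdmins
CCDC\\domain admins
"""

# Constructed sample of `getent group` on the *broken* host: only local groups
# are visible, the domain groups winbind knows about are missing.
SAMPLE_GETENT_BROKEN = """\
root:x:0:
sudo:x:27:mario
"""

# Constructed sample of `getent group` on the healthy host after a reboot.
SAMPLE_GETENT_HEALTHY = SAMPLE_GETENT_BROKEN + """\
domainusers:x:10001:
smblabadmins:x:10002:
domain admins:x:10000:
"""


def winbind_groups(wbinfo_output: str) -> Set[str]:
    """Normalise `wbinfo -g` lines to lower-case bare group names."""
    names = set()
    for line in wbinfo_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # Strip an optional DOMAIN\ prefix (the default winbind separator is '\').
        names.add(line.split("\\", 1)[-1].lower())
    return names


def nss_groups(getent_output: str) -> Dict[str, int]:
    """Parse `getent group` lines (name:passwd:gid:members) into name -> gid."""
    groups = {}
    for line in getent_output.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 3 or not parts[2].isdigit():
            continue  # skip blank or malformed lines
        groups[parts[0].lower()] = int(parts[2])
    return groups


def nss_gap(wbinfo_output: str, getent_output: str) -> List[str]:
    """Groups winbind can enumerate but NSS cannot: the post's failure signature.

    An empty list means NSS and winbind agree. A non-empty list on a host
    that was healthy earlier is the condition worth alerting on.
    """
    missing = winbind_groups(wbinfo_output) - set(nss_groups(getent_output))
    return sorted(missing)


# Matches both `idmap config * : range = 10000-20000` and `idmap config CCDC:range = 10000-40000`.
IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Extract `idmap config DOMAIN : range = lo-hi` settings from smb.conf text."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE_RE.finditer(smb_conf)}


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges overlap (they must be disjoint)."""
    items = sorted(ranges.items())
    clashes = []
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((d1, d2))
    return clashes


# Constructed smb.conf fragment mirroring the shape of the DC config in the post.
SAMPLE_DC_CONF = """\
        idmap config CCDC:backend = ad
        idmap config CCDC:range = 10000-40000
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
"""

if __name__ == "__main__":
    print("broken host, missing from NSS:", nss_gap(SAMPLE_WBINFO_G, SAMPLE_GETENT_BROKEN))
    print("healthy host, missing from NSS:", nss_gap(SAMPLE_WBINFO_G, SAMPLE_GETENT_HEALTHY))
    ranges = idmap_ranges(SAMPLE_DC_CONF)
    print("DC idmap ranges:", ranges, "overlaps:", overlapping_ranges(ranges))
```

Run from cron on the file server with the live outputs (`wbinfo -g` and `getent group` piped into nss_gap) to catch the "NSS empty, winbind fine" state while it is happening, instead of discovering it from a user's permission-denied report; the idmap range check is a one-off sanity pass over both smb.conf files.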

