[Samba] On Linux Samba file shares, groups and users are randomly lost. Using Samba4 as domain controller
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Sep 1 12:49:31 UTC 2015
On 01/09/15 12:04, Mario Pio Russo wrote:
>
> Good day All
>
> I am re-proposing this topic as it keeps happening in our environment and is
> creating some trouble now.
>
> I have one Samba file share server and a separate Samba4 AD server.
>
> The file server has been recently updated to Ubuntu 14 and its native Samba
> 4.1.6. The Samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.
>
> What happens is that every 4~5 days the file share server randomly loses
> the group/user associations. When doing ls on the shares, I do not see
> the domain users/groups but just see their uid. When I try to access
> those shares, it gives permission denied. The only option is to reboot the
> file server. After the reboot all comes back to normal: I can see the
> users/groups with ls and I can access and mount the shares. But after a while
> it all happens again. Note that when the system is not working, getent
> group does not show anything, but wbinfo -g shows the groups correctly. On
> the AD, I have disabled winbindd and I am using the original winbind.
>
> Here are the two smb.conf files (note: I have cut off most of the shares).
>
> Samba file share:
>
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> server string = CSI Samba Server
> server role = member server
> security = ADS
> map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 2000
> #smb ports = 139
> name resolve order = wins, host, bcast
> server signing = required
> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> load printers = No
> disable spoolss = Yes
> local master = No
> domain master = No
> dns proxy = No
> wins server = 9.161.96.220
> template homedir = /home/winbind
> winbind cache time = 15
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> full_audit:priority = NOTICE
> full_audit:facility = local7
> full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
> full_audit:prefix = %u,%I,%m,%S
> idmap config * : backend = tdb
> invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
> acl group control = Yes
> aio read size = 1
> aio write size = 1
> map acl inherit = Yes
> hide files = /lost+found/
> follow symlinks = No
> dos filemode = Yes
> vfs objects = full_audit
>
> [workplace]
> comment = ICS - CSI mantis build and daily kits folder
> path = /export/ICS/CSI/workplace
> valid users = @"domainusers"
> force create mode = 750
> force directory mode = 740
> writeable = Yes
> browseable = Yes
>
> [labadmins]
> comment = ICS - CSI Admins Share
> path = /export/ICS/CSI/labadmins
> valid users = @smbLabAdmins
> force create mode = 750
> force directory mode = 740
> writeable = Yes
> browseable = Yes
>
>
>
>
> Samba AD:
>
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4-DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> server services = -winbindd +winbind
> dns forwarder = 9.0.138.50
> #server services = -winbindd +winbind
> idmap config CCDC:backend = ad
> idmap config CCDC:schema_mode = rfc2307
> idmap config CCDC:range = 10000-40000
>
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
>
> [netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> The funny thing is that I can't find anything relevant in the logs of the file
> share server.
>
> Any help is really appreciated.
>
> Thank you
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
OK, I recommend you change your smb.conf files to these:

# Samba file share (member server):
[global]
workgroup = CCDC
realm = CCDC.LAN
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = CSI Samba Server
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind cache time = 15
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config CCDC : backend = rid
idmap config CCDC : range = 10000-20000
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
#smb ports = 139
name resolve order = wins, host, bcast
server signing = required
load printers = No
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = 9.161.96.220
template homedir = /home/winbind
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:prefix = %u,%I,%m,%S
invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
acl group control = Yes
aio read size = 1
aio write size = 1
map acl inherit = Yes
hide files = /lost+found/
follow symlinks = No
dos filemode = Yes
vfs objects = acl_xattr full_audit
store dos attributes = Yes
[workplace]
comment = ICS - CSI mantis build and daily kits folder
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes
[labadmins]
comment = ICS - CSI Admins Share
path = /export/ICS/CSI/labadmins
valid users = @smbLabAdmins
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes

# Samba AD DC:
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
I would also recommend installing the 'acl' & 'attr' packages (if not
already installed), reading up on using POSIX ACLs, and losing the 'force'
lines in the member server conf and using POSIX ACLs instead.
Rowland
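Added example, not code from either post in this thread and not Samba project code: a small POSIX shell script that does two checks this thread calls for. First, it reproduces the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID, base RID 0) for the member-server range Rowland proposes, so you can see which RIDs fall outside 10000-20000 and would get no Unix id. Second, it compares the output of wbinfo -g with getent group to flag the state Mario describes, where winbind answers but the NSS layer does not. The domain SID S-1-5-21-1-2-3, the group names and the wbinfo/getent listings are constructed placeholders, not data from the poster's domain; the script only runs the real tools when both are installed and otherwise works on the samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Two checks for a winbind member server such as the one in this thread.
# The SIDs, group names and command outputs below are constructed samples.

# --- 1. idmap_rid arithmetic -------------------------------------------------
# idmap_rid maps a domain object to a Unix id as
#     ID = RID - BASE_RID + LOW_RANGE_ID        (base rid defaults to 0)
# For the proposed "idmap config CCDC : range = 10000-20000" that means only
# RIDs 0-10000 get an id; anything above is refused by winbind.
# Usage: rid_to_unix_id SID LOW HIGH -> prints the id and returns 0,
# or prints nothing and returns 1 when the id would fall outside LOW-HIGH.
rid_to_unix_id() {
    r_sid=$1
    r_low=$2
    r_high=$3
    r_rid=${r_sid##*-}                     # last dash-separated field is the RID
    case $r_rid in
        ''|*[!0-9]*) return 2 ;;           # not something that ends in a RID
    esac
    r_id=$((r_low + r_rid))                # BASE_RID = 0, the idmap_rid default
    if [ "$r_id" -lt "$r_low" ] || [ "$r_id" -gt "$r_high" ]; then
        return 1
    fi
    printf '%s\n' "$r_id"
}

# --- 2. winbind answers but NSS does not ------------------------------------
# wbinfo talks to winbindd directly; getent goes through nsswitch.conf and
# libnss_winbind. A group that appears in the first listing but not the second
# is therefore lost somewhere on the NSS path, not in the domain join.
# Usage: groups_missing_from_nss "<wbinfo -g output>" "<getent group output>"
groups_missing_from_nss() {
    g_wb=$1
    g_nss_names=$(printf '%s\n' "$2" | cut -d: -f1)   # group names only
    printf '%s\n' "$g_wb" | while IFS= read -r g_name; do
        [ -n "$g_name" ] || continue
        if ! printf '%s\n' "$g_nss_names" | grep -qxF -- "$g_name"; then
            printf '%s\n' "$g_name"
        fi
    done
}

# Classify the member server from the two listings:
#   winbind-down  wbinfo -g returned nothing at all
#   nss-stale     winbind lists groups that NSS does not (the thread's symptom:
#                 getent group is empty while wbinfo -g is fine)
#   ok            every winbind group is visible through NSS
nss_state() {
    if [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
        printf 'winbind-down\n'
    elif [ -n "$(groups_missing_from_nss "$1" "$2")" ]; then
        printf 'nss-stale\n'
    else
        printf 'ok\n'
    fi
}

# Constructed sample listings (winbind use default domain = Yes, so no
# CCDC\ prefix); the gids follow the rid mapping above: 10000 + 513, 10000 + 512.
SAMPLE_WBINFO='domain users
domain admins
smblabadmins'
SAMPLE_GETENT_OK='root:x:0:
domain users:x:10513:
domain admins:x:10512:
smblabadmins:x:11104:'
SAMPLE_GETENT_BROKEN='root:x:0:
sambashare:x:124:'

# Use the real tools only when both are installed; otherwise run on the samples.
if command -v wbinfo >/dev/null 2>&1 && command -v getent >/dev/null 2>&1; then
    live_wb=$(wbinfo -g 2>/dev/null) || live_wb=''
    live_nss=$(getent group 2>/dev/null) || live_nss=''
else
    live_wb=$SAMPLE_WBINFO
    live_nss=$SAMPLE_GETENT_BROKEN
fi
printf 'state: %s\n' "$(nss_state "$live_wb" "$live_nss")"
groups_missing_from_nss "$live_wb" "$live_nss" | sed 's/^/missing from NSS: /'

# S-1-5-21-1-2-3 is a placeholder domain SID; 513 is Domain Users, 15000 a RID
# that the 10000-20000 range cannot hold.
for sid in S-1-5-21-1-2-3-513 S-1-5-21-1-2-3-15000; do
    if r_uid=$(rid_to_unix_id "$sid" 10000 20000); then
        printf '%s -> %s\n' "$sid" "$r_uid"
    else
        printf '%s -> no mapping in range 10000-20000\n' "$sid"
    fi
done
```

Two things worth knowing when reading the result. getent group with no argument only enumerates domain groups because both configs in the thread set winbind enum groups = Yes; a cheaper single-object probe that takes the same NSS path without enumeration is getent group 'domain users' (or getent passwd for a user). And the NSS path only works if /etc/nsswitch.conf lists winbind on the passwd and group lines, so when wbinfo works and getent does not, that file, libnss_winbind and the winbind cache are where to look before touching the join.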