[Samba] on linux samba file shares, groups and user are randomly lost. Using samba4 as Domain controller
Mario Pio Russo
mariopiorusso at ie.ibm.com
Tue Sep 1 13:24:53 UTC 2015
Great, thanks, I'll test your config files now!
Some questions first:
> I would also recommend Installing the 'acl' & 'attr' packages (if not
> already installed),
Those are installed and at the latest version on the file share server; are
they needed on the AD too (I would think not)?
> read up on using POSIX ACLs and lose the 'force' lines in the member
> server conf and use POSIX ACLs instead.
Sorry, but I don't get this; what do you mean? Some parameters in the
smb.conf to set up? Thanks!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 01/09/2015 13:54
Subject: Re: [Samba] on linux samba file shares, groups and user are randomly lost. Using samba4 as Domain controller
Sent by: "samba" <samba-bounces at lists.samba.org>
On 01/09/15 12:04, Mario Pio Russo wrote:
>
> Good day All
>
> I am re-proposing this topic as it keeps happening in our environment and
> is creating some trouble now.
>
> I have 1 samba file share server, and a different samba4 AD server.
>
> The file server has been recently updated to Ubuntu 14 and its native
> samba 4.1.6. The samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.
>
> What happens is that every 4~5 days the file share server loses randomly
> the groups/users associations. When doing ls on the shares, I do not see
> the domain users / groups but I just see their uid. When I try to access
> those shares, it gives permission denied. The only option is to reboot
> the file server. After reboot all comes back to normal. I can see the
> user/groups when "ls" and I can access mount the shares, but after a
> while all comes back again. Note that when the system is not working, getent
> group does not show anything, but wbinfo -g shows the groups correctly.
> On the AD, I have disabled the winbindd and I am using the original winbind.
>
> Here are the 2 smb.conf files (Note, I have cut off most of the shares )
>
> Samba file share:
>
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> server string = CSI Samba Server
> server role = member server
> security = ADS
> map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 2000
> #smb ports = 139
> name resolve order = wins, host, bcast
> server signing = required
> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE
> IPTOS_LOWDELAY TCP_NODELAY
> load printers = No
> disable spoolss = Yes
> local master = No
> domain master = No
> dns proxy = No
> wins server = 9.161.96.220
> template homedir = /home/winbind
> winbind cache time = 15
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 10000-20000
> full_audit:priority = NOTICE
> full_audit:facility = local7
> full_audit:failure = mkdir rename unlink rmdir open chown chmod
> connect readlink
> full_audit:prefix = %u,%I,%m,%S
> idmap config * : backend = tdb
> invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
> acl group control = Yes
> aio read size = 1
> aio write size = 1
> map acl inherit = Yes
> hide files = /lost+found/
> follow symlinks = No
> dos filemode = Yes
> vfs objects = full_audit
>
> [workplace]
> comment = ICS - CSI mantis build and daily kits folder
> path = /export/ICS/CSI/workplace
> valid users = @"domainusers"
> force create mode = 750
> force directory mode = 740
> writeable = Yes
> browseable = Yes
>
> [labadmins]
> comment = ICS - CSI Admins Share
> path = /export/ICS/CSI/labadmins
> valid users = @smbLabAdmins
> force create mode = 750
> force directory mode = 740
> writeable = Yes
> browseable = Yes
>
>
>
>
> samba AD :
>
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4-DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> server services = -winbindd +winbind
> dns forwarder = 9.0.138.50
> #server services = -winbindd +winbind
> idmap config CCDC:backend = ad
> idmap config CCDC:schema_mode = rfc2307
> idmap config CCDC:range = 10000-40000
>
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
>
> [netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> Funny thing is that I can't find anything relevant in the logs of the
> file share server.
>
> Any help is really appreciated.
>
> Thank you
>
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with
> number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge,
> Dublin 4
>
OK, I recommend you change your smb.conf files to these:
[global]
workgroup = CCDC
realm = CCDC.LAN
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = CSI Samba Server
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind cache time = 15
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config CCDC : backend = rid
idmap config CCDC : range = 10000-20000
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
#smb ports = 139
name resolve order = wins, host, bcast
server signing = required
load printers = No
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = 9.161.96.220
template homedir = /home/winbind
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:prefix = %u,%I,%m,%S
invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
acl group control = Yes
aio read size = 1
aio write size = 1
map acl inherit = Yes
hide files = /lost+found/
follow symlinks = No
dos filemode = Yes
vfs objects = acl_xattr full_audit
store dos attributes = Yes
[workplace]
comment = ICS - CSI mantis build and daily kits folder
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes
[labadmins]
comment = ICS - CSI Admins Share
path = /export/ICS/CSI/labadmins
valid users = @smbLabAdmins
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
I would also recommend installing the 'acl' & 'attr' packages (if not
already installed), reading up on using POSIX ACLs, and losing the 'force'
lines in the member server conf and using POSIX ACLs instead.
Rowland
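As an added check (example code, not from the thread or the Samba project), the script below parses a member-server smb.conf and flags the thing Rowland's config changes: the original member server has only the '*' tdb backend, while his version adds a dedicated rid-backed 'idmap config CCDC' block with a range disjoint from the '*' range. The inline confs are constructed, trimmed copies of the two [global] sections quoted above.

```python
# Added example (not from the thread): lint a member-server smb.conf for the
# idmap layout Rowland recommends: a dedicated 'idmap config DOMAIN' block
# whose range does not overlap the '*' default range.
import re

def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lowercased, whitespace is
    collapsed and spaces around ':' dropped, so 'idmap config * : range'
    and 'idmap config *:range' become the same key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # blank or comment line
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', re.sub(r'\s+', ' ', key.strip().lower()))
            conf[section][key] = value.strip()
    return conf

def parse_range(value):
    """'10000-20000' -> (10000, 20000)."""
    lo, hi = value.split('-')
    return int(lo), int(hi)

def idmap_findings(conf, domain):
    """List idmap problems in [global] for the given workgroup name."""
    g, d, out = conf.get('global', {}), domain.lower(), []
    star, dom = g.get('idmap config *:range'), g.get(f'idmap config {d}:range')
    if g.get('idmap config *:backend') is None or star is None:
        out.append("no 'idmap config *' backend/range")
    if g.get(f'idmap config {d}:backend') is None or dom is None:
        # Only the '*' tdb exists: domain SIDs get IDs allocated on first use
        # in winbindd_idmap.tdb rather than the deterministic rid mapping.
        out.append(f"no dedicated 'idmap config {domain}' block")
    elif star:
        (slo, shi), (dlo, dhi) = parse_range(star), parse_range(dom)
        if slo <= dhi and dlo <= shi:
            out.append(f"'*' range {star} overlaps {domain} range {dom}")
    return out

# Constructed, trimmed copies of the two member-server [global] sections.
ORIGINAL_MEMBER = "[global]\nworkgroup = CCDC\nsecurity = ADS\n" \
    "idmap config * : range = 10000-20000\nidmap config * : backend = tdb\n"
RECOMMENDED_MEMBER = ORIGINAL_MEMBER.replace("10000-20000", "2000-9999") + \
    "idmap config CCDC : backend = rid\nidmap config CCDC : range = 10000-20000\n"
```

Run it against the live file with idmap_findings(parse_smb_conf(open('/etc/samba/smb.conf').read()), 'CCDC'); an empty list means the domain has its own fixed mapping.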