[Samba] SAMBA4 - Trusted relationship lost every Weeks

Rowland Penny rpenny at samba.org
Wed Aug 16 07:57:08 UTC 2017


On Wed, 16 Aug 2017 09:05:32 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> 
> Here is our smb.conf.
> 
> Please note that this server uses nss resolution for DOMAIN_B users
> and idmap_ldap backend to resolve DOMAIN_A users.
> 
> Trusted relationship between works well for other services between
> those two domains. Only samba4 fileserver needs to rejoin DOMAIN_A
> domain (AD 2008 server) every week.
> 
> #======================= Global Settings =====================================
> [global]
>          server string = FILESERVER
>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          realm = DOMAIN_A
>          workgroup = DOMAIN_A
>          os level = 80
>          bind interfaces only = yes
>          interfaces = eth0
> 
>          ## Encoding ##
>          dos charset = 850
>          #display charset = UTF8
> 
>          ## Name resolution ##
>          dns proxy = no
>          wins support = no
>          name resolve order =  host wins bcast lmhosts
> 
>          ## Logs ##
>          max log size = 50
>          log level = 10
>          log file = /var/log/samba/%m.log
>          syslog only = no
>          syslog = 0
>          panic action = /usr/share/samba/panic-action %d
> 
>          ## Passwords ##
>          security = ADS
>          encrypt passwords = true
>          unix password sync = no
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>          invalid users = root
> 
>          ## Restrictions ##
>          hide special files = no
>          hide unreadable = no
>          hide dot files = no
> 
>          ## Resolve office save problems ##
>          oplocks = no
> 
>          ## ACL SUPPORT ##
>          nt acl support = yes
>          acl check permissions = yes
>          acl group control = yes
> 
>          # WINBIND
>          ldap ssl = off
>          ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
>          ldap suffix = dc=domain_a,dc=xm
>          ldap timeout = 90
>          ldap connection timeout = 20
>          winbind nested groups = yes
>          winbind expand groups = yes
>          winbind cache time = 5
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind separator = +
>          winbind use default domain = no
>          allow trusted domains = yes
> 
>          # IDMAP MDMAD XM
>          #GLOBAL
>          idmap config *: backend = tdb
>          idmap config *: range = 19000-19999
>          #DOMAIN_A
>          idmap config DOMAIN_A : backend      = ldap
>          idmap config DOMAIN_A : range        = 20000-9999999999
>          idmap config DOMAIN_A : ldap_url     = ldap://myldap.domain_a.com
>          idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
>          idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
>          #DOMAIN_B
>          idmap config DOMAIN_B : backend      = nss
>          idmap config DOMAIN_B : range        = 500-19000
> 
>          guest account = nobody
>          map to guest = Bad User
> 
> 
> Le 13/08/2017 à 10:58, Rowland Penny via samba a écrit :
> > On Sun, 13 Aug 2017 10:42:44 +0200
> > Julien TEHERY via samba <samba at lists.samba.org> wrote:
> >
> >> Hi All,
> >>
> >> Answering to myself, this problem still occurs again and again,
> >> every week as I mentioned before.
> >> Rejoining the domain each time for samba4 file server is the only
> >> workaround.
> >>
> >> What could be the origin of this kind of problem?
> >>
> > Can you post your smb.conf.
> >
> > Rowland
> >
> 
> 

You did say that this machine is joined to the AD domain (DOMAIN_A),
didn't you?

If so, why, if 'security = ADS' is in smb.conf, are you trying to use
ldap to connect to the AD DC ?????

Can I suggest you read 'man smb.conf', 'man idmap_rid', 'man idmap_ad',
'man idmap_nss' and finally this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Sorry to be the bearer of bad news, but your smb.conf is a mess. You
should be using the winbind 'ad' or 'rid' backend for DOMAIN_A (as an
aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A). You should
also probably be using the winbind 'rid' backend for DOMAIN_B, and ALL
ranges should not overlap.

Can I also ask, why are you still using Samba 3.5.x ?
It went EOL 5 years ago.

Rowland
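The overlapping-range problem Rowland points out can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it pulls every `idmap config DOM : range` line out of an smb.conf, reports any two domains whose ID ranges share an ID, and is run against a constructed copy of the quoted idmap block and a constructed 'rid'-based layout with non-overlapping ranges (the range values in the corrected layout are illustrative, not taken from the thread).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines as posted in the quoted smb.conf.
POSTED_SMB_CONF = """
[global]
         idmap config *: backend = tdb
         idmap config *: range = 19000-19999
         idmap config DOMAIN_A : backend      = ldap
         idmap config DOMAIN_A : range        = 20000-9999999999
         idmap config DOMAIN_B : backend      = nss
         idmap config DOMAIN_B : range        = 500-19000
"""

# Constructed sample following the advice in the reply: 'rid' backends for
# both trusted domains and ranges that do not touch. Values are illustrative.
CORRECTED_SMB_CONF = """
[global]
         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config DOMAIN_A : backend = rid
         idmap config DOMAIN_A : range = 10000-999999
         idmap config DOMAIN_B : backend = rid
         idmap config DOMAIN_B : range = 1000000-1999999
"""

# Matches "idmap config <domain> : range = <low>-<high>", with or without
# whitespace around the colon; '*' is the default domain.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every idmap range line in conf."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str, int, int]]:
    """Return (dom_a, dom_b, first_shared_id, last_shared_id) for each overlapping pair."""
    names = sorted(ranges)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:  # inclusive ranges share at least one ID
                hits.append((a, b, lo, hi))
    return hits
```

Run against the posted block it reports that the '*' and DOMAIN_B ranges both claim ID 19000; the corrected layout produces no overlaps.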


