[Samba] SAMBA4 - Trusted relationship lost every Weeks
Rowland Penny
rpenny at samba.org
Wed Aug 16 07:57:08 UTC 2017
On Wed, 16 Aug 2017 09:05:32 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:
> Hi,
>
>
> Here is our smb.conf.
>
> Please note that this server uses nss resolution for DOMAIN_B users
> and idmap_ldap backend to resolve DOMAIN_A users.
>
> Trusted relationship between works well for other services between
> those two domains. Only samba4 fileserver needs to rejoin DOMAIN_A
> domain (AD 2008 server) every week.
>
> #======================= Global Settings =====================================
> [global]
> server string = FILESERVER
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> realm = DOMAIN_A
> workgroup = DOMAIN_A
> os level = 80
> bind interfaces only = yes
> interfaces = eth0
>
> ## Encoding ##
> dos charset = 850
> #display charset = UTF8
>
> ## Name resolution ##
> dns proxy = no
> wins support = no
> name resolve order = host wins bcast lmhosts
>
> ## Logs ##
> max log size = 50
> log level = 10
> log file = /var/log/samba/%m.log
> syslog only = no
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> ## Passwords ##
> security = ADS
> encrypt passwords = true
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> invalid users = root
>
> ## Restrictions ##
> hide special files = no
> hide unreadable = no
> hide dot files = no
>
> ## Resolve office save problems ##
> oplocks = no
>
> ## ACL SUPPORT ##
> nt acl support = yes
> acl check permissions = yes
> acl group control = yes
>
> # WINBIND
> ldap ssl =off
> ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
> ldap suffix = dc=domain_a,dc=xm
> ldap timeout = 90
> ldap connection timeout = 20
> winbind nested groups = yes
> winbind expand groups = yes
> winbind cache time = 5
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = no
> allow trusted domains = yes
>
> # IDMAP MDMAD XM
> #GLOBAL
> idmap config *: backend = tdb
> idmap config *: range = 19000-19999
> #DOMAIN_A
> idmap config DOMAIN_A : backend = ldap
> idmap config DOMAIN_A : range = 20000-9999999999
> idmap config DOMAIN_A : ldap_url = ldap://myldap.domain_a.com
> idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
> idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
> #DOMAIN_B
> idmap config DOMAIN_B backend = nss
> idmap config DOMAIN_B: range = 500-19000
>
> guest account = nobody
> map to guest = Bad User
>
>
> On 13/08/2017 at 10:58, Rowland Penny via samba wrote:
> > On Sun, 13 Aug 2017 10:42:44 +0200
> > Julien TEHERY via samba <samba at lists.samba.org> wrote:
> >
> >> Hi All,
> >>
> >> Answering to myself, this problem still occurs again and again,
> >> every week as I mentioned before.
> >> Rejoining the domain each time for samba4 file server is the only
> >> workaround.
> >>
> >> What could be the origin of this kind of problem?
> >>
> > Can you post your smb.conf.
> >
> > Rowland
> >
>
>
You did say that this machine is joined to the AD domain (DOMAIN A),
didn't you?
If so, why, if 'security = ADS' is in smb.conf, are you trying to use
ldap to connect to the AD DC?????
Can I suggest you read 'man smb.conf', 'man idmap_rid', 'man idmap_ad',
'man idmap_nss' and finally this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Sorry to be the bearer of bad news, but your smb.conf is a mess. You
should be using the winbind 'ad' or 'rid' backend for DOMAIN_A (as an
aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A). You should
also probably be using the winbind 'rid' backend for DOMAIN_B, and ALL
ranges should not overlap.
Can I also ask, why are you still using Samba 3.5.x ?
It went EOL 5 years ago.
Rowland
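An added check, not part of this thread or of Samba itself: a small Python script that parses the idmap lines of an smb.conf excerpt (constructed here to mirror the one posted) and reports the three things Rowland calls out, lines that do not follow the documented 'idmap config DOMAIN : OPTION = VALUE' form, an 'ldap' idmap backend while 'security = ADS' is set, and overlapping ranges (the posted 500-19000 and 19000-19999 share the ID 19000).

```python
import re

# Constructed excerpt mirroring the poster's idmap lines (not the full file).
SAMPLE_SMB_CONF = """
security = ADS
idmap config *: backend = tdb
idmap config *: range = 19000-19999
idmap config DOMAIN_A : backend = ldap
idmap config DOMAIN_A : range = 20000-9999999999
idmap config DOMAIN_B backend = nss
idmap config DOMAIN_B: range = 500-19000
"""

# Documented syntax is 'idmap config DOMAIN : OPTION = VALUE' (man smb.conf).
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)$", re.I)

def parse_idmap(text):
    """Return ({domain: {'backend': str, 'range': (lo, hi)}}, [malformed lines])."""
    domains, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue  # comments, blanks and unrelated parameters
        m = IDMAP_RE.match(line)
        if not m:
            malformed.append(line)  # e.g. the colon-less 'DOMAIN_B backend' line
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            entry["range"] = tuple(int(x) for x in val.split("-", 1))
        else:
            entry["backend"] = val.lower()
    return domains, malformed

def audit(text):
    """Findings Rowland points at: bad syntax, ldap under ADS, overlapping ranges."""
    domains, malformed = parse_idmap(text)
    findings = ["malformed idmap line: " + l for l in malformed]
    is_ads = re.search(r"^\s*security\s*=\s*ads\s*$", text, re.I | re.M) is not None
    for dom, e in domains.items():
        if is_ads and e.get("backend") == "ldap":
            findings.append(f"{dom}: 'ldap' backend under security = ADS; use 'ad' or 'rid'")
    # Sort by low bound; a neighbour whose low bound is <= the previous high bound overlaps.
    ranged = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"ranges overlap: {d1} {r1[0]}-{r1[1]} and {d2} {r2[0]}-{r2[1]}")
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` against a real file to get the same three kinds of findings; an empty list means the idmap section is at least syntactically and range-wise consistent.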