[Samba] SAMBA4 - Trusted relationship lost every Weeks

Julien TEHERY julien.tehery at openevents.fr
Wed Aug 16 15:47:25 UTC 2017

> You did say that this machine is joined to the AD domain (DOMAIN
> A), didn't you ?
>> Yes
> If so, why, if 'security = ADS' is in smb.conf, are you trying to use
> ldap to connect to the AD DC ?????

>> Not at all. If that were the case the machine would never have been
joined to DOMAIN_A.
Joining this machine to the 2008 domain (via net ads join..) succeeded
without any problem.
About the ldap connector, we just thought winbind would use it towards the
ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
We actually use nss to resolve those uid/gid.
> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
> 'man idmap_nss' and finally this:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>> Yes, I know it's ugly, but this configuration is a transitional one
to migrate users and their homes from an old Samba NT4 domain to an AD.
The main goal was to make resources available to users from both domains
(actually it works through a bidirectional trust).
The fact is this is not the prettiest config; as we didn't have the
prerequisites for idmap_ad, we tried the idmap_ldap backend and it works.
Using several fileservers, they resolve the same uid/gid for a specific
IMO I don't think this setup can cause such a cyclic problem (exactly
every week..), but I'm probably wrong.

> (as an
> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>> For sure; in production they are different (this is the result of
anonymising the config).
> You should
> also probably be using the winbind 'rid' backend for DOMAIN_B
>> We actually use nss. What advantage does using the rid backend offer
instead of nss?
>   and ALL
> ranges should not overlap.
>> A mistake in the copy/paste of the configuration; it's not actually the case.

> Can I also ask, why are you still using Samba 3.5.x ?
> It went EOL 5 years ago.
>> :) You're right. Upgrading the main production PDC from this old
version has to be studied carefully. The head chiefs decided to migrate to
another Windows domain instead of maintaining this one, as I explained above.
> Rowland
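The two points Rowland raises in the reply above (use the winbind 'ad' or 'rid' backend for each trusted domain, and make sure no idmap ranges overlap) are easy to get wrong by copy/paste, which is exactly what the "mistake in copy/paste" answer describes. Below is an added example, not code from the Samba project or from anyone in the thread: a small Python checker that parses the `idmap config <DOM> : backend` and `idmap config <DOM> : range` lines of an smb.conf and reports overlapping or missing ranges. The embedded smb.conf texts are constructed here to mirror the anonymised DOMAIN_A / DOMAIN_B layout in the thread; the backend choices, realm name and range numbers are assumptions for illustration, not values from the original configuration.

```python
"""Check winbind idmap ranges in an smb.conf for overlap.

Added example, not code from the Samba project or from the thread's author.
The smb.conf samples below are constructed; realm, backends and ranges are
illustrative assumptions chosen to match the layout Rowland recommends.
"""
import re
from typing import Dict, List, Tuple

# Constructed "good" layout: rid backend for both trusted domains, a
# separate tdb range for "*" (anything winbind cannot map to a named
# domain), and all three ranges disjoint.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN_A
    realm = DOMAIN-A.EXAMPLE.COM
    security = ADS
    winbind use default domain = yes

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-999999

    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 1000000-1999999
"""

# Constructed "bad" layout: the DOMAIN_B block was pasted from DOMAIN_A and
# its range was never changed, so the two domains share one uid/gid space.
BROKEN_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-999999
    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 10000-999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
BACKEND_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*backend\s*=\s*(?P<be>\S+)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Return {DOMAIN: {"backend": str|None, "range": (lo, hi)|None}}."""
    out: Dict[str, dict] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # strip smb.conf comments
        m = RANGE_RE.match(line)
        if m:
            d = out.setdefault(m["dom"].upper(), {"backend": None, "range": None})
            d["range"] = (int(m["lo"]), int(m["hi"]))
            continue
        m = BACKEND_RE.match(line)
        if m:
            d = out.setdefault(m["dom"].upper(), {"backend": None, "range": None})
            d["backend"] = m["be"].lower()
    return out


def find_problems(idmap: Dict[str, dict]) -> List[str]:
    """Report missing default range, domains without a range, inverted
    ranges, and any pair of ranges that overlap (sweep over sorted lows)."""
    problems: List[str] = []
    if "*" not in idmap:
        problems.append("no 'idmap config * : range' default range defined")
    ranged: List[Tuple[str, int, int]] = []
    for dom, cfg in idmap.items():
        if cfg["range"] is None:
            problems.append(f"{dom}: backend {cfg['backend']} has no range")
            continue
        lo, hi = cfg["range"]
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} is inverted")
            continue
        ranged.append((dom, lo, hi))
    ranged.sort(key=lambda t: t[1])
    cur_dom, cur_hi = None, -1
    for dom, lo, hi in ranged:
        if cur_dom is not None and lo <= cur_hi:
            problems.append(f"{dom} ({lo}-{hi}) overlaps {cur_dom} (ends at {cur_hi})")
        if hi > cur_hi:
            cur_dom, cur_hi = dom, hi
    return problems


def check_conf(conf: str) -> List[str]:
    """Parse an smb.conf text and return the list of idmap problems."""
    return find_problems(parse_idmap(conf))


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(name, check_conf(text) or "OK")
```

Run it against a real smb.conf with `check_conf(open("/etc/samba/smb.conf").read())`; an empty list means every named domain has its own range, the `*` default range exists, and none of them overlap. It deliberately does not judge whether 'nss', 'ldap', 'ad' or 'rid' is the right backend, since that depends on the domain, but any domain that has a backend and no range is flagged.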

