[Samba] SAMBA4 - Trusted relationship lost every Weeks
Julien TEHERY
julien.tehery at openevents.fr
Wed Aug 16 15:47:25 UTC 2017
> You did say that this machine is joined to the AD domain (DOMAIN
> A), didn't you ?
>> Yes
>
> If so, why, if 'security = ADS' is in smb.conf, are you trying to use
> ldap to connect to the AD DC ?????
>> Not at all. If that were the case the machine would never have been
joined to DOMAIN_A.
Joining this machine to the 2008 domain (via net ads join..) succeeded
without any problem.
About the ldap connector, we just thought winbind would use it towards the ldap
server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
We actually use nss to resolve those uid/gid.
>
> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
> 'man idmap_nss' and finally this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>> Yes I know it's ugly, but this configuration is a transitional one
to migrate users and their homes from an old Samba NT4 domain to an AD
domain.
The main goal was to make resources available to users from both domains
(actually it works through a bidirectional trust).
The fact is this is not the prettiest config; as we didn't have the
prerequisites for idmap_ad, we tried the idmap_ldap backend and it works.
Using several fileservers, they resolve the same uid/gid for a specific
user.
IMO I don't think this setup can cause such a cyclic problem (exactly
every week..), but I'm probably wrong.
> (as an
> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>> For sure, in production they are different (this is the result of
anonymising the config).
> You should
> also probably be using the winbind 'rid' backend for DOMAIN_B
>> We actually use nss. What advantage does using the rid backend offer instead
of nss?
> and ALL
> ranges should not overlap.
>> A mistake in the copy/pasted configuration, it's not actually the case.
>
> Can I also ask, why are you still using Samba 3.5.x ?
> It went EOL 5 years ago.
>> :) you're right. Upgrading the main production PDC from this old
version has to be studied carefully. The head chiefs decided to migrate to
another Windows domain instead of maintaining this one, as I explained above.
>
> Rowland
>
Julien
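For reference, an added example smb.conf idmap layout of the kind Rowland recommends (rid backend for both domains, non-overlapping ranges, realm distinct from workgroup). This is not the configuration from the thread; the realm and the range values are placeholders.

```ini
[global]
   workgroup = DOMAIN_A
   ; placeholder realm, deliberately different from the workgroup name
   realm = AD.EXAMPLE.COM
   security = ADS

   ; default backend for BUILTIN and any domain not listed below
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; DOMAIN_A: the AD domain this server is joined to ('ad' instead of 'rid'
   ; only if rfc2307 uidNumber/gidNumber attributes are populated in AD)
   idmap config DOMAIN_A : backend = rid
   idmap config DOMAIN_A : range = 10000-999999

   ; DOMAIN_B: trusted Samba 3.x domain, also mapped with 'rid'
   idmap config DOMAIN_B : backend = rid
   idmap config DOMAIN_B : range = 1000000-1999999
```

The three ranges must not overlap, and the default `*` range has to be present so that BUILTIN SIDs can be mapped.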