[Samba] SAMBA4 - Trusted relationship lost every Weeks

Rowland Penny rpenny at samba.org
Wed Aug 16 16:18:37 UTC 2017

Very hard to understand this post, but see inline comments:

On Wed, 16 Aug 2017 17:47:25 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:

> > You did say that this machine is joined to the AD domain (DOMAIN
> > A), didn't you ?
>  >> Yes
> >
> > If so, why, if 'security = ADS' is in smb.conf, are you trying to
> > use ldap to connect to the AD DC ?????
>  >> Not at all. If it was the case the machine would never have been
> joined to DOMAIN_A
> Joining this machine to the 2008 domain (via net ads join..) succeeded
> without any problem.
> About the ldap connector, we just thought winbind would use it towards
> the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
> We actually use nss to resolve those uid/gid

It doesn't, and idmap_nss is used to ensure that a local Unix user is
mapped to an AD user; the only problem with your setup is that you
cannot have a user with the same name in AD and /etc/passwd.

> >
> > Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
> > idmap_ad', 'man idmap_nss' and finally this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Please read the manpages and the wiki page.

> >
> > Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> > should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>  >> Yes I know it's ugly, but this configuration is a transitional
>  >> one
> to migrate users and their homes from an old samba NT4 domain to an
> AD domain.
> Main goal was to make resources available to users from both domains
> (actually it works through bidirectional trust).
> The fact is this is not the prettiest config; as we didn't have the
> prerequisites for idmap_ad, we tried the idmap_ldap backend and it works.

You don't have to use the 'ad' backend; in fact, in your case I would
use the 'rid' backend.

> Using several fileservers, they resolve the same uid/gid for a
> specific user.
> IMO I don't think this setup can cause such a cyclic problem (exactly
> every week..), but I'm probably wrong.

I don't think it is either. What I think is going wrong is that the
Kerberos ticket is expiring, and I don't think you can fix it with your
smb.conf. I would have expected an idmap block something like this:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-99999
    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 10000000-19999999

I would also have expected to see this line:

    winbind refresh tickets = Yes

> > (as an
> > aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>  >> For sure, in production they are different (this is the result of 
> anonymising config)
> > You should
> > also probably be using the winbind 'rid' backend for DOMAIN_B
>  >> We actually use nss. What advantage does using the rid backend
>  >> offer instead
> of nss ?
> >   and ALL
> > ranges should not overlap.
>  >> A mistake in copy/paste configuration, it's not the case actually.
> >
> > Can I also ask, why are you still using Samba 3.5.x ?
> > It went EOL 5 years ago.
>  >> :) you're right. Upgrading the main production PDC from this old
> version has to be studied carefully. Head chiefs decided to migrate
> to another windows domain instead of maintaining this one as I
> explained above.

Good choice to migrate, you just seem to have gone about it the wrong
way, but they are your domains and you can do it your way.
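As an added example, not code from the thread or from the Samba project, here is a small Python checker for the two configuration points raised above: idmap ranges that must not overlap (malformed ranges included) and 'winbind refresh tickets' being switched on. The smb.conf fragment is constructed and deliberately wrong; the parser assumes only the 'idmap config DOMAIN : key = value' and 'option = value' line forms, which is all it needs for these checks.

```python
import re

# Constructed smb.conf fragment modelled on the idmap block above, with the
# DOMAIN_B range deliberately overlapping DOMAIN_A's and no ticket refresh.
SAMPLE_SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-99999
    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 50000-19999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
OPTION_RE = re.compile(r"^\s*([^=\[#;][^=]*?)\s*=\s*(.+?)\s*$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_smb_conf(conf):
    """Split smb.conf text into per-domain idmap settings and the other options."""
    domains, options = {}, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
            continue
        m = OPTION_RE.match(line)
        if m:
            options[re.sub(r"\s+", " ", m.group(1)).lower()] = m.group(2)
    return domains, options

def check_idmap(conf):
    """Flag what the thread warns about: bad or overlapping idmap ranges and
    'winbind refresh tickets' left off. Returns a list of problem strings."""
    domains, options = parse_smb_conf(conf)
    problems, ranges = [], []
    for domain, settings in domains.items():
        m = RANGE_RE.match(settings.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{domain}: missing or invalid idmap range")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), domain))
    top_hi, top_dom = -1, ""  # highest range end seen so far, for overlap detection
    for lo, hi, dom in sorted(ranges):
        if lo <= top_hi:
            problems.append(f"ranges overlap: {top_dom} ends at {top_hi}, {dom} starts at {lo}")
        top_hi, top_dom = max((top_hi, top_dom), (hi, dom))
    if options.get("winbind refresh tickets", "no").lower() not in ("yes", "true", "1"):
        problems.append("'winbind refresh tickets' is not enabled")
    return problems
```

Running check_idmap(SAMPLE_SMB_CONF) reports the DOMAIN_A/DOMAIN_B overlap and the missing refresh setting; with the DOMAIN_B range moved to 10000000-19999999 and 'winbind refresh tickets = Yes' added, it reports nothing.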
