[Samba] SAMBA4 - Trusted relationship lost every week
Julien TEHERY
julien.tehery at openevents.fr
Thu Aug 17 08:05:36 UTC 2017
On 16/08/2017 at 18:18, Rowland Penny via samba wrote:
> Very hard to understand this post, but see inline comments:
>
> On Wed, 16 Aug 2017 17:47:25 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>>> You did say that this machine is joined to the AD domain (DOMAIN
>>> A), didn't you ?
>> Yes
>>> If so, why, if 'security = ADS' is in smb.conf, are you trying to
>>> use ldap to connect to the AD DC ?????
>> Not at all. If that were the case, the machine would never have been
>> joined to DOMAIN_A.
>> Joining this machine to the 2008 domain (via net ads join..) succeeded
>> without any problem.
>> About the ldap connector: we just thought winbind would use it towards the
>> ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
>> We actually use nss to resolve those uids/gids.
> It doesn't, and idmap_nss is used to ensure that a local Unix user is mapped
> to an AD user; the only problem with your setup is, you cannot have a
> user with the same name in AD and /etc/passwd.
>
>>> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
>>> idmap_ad', 'man idmap_nss' and finally this:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Please read the manpages and the wikipage
>
>
>>> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
>>> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>> Yes, I know it's ugly, but this configuration is a transitional one
>> to migrate users and their homes from an old Samba NT4 domain to an
>> AD domain.
>> The main goal was to make resources available to users from both domains
>> (actually it works, through a bidirectional trust).
>> The fact is, this is not the prettiest config; as we didn't have the
>> prerequisites for idmap_ad, we tried the idmap_ldap backend and it works.
> You don't have to use the 'ad' backend, in fact in your case I would
> use the 'rid' backend
>
>> Using several fileservers, they resolve the same uid/gid for a
>> specific user.
>> IMO I don't think this setup can cause such a cyclic problem (exactly
>> every week..), but I'm probably wrong.
> I don't think it is either, what I think is going wrong is the kerberos
> ticket is expiring and I don't think you can fix it with your smb.conf.
> I would have expected an idmap block something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN_A : backend = rid
> idmap config DOMAIN_A : range = 10000-99999
> idmap config DOMAIN_B : backend = rid
> idmap config DOMAIN_B : range = 10000000-19999999
>
> I would also have expected to see this line:
>
> winbind refresh tickets = Yes
>
>>> (as an
>>> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>> For sure, in production they are different (this is the result of
>> anonymising the config).
>>> You should
>>> also probably be using the winbind 'rid' backend for DOMAIN_B
>> We actually use nss. What advantage does using the rid backend
>> instead of nss offer?
>>> and ALL
>>> ranges should not overlap.
>> A mistake in the copy/pasted configuration; it's not actually the case.
>>
>>> Can I also ask, why are you still using Samba 3.5.x ?
>>> It went EOL 5 years ago.
>> :) you're right. Upgrading the main production PDC from this old
>> version has to be studied carefully. The head chiefs decided to migrate
>> to another Windows domain instead of maintaining this one, as I
>> explained above.
> Good choice to migrate, you just seem to have gone about it the wrong
> way, but they are your domains and you can do it your way.
>
> Rowland
>
>
Ticket lifetime is 24 hours by default and renewal lifetime is 7 days in
an Active Directory.
I will add those configurations:
krb5.conf:
ticket_lifetime = 24h
renew_lifetime = 7d
smb.conf:
winbind refresh tickets = Yes
My guess is that I didn't have a proper setup in krb5.conf.
I'll let you know in a week.
Thanks for your help.
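The idmap block Rowland sketches above has two properties he insists on: every domain (including the `*` default) gets a backend and a range, and no two ranges overlap; he also expects `winbind refresh tickets = Yes`. The following is an added example, not code from this thread or from the Samba project: a small checker that parses the `idmap config ... : backend/range` lines of a `[global]` fragment and reports those problems. The two sample configurations are constructed for the example (the "good" one is Rowland's suggested block plus the refresh-tickets line; the "bad" one mimics the copy/paste slip mentioned in the thread), and DOMAIN_A/DOMAIN_B are the thread's anonymised names.

```python
"""Sanity-check the idmap part of a Samba smb.conf [global] fragment.

Added example, not code from the thread or from the Samba project. It
reports: a domain (or the '*' default) without a backend or range, ranges
that overlap, and 'winbind refresh tickets' not enabled.
"""
import re
from typing import Dict, List, Tuple

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
OPTION_RE = re.compile(r"^\s*(?P<key>[a-z][a-z0-9 ]*?)\s*=\s*(?P<val>.+?)\s*$", re.IGNORECASE)


def parse_global(conf: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Split a [global] fragment into per-domain idmap settings and plain options."""
    domains: Dict[str, Dict[str, str]] = {}
    options: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        # smb.conf comment lines start with '#' or ';'; '[section]' headers carry no settings
        if not line or line[0] in "#;[":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
            continue
        m = OPTION_RE.match(line)
        if m:
            options[" ".join(m["key"].lower().split())] = m["val"]
    return domains, options


def parse_range(text: str) -> Tuple[int, int]:
    """'10000-99999' -> (10000, 99999); raises ValueError on junk or low > high."""
    lo, hi = (int(part) for part in text.split("-"))
    if lo > hi:
        raise ValueError(f"range low bound above high bound: {text!r}")
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the fragment passes."""
    domains, options = parse_global(conf)
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default block")
    ranges = []
    for dom, cfg in sorted(domains.items()):
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend configured")
        if "range" not in cfg:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {cfg['range']!r}")
            continue
        ranges.append((dom, lo, hi))
    # Every pair is compared, so an overlap is reported even when one range nests in another.
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    if options.get("winbind refresh tickets", "no").lower() not in ("yes", "true", "1"):
        problems.append("'winbind refresh tickets = yes' is not set")
    return problems


# Constructed sample: Rowland's suggested idmap block plus the refresh-tickets line.
GOOD_CONF = """\
[global]
   security = ADS
   winbind refresh tickets = Yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN_A : backend = rid
   idmap config DOMAIN_A : range = 10000-99999
   idmap config DOMAIN_B : backend = rid
   idmap config DOMAIN_B : range = 10000000-19999999
"""

# Constructed sample: the copy/paste slip mentioned in the thread (DOMAIN_B reusing
# DOMAIN_A's range) and no 'winbind refresh tickets' line.
BAD_CONF = """\
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN_A : backend = ldap
   idmap config DOMAIN_A : range = 10000-99999
   idmap config DOMAIN_B : backend = nss
   idmap config DOMAIN_B : range = 10000-99999
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_idmap(conf) or ["OK"])
```

Run it against the `[global]` section of the real smb.conf (for example by reading the file and passing its contents to `check_idmap`) before the next weekly failure window; it does not talk to winbind or Kerberos, it only checks that the file matches the layout Rowland describes.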