[Samba] SAMBA4 - Trusted relationship lost every Weeks

Julien TEHERY julien.tehery at openevents.fr
Thu Aug 17 08:05:36 UTC 2017

Le 16/08/2017 à 18:18, Rowland Penny via samba a écrit :
> Very hard to understand this post, but see inline comments:
> On Wed, 16 Aug 2017 17:47:25 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>>> You did say that this machine is joined to the AD domain (DOMAIN
>>> A), didn't you ?
>>   >> Yes
>>> If so, why, if 'security = ADS' is in smb.conf, are you trying to
>>> use ldap to connect to the AD DC ?????
>>   >> Not at all. If it was the case the machine would have never be
>> joined to DOMAIN_A
>> Joining this machine to the 2008 domain (via net ads join..) succeed
>> whitout any problem.
>> About ldap connector we just thought winbind would use it towards
>> ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid  resolution.
>> We actually use nss to resolve those uid/gid
> It doesn't and idmap_nss is used to ensure that a local Unix is mapped
> to an AD user, the only problem with your setup is, you cannot have a
> user with the same name in AD and /etc/passwd.
>>> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
>>> idmap_ad', 'man idmap_nss' and finally this:
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Please read the manpages and the wikipage
>>> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
>>> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>>   >> Yes I know it's ugly, but this configuration is a transitionnal
>>   >> one
>> to migrate users and their homes from an old samba NT4 domain to an
>> AD domain.
>> Main goal was to make resources available to users from both domains
>> (actually it works through bidirectional trust).
>> The fact is this is not the prettiest config, as we didn't have
>> prerequisites for idmap_ad, we tried idmap_ldap backend and it works.
> You don't have to use the 'ad' backend, in fact in your case I would
> use the 'rid' backend
>> Using several fileservers, they resolve the same uid/gid for a
>> specific user.
>> IMO I don't think this setup can cause such  a cylic problem (exactly
>> every week..), but I'm probably wrong.
> I don't think it is either, what I think is going wrong is the kerberos
> ticket is expiring and I don't think you can fix it with your smb.conf.
> I would have expected an idmap block something like this:
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config DOMAIN_A : backend = rid
>      idmap config DOMAIN_A : range = 10000-99999
>      idmap config DOMAIN_B : backend = rid
>      idmap config DOMAIN_B : range = 10000000-19999999
> I would also have expected to see this line:
>      winbind refresh tickets = Yes
>>> (as an
>>> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>>   >> For sure, in production they are different (this is the result of
>> anonymising config)
>>> You should
>>> also probably be using the winbind 'rid' backend for DOMAIN_B
>>   >> We actually use nss. what advantage offers using rid backend
>>   >> instead
>> of nss ?
>>>    and ALL
>>> ranges should not overlap.
>>   >> A mistake in copy/paste configuration, it's not the case actually.
>>> Can I also ask, why are you still using Samba 3.5.x ?
>>> It went EOL 5 years ago.
>>   >> :) you're right. Upgrading the main production PDC from this old
>> version has to be studied carrefully. Head chiefs decided to migrate
>> to another windows domain instead of maintaining this one as I
>> explained above.
> Good choice to migrate, you just seem to have gone about it the wrong
> way, but they are your domains and you can do it your way.
> Rowland

Ticket lifetime is 24 hours by default and renewal lifetime is 7 days in 
an Active Directory.

I will add those configurations:


  ticket_lifetime = 24h
  renew_lifetime = 7d

winbind refresh tickets = Yes

My guess is that I didn't have proper setup in krb5.conf.
I'll let you know in a week.

Thanks for your help.

More information about the samba mailing list