[Samba] SAMBA4 - Trusted relationship lost every week

Rowland Penny rpenny at samba.org
Thu Aug 17 08:32:00 UTC 2017


On Thu, 17 Aug 2017 10:05:36 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:

> 
> > On 16/08/2017 18:18, Rowland Penny via samba wrote:
> > Very hard to understand this post, but see inline comments:
> >
> > On Wed, 16 Aug 2017 17:47:25 +0200
> > Julien TEHERY via samba <samba at lists.samba.org> wrote:
> >
> >>> You did say that this machine is joined to the AD domain (DOMAIN
> >>> A), didn't you ?
> >> Yes
> >>> If so, why, if 'security = ADS' is in smb.conf, are you trying to
> >>> use ldap to connect to the AD DC ?????
> >> Not at all. If that were the case the machine would never have been
> >> joined to DOMAIN_A.
> >> Joining this machine to the 2008 domain (via net ads join..)
> >> succeeded without any problem.
> >> About the ldap connector, we just thought winbind would use it towards
> >> the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
> >> We actually use nss to resolve those uid/gid.
> > It doesn't, and idmap_nss is used to ensure that a local Unix user is
> > mapped to an AD user; the only problem with your setup is, you
> > cannot have a user with the same name in AD and /etc/passwd.
> >
> >>> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
> >>> idmap_ad', 'man idmap_nss' and finally this:
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > Please read the manpages and the wikipage
> >
> >
> >>> Sorry to be the bearer of bad news, but your smb.conf is a mess,
> >>> you should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
> >> Yes I know it's ugly, but this configuration is a transitional one
> >> to migrate users and their homes from an old samba NT4 domain to an
> >> AD domain.
> >> Main goal was to make resources available to users from both
> >> domains (actually it works through bidirectional trust).
> >> The fact is this is not the prettiest config, as we didn't have
> >> prerequisites for idmap_ad, we tried idmap_ldap backend and it
> >> works.
> > You don't have to use the 'ad' backend, in fact in your case I would
> > use the 'rid' backend
> >
> >> Using several fileservers, they resolve the same uid/gid for a
> >> specific user.
> >> IMO I don't think this setup can cause such a cyclic problem
> >> (exactly every week..), but I'm probably wrong.
> > I don't think it is either, what I think is going wrong is the
> > kerberos ticket is expiring and I don't think you can fix it with
> > your smb.conf. I would have expected an idmap block something like
> > this:
> >
> >      idmap config * : backend = tdb
> >      idmap config * : range = 3000-7999
> >      idmap config DOMAIN_A : backend = rid
> >      idmap config DOMAIN_A : range = 10000-99999
> >      idmap config DOMAIN_B : backend = rid
> >      idmap config DOMAIN_B : range = 10000000-19999999
> >
> > I would also have expected to see this line:
> >
> >      winbind refresh tickets = Yes
> >
> >>> (as an
> >>> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
> >> For sure, in production they are different (this is the result of
> >> anonymising the config).
> >>> You should
> >>> also probably be using the winbind 'rid' backend for DOMAIN_B
> >> We actually use nss. What advantage does using the rid backend offer
> >> over nss?
> >>>    and ALL
> >>> ranges should not overlap.
> >> A mistake in copy/paste configuration, it's not the case actually.
> >>
> >>> Can I also ask, why are you still using Samba 3.5.x ?
> >>> It went EOL 5 years ago.
> >> :) you're right. Upgrading the main production PDC from this old
> >> version has to be studied carefully. Head chiefs decided to
> >> migrate to another windows domain instead of maintaining this one
> >> as I explained above.
> > Good choice to migrate, you just seem to have gone about it the
> > wrong way, but they are your domains and you can do it your way.
> >
> > Rowland
> >
> >
> 
> Ticket lifetime is 24 hours by default and renewal lifetime is 7 days
> in an Active Directory.
> 
> I will add those configurations:
> 
> krb5.conf:
> 
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
> 

You only need this in /etc/krb5.conf

[libdefaults]
	default_realm = SAMDOM.EXAMPLE.COM
	dns_lookup_realm = false
	dns_lookup_kdc = true

Rowland
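As an added example (not from this thread and not Samba's own code), a small Python check for the idmap points raised above: every `idmap config` domain has a backend and a range, no two ranges overlap, the `*` default block exists, `winbind refresh tickets` is enabled on an ADS member, and workgroup is not spelled the same as realm. The two smb.conf texts below are constructed for the example; Samba's own `testparm -s` remains the authoritative parser.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap block Rowland suggests, with ticket refresh.
GOOD_SMB_CONF = """
[global]
    workgroup = DOMA
    realm = DOMA.EXAMPLE.COM
    security = ADS
    winbind refresh tickets = Yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-99999
    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 10000000-19999999
"""

# Constructed sample with the mistakes the thread calls out: overlapping
# ranges, no ticket refresh, and workgroup identical to realm.
BAD_SMB_CONF = """
[global]
    workgroup = DOMAIN_A
    realm = DOMAIN_A
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-99999
    idmap config DOMAIN_B : backend = nss
    idmap config DOMAIN_B : range = 50000-150000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([a-z][a-z ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_smb_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (global parameters, idmap settings per domain).
    Keys are lower-cased, domain names upper-cased; comments and
    section headers are skipped. This is a minimal reader, not testparm."""
    params: Dict[str, str] = {}
    idmap: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(s)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[key] = val
            continue
        m = PARAM_RE.match(s)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params, idmap


def parse_range(spec: str) -> Tuple[int, int]:
    """'10000-99999' -> (10000, 99999); raises ValueError on junk."""
    lo, hi = (int(x) for x in spec.replace(" ", "").split("-", 1))
    return lo, hi


def is_yes(val: str) -> bool:
    return val.strip().lower() in ("yes", "true", "1")


def check_idmap(text: str) -> List[str]:
    """Return a list of problems found; an empty list means all checks passed."""
    params, idmap = parse_smb_conf(text)
    problems: List[str] = []
    if "*" not in idmap:
        problems.append("no 'idmap config *' default backend/range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap.items():
        if "backend" not in cfg:
            problems.append(f"{dom}: no backend")
        if "range" not in cfg:
            problems.append(f"{dom}: no range")
            continue
        try:
            lo, hi = parse_range(cfg["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {cfg['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: empty or inverted range {lo}-{hi}")
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    if params.get("security", "").lower() == "ads":
        if not is_yes(params.get("winbind refresh tickets", "no")):
            problems.append("'winbind refresh tickets = yes' not set")
        wg, realm = params.get("workgroup", "").upper(), params.get("realm", "").upper()
        if wg and realm and wg == realm:
            problems.append(f"workgroup and realm are both {wg!r}; workgroup should be the NetBIOS name")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(name, check_idmap(conf) or "OK")
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; it only reads text, so it is safe to run on a production member server before restarting winbind.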


