[Samba] problem with sessions

Rowland Penny rpenny at samba.org
Thu Mar 2 13:07:10 UTC 2017


On Thu, 2 Mar 2017 12:40:46 +0100
Tony Peña <emperor.cu at gmail.com> wrote:

> 
> so, I can't set browseable = No because the users need to see the
> shares on the server, otherwise they go crazy

I never said to set it to 'no', I pointed out that what you had is the
default and as such, it doesn't need to be set.

> 
> Ok i restart samba-ad-dc with this settings
> 
> 
> shares.conf
> 
> 47 shares like
> 
> [FooBar]
>     comment = FooBar
>     path = /home/samba/shares/foobar
>     browseable = Yes    # users need to browse the network because
> they have been working this way for many years.

'YES' is the default so you don't need it

>     read only = No
>     force create mode = 0660
>     force directory mode = 0660

This doesn't work on a DC, read the wiki pages I pointed you to!

>     vfs objects = acl_xattr full_audit

'acl_xattr' is built into Samba when running as a DC, so it shouldn't be
set here.


> all bind files
> 

OK, these are my bind conf files and I have been using them for the
last 5 years without problems ;-)

/etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        version "0.0.7";
        notify no;
        empty-zones-enable no;
        allow-query { 127.0.0.1; 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24;  127.0.0.1/32; };
        forwarders { 8.8.8.8; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;

        listen-on-v6 { none; };
        listen-on port 53 { 192.168.0.2; 127.0.0.1; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

// Samba-generated config that loads the BIND9_DLZ backend for the AD zones
include "/usr/local/samba/private/named.conf";

/etc/bind/named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


> ------------
> after changing smb.conf and krb5.conf with the suggestions.
> On the PC client I can log out and log in to the domain,
> can browse \\server-dc and the user Library OK, but not FooBar (this is
> fine for these logged-in users) because the ACL works with the
> filesystem and is ok....

You are trying to use the OS permissions on a Samba AD DC, this is NOT
supported.

> 
> but my problem from the beginning.... how can I know that I won't lose
> access to (e.g. the Library share) after 2/3 days?

I think your problem is down to your DNS setup, it seems to be using
flatfiles and this is NOT supported by Samba.

Rowland
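An added example, not part of either message above and not Samba's or BIND's own tooling: a small POSIX shell audit of a named.conf tree for the two points Rowland makes, that named must include Samba's generated named.conf (the BIND9_DLZ backend) and that the AD domain must not be served from a flat zone file, plus the GSS-TSIG keytab line and allow-transfer { none; } that his options block carries. The config text, the include path /var/lib/samba/bind-dns/named.conf and the domain samdom.example.com are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the mailing-list post). Audits BIND config text for
# a Samba AD DC with the BIND9_DLZ backend. Sample config below is constructed;
# /var/lib/samba/bind-dns/named.conf is just an example include path.

# Print names of zones declared "type master" (or "primary") with a "file"
# statement, i.e. flat-file zones. Reads named.conf text on stdin.
flatfile_master_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"[^"]+"/ {
            match($0, /"[^"]+"/)
            name = substr($0, RSTART + 1, RLENGTH - 2)
            inzone = 1; master = 0; hasfile = 0
        }
        inzone && /[[:space:]]type[[:space:]]+(master|primary)[[:space:]]*;/ { master = 1 }
        inzone && /[[:space:]]file[[:space:]]+"/ { hasfile = 1 }
        inzone && /};/ {
            if (master && hasfile) print name
            inzone = 0
        }
    '
}

# 0 if zone $1 (case-insensitive) is a flat-file master zone, 1 otherwise.
zone_is_flatfile() {
    flatfile_master_zones | grep -qixF "$1"
}

# 0 if the tree includes Samba's generated named.conf (DLZ backend wired in).
has_samba_dlz_include() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*samba[^"]*/named\.conf"[[:space:]]*;'
}

# 0 if options carry the keytab that GSS-TSIG signed dynamic updates need.
has_gssapi_keytab() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+"[[:space:]]*;'
}

# 0 if zone transfers are refused outright.
transfers_disabled() {
    grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*\{[[:space:]]*none[[:space:]]*;[[:space:]]*\}'
}

# Run every check on config text $1 for AD domain $2; print one line per
# check and return the number of failed checks.
audit_bind_config() {
    cfg=$1; domain=$2; failed=0
    if printf '%s\n' "$cfg" | has_samba_dlz_include; then
        echo "OK   Samba's named.conf is included (BIND9_DLZ backend)"
    else
        echo "FAIL Samba's named.conf is not included; DLZ backend not wired in"
        failed=$((failed + 1))
    fi
    if printf '%s\n' "$cfg" | zone_is_flatfile "$domain"; then
        echo "FAIL zone $domain is a flat-file master zone (unsupported on an AD DC)"
        failed=$((failed + 1))
    else
        echo "OK   zone $domain is not served from a flat file"
    fi
    if printf '%s\n' "$cfg" | has_gssapi_keytab; then
        echo "OK   tkey-gssapi-keytab is set"
    else
        echo "FAIL tkey-gssapi-keytab missing; signed dynamic updates will fail"
        failed=$((failed + 1))
    fi
    if printf '%s\n' "$cfg" | transfers_disabled; then
        echo "OK   allow-transfer { none; }"
    else
        echo "FAIL zone transfers are not disabled"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample 1: the DLZ layout from the post, trimmed.
DLZ_CFG='options {
        allow-transfer { none; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
include "/var/lib/samba/bind-dns/named.conf";
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};'

# Constructed sample 2: the unsupported layout, AD domain in a flat file.
FLAT_CFG='options {
        allow-transfer { any; };
};
zone "samdom.example.com" {
        type master;
        file "/etc/bind/db.samdom.example.com";
};
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };'

echo "--- DLZ layout";       audit_bind_config "$DLZ_CFG" samdom.example.com || echo "findings: $?"
echo "--- flat-file layout"; audit_bind_config "$FLAT_CFG" samdom.example.com || echo "findings: $?"
```

To audit a real tree, concatenate the files named includes (named.conf, named.conf.options, named.conf.local, named.conf.default-zones) and pass the text as the first argument; the exit status is the number of failed checks, so it drops into a pre-flight script before samba_dnsupdate is expected to work.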


