[Samba] Developed an issue with Samba File Server integrated with Samba-AD

Anantha Raghava raghav at exzatechconsulting.com
Sat Jun 30 16:39:12 UTC 2018

>>> Hello Rowland,
>>>> On Sat, 30 Jun 2018 14:51:48 +0530
>>>> Anantha Raghava via samba <samba at lists.samba.org> wrote:
>>>>> Hi,
>>>>> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04
>>>>> LTS) for quite some time now. We recently installed Samba-AD (Samba
>>>>> AD Version 4.7.6) and made the file server a member of the Domain.
>>>>> Everything was fine till around 11:15 am yesterday. We just added
>>>>> one more share folder and gave access to three users and restarted
>>>>> Samba File Server services
>>>>> - smbd, nmbd and winbindd - services and we lost the file server.
>>>>> None of the domain users is able to log in to file server and access
>>>>> their shares. If we access the shares from a non-domain member PC,
>>>>> shares are accessible.
>>>>> File server when accessed asks for user name & password. Once the
>>>>> user feeds his credentials, the login fails and again the file
>>>>> server will ask for user credentials. This is really surprising.
>>>>> We enabled log level 3 on both samba servers (File & AD Server) and
>>>>> we see nothing with respect to this error.
>>>>> Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are
>>>>> attached.
>>>>> I am aware that Samba file server is very old and it's time to
>>>>> upgrade. However, getting it back live is now critical for us.
>>>>> Look forward to any guidance.
>>>>> Thanks & Regards,
>>>>> Anantha Raghava
>>>>> Do not print this e-mail unless required. Save Paper & trees.
>>>> There doesn't seem to be anything really wrong with the Unix domain
>>>> member smb.conf, apart from it having a netlogon share (this in my
>>>> opinion should only be on a PDC or DC). I would leave the domain,
>>>> remove the netlogon share, remove all Samba .ldb and .tdb files
>>>> (usually in /var/lib/samba), then rejoin the domain and restart the
>>>> samba daemons (nmbd, smbd and winbindd), this will recreate all the
>>>> Samba databases.
>>>> If this doesn't work, add 'log level = 10' to smb.conf on the Unix
>>>> domain member and see if anything pops out.
>>>> I have however noticed this:
>>>> DC smb.conf:
>>>>        realm = XXXX.COM
>>>>     workgroup = XXXX
>>>> [netlogon]
>>>>     path = /usr/local/samba/var/locks/sysvol/exza.com/scripts
>>>> Unix domain member smb.conf:
>>>>       workgroup = CSAEROTHERM
>>>>       realm = CSAEROTHERM.COM
>>>> On the DC, the realm appears to actually be 'exza.com' but on the
>>>> Unix domain member it is set to 'CSAEROTHERM.COM', these must
>>>> match, yours don't.
>>> This is matching. I was just comparing the smb.conf of AD DC on
>>> exza.com server with that of CSAEROTHERM.COM. Since it was same, I
>>> just copied smb.conf from exza.com server and attached to the mail.
>>> I tried your suggestion. I attempted to leave domain. It resulted
>>> in:
>>> root@samba-64:/var/lib/samba# net ads leave -U administrator
>>> No realm set, are we joined ?
>>> & If I try to join the domain, it results in :
>>> root@samba-64:/var/lib/samba# net ads join -U administrator
>>> Host is not configured as a member server.
>>> Invalid configuration.  Exiting....
>>> Failed to join domain: This operation is only allowed for the PDC of
>>> the domain.
>>>> Rowland
>>> Regards,
>>> Anantha Raghava
>> I ran your smb.conf through testparm and it found something I missed,
>> you do not have a [global] section ;-)
>> You have a [gdlobal] section !
> MY GOD!!!

Thanks a TON Rowland...It's back to normal. Just can't imagine how this 
small spelling mistake escaped all of our eyes!!! We were all set to install a 
new server and move terabytes of data from this failed server to new one.

We can now peacefully set up a new server with new samba version and 
move data with minimum disruption to regular work.

Again Thanks a TON..
>> Rowland
Anantha Raghava
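
The failure in this thread came from a section header spelled [gdlobal]: smbd reads that as a share definition, so the global parameters fall back to defaults, which matches the "No realm set" and "not configured as a member server" messages above. The following pre-restart check is an added example, not code from the thread or from the Samba project; the function names and the sample configuration are constructed for illustration, and it complements rather than replaces running testparm.

```python
import difflib
import re

# Section names smbd treats specially; any other name defines a share.
SPECIAL_SECTIONS = ("global", "homes", "printers")
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def section_names(conf_text):
    """Return (line_number, name) for every [section] header, skipping comments."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match:
            found.append((lineno, match.group(1).strip()))
    return found


def check_sections(conf_text):
    """Flag a missing [global] section and headers that look like typos of special names."""
    findings = []
    sections = section_names(conf_text)
    names = [name.lower() for _, name in sections]
    if "global" not in names:
        findings.append("no [global] section: global parameters fall back to defaults")
    for lineno, name in sections:
        lowered = name.lower()
        if lowered in SPECIAL_SECTIONS:
            continue
        # A ratio of 0.8 or more catches one-character slips such as gdlobal.
        close = difflib.get_close_matches(lowered, SPECIAL_SECTIONS, n=1, cutoff=0.8)
        if close:
            findings.append(f"line {lineno}: [{name}] looks like a misspelling of [{close[0]}]")
    return findings


# Constructed sample modelled on the thread: the header is misspelled as [gdlobal].
SAMPLE = """\
[gdlobal]
    workgroup = CSAEROTHERM
    realm = CSAEROTHERM.COM

[netlogon]
    path = /srv/netlogon
"""

if __name__ == "__main__":
    print("\n".join(check_sections(SAMPLE)))
```

Running a check like this before restarting smbd, nmbd and winbindd turns a silent fallback to default settings into an explicit finding.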
