[Samba] Windows clients require reboot once a day in order to access mapped drives

Mason Schmitt mason at ftlcomputing.com
Thu May 2 04:08:47 UTC 2019


>
> >     I didn't go through all the conversations and I'm not sure if this
> >     will be of any help, I just wanted to inform that I've been using
> >     mapped drives with Windows 10 for ages and never had the problems you
> >     described. I also never added or changed the "smb encrypt" option. My
> >     Samba file server (AD member) was set up pretty much the way as is
> >     described in the official Wiki and it just works. I can confirm this
> >     for several versions from Samba 4.2.x to 4.9.x. And I never changed
> >     anything in the Windows 10 registry either.
> >
> >
> > Would you be willing to share your config files?  I'd be curious to see
> > what's different between yours and mine.
>



> Sure, here you go:
>

Thanks for sharing Viktor!  While I do make some comments below, they're
not intended as a criticism of your setup.  I'm just trying to relate what
you're doing to my setup.



> For the DC:
>
> /etc/krb5.conf
> --------------
>
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

The last line above is different than mine.  However, I think I remember
reading that it's not considered good security practice to use DNS to
look up the location of the KDC.  As this entry is on the KDC itself, my
guess is that it's not a concern.



> For the domain member (krb5.conf same as on DC)
>

Same comment as above, but given it's on a member server, the security issue
is perhaps more serious?



> /etc/samba/smb.conf
> -------------------
> [global]
>
>    netbios name = FILESERVER
>    workgroup = SAMDOM
>    security = ADS
>    realm = SAMDOM.EXAMPLE.COM
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>
>    username map = /etc/samba/samba_usermap
>
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config SAMDOM:backend = ad
>    idmap config SAMDOM:schema_mode = rfc2307
>    idmap config SAMDOM:range = 10000-99999
>    idmap config SAMDOM:unix_nss_info = yes
>

I'm using the RID backend instead of AD.  I doubt this would make a
difference, but who knows at this point.



>    winbind use default domain = yes
>

My config says 'no' here.  Apparently 'no' is the recommended setting.
Again, no idea if this would result in the problems I've been seeing.



> These particular files are on Samba 4.9.4, clients are Win10.
>

When you run 'smbstatus' on your file server, do you show Win10 clients
connecting at SMB3_11 with encryption enabled?

I'm also curious about how your clients use the shares.  Do you use mapped
drives?  If you do use mapped drives, do you create them using group
policy?  Do your clients stay powered on and logged in for days on end?
Does your security policy lock workstations after a period of inactivity?

I can't say whether any of the questions above would change the behaviour
I'm seeing, but they all relate to the idea of long running persistent
sessions, which is where the problem seems to lie.  Since you're not
experiencing the issue I'm seeing, I'm wondering whether we can identify
anything else in our respective environments that might provide a clue.

Thanks again for chiming in and sharing your configs and your experience.

--
Mason