[Samba] Client station file permission behavior changes after a week or so

Rowland penny rpenny at samba.org
Mon Feb 24 14:27:49 UTC 2020


On 24/02/2020 14:03, Eric via samba wrote:
> Sorry, but I didn't really know how to word this.
>
> I have Univention Corporate server running as AD DC, with a UCS running
> as a member fileserver.
>
> One win10 client has file permission issues after lack of reboot or
> logout/login
> in roughly a week's time. Symptom = can't write to shares even though
> permissions
> are correct. Sometimes files are created without honoring default ACL.
> Could this
> be due to Kerberos tickets expiring? I don't want to change the below
> without knowing
> the impact.
>
> winbind refresh tickets = No
>
>
> I'm not sure if this is limited to one client as the other five clients
> shut down
> more regularly.
>
> What diagnostic steps can I take when the symptom occurs?
>
> DC1 smb.conf, samba = Version 4.10.1-Univention
>
> [global]
> bind interfaces only = Yes
> deadtime = 15
> debug pid = Yes
> domain master = Yes
> interfaces = lo ens3
> ldap server require strong auth = allow_sasl_over_tls
> logging = file
> logon drive = I:
> logon home = \\DC01\%U
> logon path = \\DC01\%U\windows-profiles\%a
> machine password timeout = 0
> map to guest = Bad User
> max log size = 0
> max open files = 32808
> max xmit = 65535
> name resolve order = wins host bcast
> obey pam restrictions = Yes
> passdb backend = samba_dsdb
> passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
> *password*changed*
> preferred master = Yes
> realm = KIDDLAW.LAN
> server role = active directory domain controller
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> server string = Univention Corporate Server
> template homedir = /home/%D-%U
> template shell = /bin/bash
> tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
> tls certfile = /etc/univention/ssl/DC01.kiddlaw.lan/cert.pem
> tls keyfile = /etc/univention/ssl/DC01.kiddlaw.lan/private.key
> tls verify peer = ca_and_name
> usershare max shares = 0
> winbind separator = +
> wins support = Yes
> workgroup = KIDDLAW
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> acl:search = no
> spoolss: architecture = Windows x64
> idmap config * : range = 300000-400000
> kccsrv:samba_kcc = False
> dsdb:schema update allowed = no
> nmbd_proxy_logon:cldap_server = 127.0.0.1
> server role check:inhibit = yes
> idmap config * : backend = tdb
> acl allow execute always = Yes
> admin users = administrator join-backup
> include = /etc/samba/base.conf
> kernel oplocks = Yes
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> case sensitive = No
> comment = Domain logon service
> path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
> read only = No
>
>
> [sysvol]
> acl xattr update mtime = Yes
> case sensitive = No
> path = /var/lib/samba/sysvol
> read only = No
>
>
> [homes]
> browseable = No
> comment = Heimatverzeichnisse
> create mask = 0700
> directory mask = 0700
> hide files = /windows-profiles/
> read only = No
> vfs objects = acl_xattr
>
>
> [printers]
> browseable = No
> comment = Drucker
> create mask = 0700
> path = /tmp
> printable = Yes
>
>
> [print$]
> comment = Printer Drivers
> include = /etc/samba/shares.conf
> path = /var/lib/samba/drivers
> read only = No
> write list = root Administrator @Printer-Admins
>
> Fileserver smb.conf, samba = Version 4.10.1-Univention
>
> [global]
> bind interfaces only = Yes
> deadtime = 15
> debug pid = Yes
> interfaces = lo ens3
> ldap server require strong auth = allow_sasl_over_tls
> logging = file
> logon drive = I:
> logon home = \\FS01\%U
> logon path = \\FS01\%U\windows-profiles\%a
> machine password timeout = 0
> map to guest = Bad User
> max log size = 0
> max open files = 32808
> max xmit = 65535
> name resolve order = wins host bcast
> obey pam restrictions = Yes
> passdb backend = samba_dsdb
> passwd chat = *New*password* %n\n *Re-enter*new*password* %n\n
> *password*changed*
> preferred master = Yes
> printcap name = cups
> realm = KIDDLAW.LAN
> server role = active directory domain controller
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl, winbindd,
> ntp_signd, kcc, dnsupdate
> server string = Univention Corporate Server
> template homedir = /home/%D-%U
> template shell = /bin/bash
> tls cafile = /etc/univention/ssl/ucsCA/CAcert.pem
> tls certfile = /etc/univention/ssl/FS01.kiddlaw.lan/cert.pem
> tls keyfile = /etc/univention/ssl/FS01.kiddlaw.lan/private.key
> tls verify peer = ca_and_name
> usershare max shares = 0
> winbind separator = +
> workgroup = KIDDLAW
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> acl:search = no
> spoolss: architecture = Windows x64
> idmap config * : range = 300000-400000
> kccsrv:samba_kcc = False
> dsdb:schema update allowed = no
> nmbd_proxy_logon:cldap_server = 127.0.0.1
> server role check:inhibit = yes
> idmap config * : backend = tdb
> acl allow execute always = Yes
> admin users = administrator join-backup
> include = /etc/samba/base.conf
> kernel oplocks = Yes
> map archive = No
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> case sensitive = No
> comment = Domain logon service
> path = /var/lib/samba/sysvol/kiddlaw.lan/scripts
> read only = No
>
>
> [sysvol]
> acl xattr update mtime = Yes
> case sensitive = No
> path = /var/lib/samba/sysvol
> read only = No
>
>
> [homes]
> browseable = No
> comment = Heimatverzeichnisse
> create mask = 0700
> directory mask = 0700
> hide files = /windows-profiles/
> read only = No
> vfs objects = acl_xattr
>
>
> [printers]
> browseable = No
> comment = Drucker
> create mask = 0700
> path = /tmp
> printable = Yes
>
>
> [print$]
> comment = Printer Drivers
> include = /etc/samba/shares.conf.d/sharedData
> path = /var/lib/samba/drivers
> read only = No
> write list = root Administrator @Printer-Admins
>
>
> [sharedData]
> access based share enum = Yes
> hide unreadable = Yes
> path = /srv/shares/sharedData
> read only = No
> veto files = /.Trashes/._*/.DS_Store/
> vfs objects = acl_xattr full_audit
>
> Thanks in advance!
>
> Eric

Before I get deeply involved here, are the smb.conf files posted above 
the actual ones on disk, or are they the output of 'testparm'?

One fact I have gleaned is that you do not have a DC and a fileserver, you 
have two DCs (both [global] sections set 'server role = active directory domain controller')

Rowland




