[Samba] Connection dropping every 24 hours from Windows Client.
Rowland penny
rpenny at samba.org
Thu Jan 2 19:01:40 UTC 2020
On 02/01/2020 17:45, hans via samba wrote:
> I posted the following a month ago but have only managed to get to fixing on this over the holidays. Rowland mentions that I needed to add my domain info, it’s now included and I still have the same issue.
>
> Thanks and Happy New YearOld post begins below with edits
> Hello
>
> I have a problem with my Windows 10 drive connections dropping every 24
> hours, very briefly. It's enough to cause me to be unable to save my file,
> or access a geodatabase. I have followed much trouble shooting and I
> believe that its due to the KDC Service ticket lifetime expiring, I have it
> set for 24 hours in smb.conf.
>
> I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the
> shares are running 4.7.6 and connected to the DC by Winbindd. I notice
> that when my 24 hours is up, smbstatus will show that I have a new PID. The
> files are unfortunately still being held open by the old PID and are no
> longer accessible (I think.).
>
> Here is the global part of my DC smb.conf
> [global]
> workgroup = MYNET
> realm = mynet.mynet.com
> netbios name = MY_DC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> kdc:service ticket lifetime = 24
> kdc:user ticket lifetime = 360
> kdc:renewal lifetime = 1800
> dsdb:schema update allowed = true
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
> wins support = yes
> ldap server require strong auth = no
>
> And here is the global part of my file server smb.conf
>
> workgroup = MYNET
> client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> realm = MYNET.MYNET.COM
> security = ads
> vfs object = acl_xattr
> map acl inherit = yes
> hide unreadable = yes
> winbind refresh tickets = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYNET : backend = rid çadded as per Rowland
> idmap config MYNET : range = 50000-1000000 ç added as per Rowland
>
>
> winbind use default domain = true
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> store dos attributes = yes
>
> When I used to host the shares on the same DC, I never had this trouble.
> When I had kdc:service ticket lifetime = 10, then the connections dropped
> every 10 hours. Do I just keep upping that number to something useful and
> hope I don't get hacked, or is there something else I am missing. To me, it
> sounds a lot like this problem,
> https://lists.samba.org/archive/samba/2014-March/179555.html
>
> Thanks
>
OK, you do not need these lines in your DC smb.conf:
kdc:service ticket lifetime = 24
kdc:user ticket lifetime = 360
kdc:renewal lifetime = 1800
dsdb:schema update allowed = true
wins support = yes
Try this as the [global] part of your smb.conf on the Unix domain member:
[global]
workgroup = MYNET
security = ADS
realm = MYNET.MYNET.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYNET : backend = rid
idmap config MYNET : range = 50000-1000000
# If your users log into the Unix domain member
# uncomment the following two lines and alter to your requirements
#template shell = /bin/bash
#template homedir = /home/%U
username map = /etc/samba/user.map
vfs object = acl_xattr
map acl inherit = yes
store dos attributes = yes
client signing = yes
Create '/etc/samba/user.map' containing this:
!root = MYNET\Administrator
Run (as root):
net ads keytab create
Restart Samba and see how you go.
Rowland
More information about the samba
mailing list