[Samba] samba domain member strange behavior lost users and shares

L.P.H. van Belle belle at bazuin.nl
Fri Jan 10 09:11:02 UTC 2020


Hai, 

Few things to look at. 

>    idmap config * : range = 1000-1005
>    idmap config SAMDOM:range = 1006-999999
>    # alf has uid 1007 

First of all, you should not use UIDs that are within the server (local users) range.
If you install Debian, and you created 1 user, if you did that, I don't know, but if...
Then you have an overlap of UID 1000.
If user "Alf" has UID 1007, it's overlapping within the DOMAIN range.

The ID * range is too small.

This is/should not be needed in smb.conf: admin users = .....
Note, I'm not saying this is wrong, I don't know how you manage your servers.


And last, I'm missing

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
*(content: !root = SAMDOM\Administrator SAMDOM\administrator) 


Besides the above, your config looks ok.
If users can login again, I suggest to verify the time on the AD-DC and the member also.


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Friday 10 January 2020 10:02
> To: samba at lists.samba.org
> Subject: [Samba] samba domain member strange behavior lost
> users and shares
> 
> Hello,
> my samba domain member file server does some strange things.
> 
> First of all Version 4.9.5-Debian and smb.conf is this:
> 
> [global]
>    workgroup = SAMDOM
>    security = ADS
>    realm = SAMDOM.EXAMPLE.COM
> 
>    log file = /var/log/samba/%m.log
>    log level = 1
> 
>    winbind refresh tickets = Yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
> 
>    winbind use default domain = yes
> 
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    disable spoolss = yes
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 1000-1005
>    # idmap config for the SAMDOM domain
>    # alf has uid 1007
>    # yes i know its not the best
>    idmap config SAMDOM:backend = ad
>    idmap config SAMDOM:schema_mode = rfc2307
>    idmap config SAMDOM:range = 1006-999999
>    idmap config SAMDOM:unix_nss_info = yes
> 
>     # fix dfs error's in log ?
>     host msdfs = no
> 
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 10000
>    panic action = /usr/share/samba/panic-action %d
> 
>    vfs object = recycle
>    recycle:repository = /home/samba/Papierkorb/%U
>    recycle:keeptree = yes
>    recycle:exclude = *.tmp *.temp *.swp
>    recycle:exclude_dir = /tmp /temp
>    recycle:touch = yes
> 
>    admin users = root, Administrator, @Domain Admins, admin
> 
> [... shares]
> 
> 
> Sometimes (multiple times a week) users can't login.
> wbinfo -u does not show any user. Restarting winbind sometimes solves this
> but not in all cases. Then a "net ads join" is needed.
> 
> Today there is another problem.
> User can't connect to share via login script (system error 1240). Looking
> around on Google and / or the mailing list, it indicates some "encrypted
> passwords = no" problem. But the man page says: Default: encrypt
> passwords = yes
> 
> The samba log shows errors like:
> reject request to share [Transfer] as 'SAMDOM\user' without encryption
> or signing. Disconnecting.
> 
> I also looked at the man page and the settings in my smb.conf
> seem to be ok.
> 
> That is not the only user / client PC that has problems with
> this samba
> server. Other samba servers with the same global config do not have
> these problems. I have also tried to reinstall samba (delete all tdb and
> ldb files) and rejoin without success.
> 
> At the moment i have no idea how to fix it or find the problem.
> 
> Best regards,
> 
> P.S. klist shows only expired tickets, on all member servers?
> Should that
> be updated if winbind refresh tickets = Yes is set?
> 
> 
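
An added example, not part of the original thread or of Samba itself: a small Python check that reads the "idmap config ... range" lines from an smb.conf and reports idmap ranges that overlap each other or that contain a local account's UID, the problem raised in the reply above. The sample passwd entry "localadmin" with UID 1000 and the UID_MIN of 1000 are constructed assumptions; the idmap lines are the ones quoted in the thread.

```python
import re

# Matches "idmap config SAMDOM:range = 1006-999999" and "idmap config * : range = 1000-1005".
# Commented-out lines do not match because the line must start with "idmap config".
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every idmap range line."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_uids(passwd, uid_min=1000):
    """Return {uid: name} for passwd entries with UID >= uid_min (assumed UID_MIN)."""
    out = {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit() and int(f[2]) >= uid_min:
            out[int(f[2])] = f[0]
    return out

def audit(smb_conf, passwd):
    """List range/range overlaps and local UIDs that fall inside an idmap range."""
    findings = []
    ranges = parse_idmap_ranges(smb_conf)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("range-overlap", a, b))
    for uid, name in sorted(local_uids(passwd).items()):
        for dom in doms:
            if ranges[dom][0] <= uid <= ranges[dom][1]:
                findings.append(("local-uid-in-range", name, uid, dom))
    return findings

# idmap lines as quoted in the thread
SAMPLE_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 1000-1005
   # alf has uid 1007
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 1006-999999
"""
# constructed passwd content: first local user created by the installer
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nlocaladmin:x:1000:1000::/home/localadmin:/bin/bash\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, SAMPLE_PASSWD):
        print(finding)
```

On a real member server, pass the contents of /etc/samba/smb.conf and /etc/passwd to audit() instead of the samples.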
