[Samba] samba domain member strange behavior lost users and shares
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 10 09:11:02 UTC 2020
Hai,
Few things to look at.
> idmap config * : range = 1000-1005
> idmap config SAMDOM:range = 1006-999999
> # alf has uid 1007
First of all, you should not use UIDs that are within the server (local users) range.
If you install Debian, and you created 1 user, if you did that, I don't know, but if..
Then you have an overlap of UID 1000
If user "Alf" has UID 1007 it's overlapping within the DOMAIN range
The ID * range is too small.
This is/should not be needed in smb.conf: admin users = .....
Note, I'm not saying this is wrong, I don't know how you manage your servers..
And last, I'm missing
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
*(content: !root = SAMDOM\Administrator SAMDOM\administrator)
Besides the above, your config looks ok.
If users can log in again, I suggest verifying the time on the AD-DC and the member also.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> basti via samba
> Sent: Friday 10 January 2020 10:02
> To: samba at lists.samba.org
> Subject: [Samba] samba domain member strange behavior lost
> users and shares
>
> Hello,
> my samba domain member file server does some strange things.
>
> First of all Version 4.9.5-Debian and smb.conf is this:
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-1005
> # idmap config for the SAMDOM domain
> # alf has uid 1007
> # yes i know its not the best
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 1006-999999
> idmap config SAMDOM:unix_nss_info = yes
>
> # fix dfs error's in log ?
> host msdfs = no
>
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 10000
> panic action = /usr/share/samba/panic-action %d
>
> vfs object = recycle
> recycle:repository = /home/samba/Papierkorb/%U
> recycle:keeptree = yes
> recycle:exclude = *.tmp *.temp *.swp
> recycle:exclude_dir = /tmp /temp
> recycle:touch = yes
>
> admin users = root, Administrator, @Domain Admins, admin
>
> [... shares]
>
>
> Sometimes (multiple times a week) users can't log in.
> wbinfo -u does not show any user. Restarting winbind sometimes solves this
> but not in all cases. Then a "net ads join" is needed.
>
> Today there is another problem.
> User can't connect to share via login script (system error 1240). Looking
> around on Google and/or the mailing list, it indicates some "encrypted
> passwords = no" problem. But the man page says: Default: encrypt
> passwords = yes
>
> The samba log shows errors like:
> reject request to share [Transfer] as 'SAMDOM\user' without encryption
> or signing. Disconnecting.
>
> I also looked at the man page and the settings in my smb.conf
> seem to be ok.
>
> That is not the only user / client PC that has problems with this samba
> server. Other samba servers with the same global config do not have
> these problems. I have also tried to reinstall samba (delete all tdb and
> ldb files) and rejoin without success.
>
> At the moment I have no idea how to fix it or find the problem.
>
> Best regards,
>
> P.S. klist shows only expired tickets, on all member servers?
> Should that be updated if winbind refresh tickets = Yes is set?
>
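The range problems raised in the reply above (local UIDs falling inside an idmap range, and a very small default `*` range) can be checked mechanically. The following is an added example, not part of the original thread or of Samba itself: the passwd sample, the local accounts "basti" and "alf", and the `MIN_DEFAULT_IDS` threshold are assumptions made for illustration.

```python
import re

# Constructed inputs: the idmap lines quoted in the thread, and a sample
# passwd file. "basti" as the first Debian user (UID 1000) and "alf" as a
# local account with UID 1007 are assumptions made for this illustration.
SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 1006-999999
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
basti:x:1000:1000:,,,:/home/basti:/bin/bash
alf:x:1007:1007:,,,:/home/alf:/bin/bash
"""
MIN_DEFAULT_IDS = 1000  # assumed threshold for "too small", not a Samba constant
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf):
    """Map each idmap domain ('*' is the default) to its (low, high) range."""
    found = (RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def local_uids(passwd):
    """Map UID -> account name from passwd-format text."""
    rows = (l.split(":") for l in passwd.splitlines() if l and not l.startswith("#"))
    return {int(f[2]): f[0] for f in rows if len(f) >= 3}

def audit(conf, passwd):
    """Return findings for overlapping ranges, local UIDs inside a range,
    and a default range with fewer than MIN_DEFAULT_IDS IDs."""
    ranges, findings = idmap_ranges(conf), []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for {a} and {b} overlap")
    for uid, name in sorted(local_uids(passwd).items()):
        for dom in doms:
            if ranges[dom][0] <= uid <= ranges[dom][1]:
                findings.append(f"local user {name} (uid {uid}) is inside the {dom} range")
    if "*" in ranges and ranges["*"][1] - ranges["*"][0] + 1 < MIN_DEFAULT_IDS:
        findings.append("default (*) range is too small")
    return findings

if __name__ == "__main__":
    for finding in audit(SMB_CONF, PASSWD):
        print(finding)
```

On a real member server the same functions can be fed the contents of /etc/samba/smb.conf and /etc/passwd instead of the constructed samples.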