[Samba] Home folder permissions disappear sometimes

Oleg Blyahher oleg.blyahher at bluetest.se
Thu Oct 15 11:27:19 UTC 2020

Hi everyone, I'm running a domain-joined fileserver with Samba 4.9.5 and 
SSSD on Debian 10.

My DC is also running Samba 4.9.5 on Debian 10. I have recently joined 
it to an older domain with a DC that wasn't feeling well (Zentyal with 
much older Samba). Everything was working great for a while after I 
moved the FSMO roles and demoted the old DC. I don't seem to have any 
issues whatsoever with the domain itself. However, my good old 
domain-joined file server has started feeling less well:

* Users sporadically lose access to their home folders. They can still 
access other shared folders with the correct permissions.

* Running `ls -la` on /home takes a VERY long time. Sometimes over 10 

* SSH-ing into the file server as a domain user is also very slow and 
can take up to a minute, but works 90% of the time.

* If samba-ad-dc (on the DC) or the DC itself are restarted, I will have 
to rejoin the domain on the file server. Otherwise the shared folders 
stop working for everyone after a while.

With that said, if I re-join the domain and restart smbd and sssd then 
after a while it works fine. I can't find anything of value in the logs, 
and I'm also not sure what I would be looking for, as it mostly seems it 
is the communication to the DC that is very slow.

This is my smb.conf on the file server:

[global]
   workgroup = COMPANY
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   security = ADS
   interfaces = enp0s25
   bind interfaces only = yes

   log file = /var/log/samba/smb.log
   log level = 1

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   vfs objects = shadow_copy2
   shadow: snapdir = .zfs/snapshot
   shadow: sort = desc
   shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
   shadow: localtime = yes
   template shell = /bin/bash
   template homedir = /home/%U

   winbind use default domain = yes
   winbind expand groups = 4
   winbind nss info = rfc2307
   winbind refresh tickets = Yes
   winbind offline logon = yes
   winbind normalize names = Yes

   idmap config COMPANY : backend = ad
   idmap config COMPANY : range = 10000-999999999
   idmap config COMPANY : ldap_server = ad
   idmap config COMPANY : schema_mode = rfc2307
   idmap config COMPANY : unix_nss_info = yes

; the share's name did not survive the archive; [shared] is assumed here
[shared]
   path = /storage/shared
   browseable = Yes
   writeable = yes
   create mask = 0660
   directory mask = 0775
   veto files = /Thumbs.db/.DS_Store/
   delete veto files = yes
   inherit owner = yes

[homes]
   path = /home/%U
   browseable = no
   read only = no
   inherit acls = Yes

And here's my smb.conf on the DC:

[global]
   netbios name = DC2
   realm = INTERNAL.COMPANY.COM
   server role = active directory domain controller
   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
   workgroup = BLUETEST
   idmap_ldb:use rfc2307 = yes
   template shell = /bin/bash
   template homedir = /home/%U
   ldap server require strong auth = no

   tls enabled = yes
   tls keyfile = /etc/ssl/private/dc2.pem
   tls certfile = /etc/ssl/certs/dc2.pem
   ldap debug level = 3

   ntlm auth = mschapv2-and-ntlmv2-only
   log level = 3 auth:5 winbind:5

[netlogon]
   path = /var/lib/samba/sysvol/internal.company.com/scripts
   read only = No

[sysvol]
   path = /var/lib/samba/sysvol
   read only = No

Is something wrongly configured here? What should I be looking for in 
the logs?

I hope I didn't forget any important config here. Please let me know 

And thank you in advance.


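The idmap settings in the member server's smb.conf are the part of this post a practitioner would check first, because a wrong or unstable UID/GID mapping shows up exactly as permissions that come and go. What follows is an added example, not code from the post or from the Samba project: a small Python checker that parses an smb.conf and reports overlapping idmap ranges, ranges without a backend (or the reverse), an unusable `*` range, and a joined domain (`security = ADS` plus `workgroup`) that has no `idmap config` block of its own. It runs over a constructed copy of the poster's idmap lines (`SAMPLE_SMB_CONF`, with the section headers the archive dropped put back) and over a constructed broken configuration (`BROKEN_SMB_CONF`, with an invented TRUSTED domain). The function names `parse_smb_conf`, `idmap_domains`, `parse_range` and `check_idmap` are this example's own; `include` and `config file` directives are not followed.

```python
"""Checker for the 'idmap config' lines of a Samba member server's smb.conf.

Example code added to this page; not from the post or the Samba project.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the member-server idmap settings from the post, with
# the [global] and [homes] headers reinstated (they did not survive the archive).
SAMPLE_SMB_CONF = """
[global]
   workgroup = COMPANY
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config COMPANY: backend = ad
   idmap config COMPANY: range = 10000-999999999
   idmap config COMPANY: schema_mode = rfc2307
   idmap config COMPANY: unix_nss_info = yes
   winbind use default domain = yes

[homes]
   path = /home/%U
   read only = no
"""

# Constructed counter-example: no block for the joined domain, and a '*'
# range that collides with the range of an invented trusted domain.
BROKEN_SMB_CONF = """
[global]
   workgroup = COMPANY
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 10000 - 20000
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 15000-99999
"""

Section = Dict[str, str]


def parse_smb_conf(text: str) -> Dict[str, Section]:
    """Read smb.conf into {section: {key: value}}.

    Keys are lower-cased and the whitespace around ':' in
    'idmap config DOM : option' is removed, so both spellings compare equal.
    """
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        current[key] = value.strip()
    return sections


def idmap_domains(global_section: Section) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config <domain>:<option>' keys by domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in global_section.items():
        match = re.fullmatch(r"idmap config (\S+):(\S+)", key)
        if match:
            domains.setdefault(match.group(1), {})[match.group(2)] = value
    return domains


def parse_range(spec: str) -> Tuple[int, int]:
    """'3000-7999' or '3000 - 7999' -> (3000, 7999); raises ValueError otherwise."""
    low, high = (int(part) for part in spec.split("-", 1))
    return low, high


def check_idmap(conf: Dict[str, Section]) -> List[str]:
    """Return a list of findings; an empty list means nothing was detected."""
    findings: List[str] = []
    g = conf.get("global", {})
    domains = idmap_domains(g)
    ranges: Dict[str, Tuple[int, int]] = {}

    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"{dom}: idmap config has no backend")
        if "range" not in opts:
            findings.append(f"{dom}: idmap config has no range (winbind will not map IDs)")
            continue
        try:
            low, high = parse_range(opts["range"])
        except ValueError:
            findings.append(f"{dom}: unparsable range {opts['range']!r}")
            continue
        if low >= high:
            findings.append(f"{dom}: range {low}-{high} is empty or inverted")
            continue
        ranges[dom] = (low, high)

    # Ranges must be pairwise disjoint, or two domains (or '*' and a domain)
    # can hand out the same UID/GID to different security principals.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (a_lo, a_hi), (b_lo, b_hi) = ranges[a], ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                findings.append(f"{a} range {a_lo}-{a_hi} overlaps {b} range {b_lo}-{b_hi}")

    # A member server needs a block for the domain it joined; otherwise its
    # users fall into the '*' allocator, which assigns IDs on first sight and
    # forgets them if that tdb is lost. The '*' range itself has no default.
    if g.get("security", "").lower() == "ads":
        workgroup = g.get("workgroup", "").lower()
        if "*" not in ranges:
            findings.append("no usable 'idmap config *' range (required as the default backend)")
        if workgroup and workgroup not in domains:
            findings.append(f"no 'idmap config {workgroup.upper()}' block for the joined domain")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        print(f"{name}: {check_idmap(parse_smb_conf(text)) or ['ok']}")
```

The poster's ranges (3000-7999 for `*`, 10000-999999999 for COMPANY) are disjoint and both domains have a backend, so the checker passes that file and only the constructed broken one produces findings; run Samba's own `testparm` first and use something like this when you want the same checks in a script before rejoining a server. Unrelated to ID mapping but visible in the DC config above: `ldap server require strong auth = no` allows simple LDAP binds without signing or TLS, which is a real weakening and worth revisiting once the join problem is solved.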