[Samba] Home folder permissions disappear sometimes
Oleg Blyahher
oleg.blyahher at bluetest.se
Thu Oct 15 11:27:19 UTC 2020
Hi everyone, I'm running a domain-joined fileserver with Samba 4.9.5 and
SSSD on Debian 10.
My DC is also running Samba 4.9.5 on Debian 10. I have recently joined
it to an older domain with a DC that wasn't feeling well (Zentyal with
much older Samba). Everything was working great for a while after I've
moved the FSMO roles and demoted the old DC. I don't seem to have any
issues whatsoever with the domain itself. However, my good old
domain-joined file server has started feeling less well:
* Users sporadically lose access to their home folders. They can still
access other shared folders with the correct permissions.
* Running `ls -la` on /home takes a VERY long time. Sometimes over 10
minutes.
* SSH-ing into the file server as a domain user is also very slow and
can take up to a minute, but works 90% of the time.
* If samba-ad-dc (on the DC) or the DC itself are restarted, I will have
to rejoin the domain on the file server. Otherwise the shared folders
stop working for everyone after a while.
With that said, if I re-join the domain and restart smbd and sssd then
after a while it works fine. I can't find anything of value in the logs,
and I'm also not sure what I would be looking for as it mostly seems it
is the communication to the DC that is very slow.
This is my smb.conf on the file server:
[global]
workgroup = COMPANY
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = INTERNAL.COMPANY.COM
security = ADS
interfaces = enp0s25
bind interfaces only = yes
log file = /var/log/samba/smb.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
shadow:localtime = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config COMPANY: backend = ad
idmap config COMPANY: range = 10000-999999999
idmap config COMPANY: ldap_server = ad
idmap config COMPANY: schema_mode = rfc2307
idmap config COMPANY: unix_nss_info = yes
[Shared]
path = /storage/shared
browseable = Yes
writeable = yes
create mask = 0660
directory mask = 0775
veto files = /Thumbs.db/.DS_Store/
delete veto files = yes
inherit owner = yes
[homes]
path = /home/%U
browseable = no
read only = no
inherit acls = Yes
And here's my smb.conf on the DC:
[global]
netbios name = DC2
realm = INTERNAL.COMPANY.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = BLUETEST
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir = /home/%U
ldap server require strong auth = no
tls enabled = yes
tls keyfile = /etc/ssl/private/dc2.pem
tls certfile = /etc/ssl/certs/dc2.pem
ldap debug level = 3
ntlm auth = mschapv2-and-ntlmv2-only
log level = 3 auth:5 winbind:5
[netlogon]
path = /var/lib/samba/sysvol/internal.company.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Is something wrongly configured here? What should I be looking for in
the logs?
I hope I didn't forget any important config here. Please let me know
otherwise!
And thank you in advance.
Oleg
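As an added illustration, not code from the post, here is a small Python lint that parses the two [global] sections quoted above (constructed excerpts, not the full files) and flags what a reviewer would check first: parameters that must agree between member server and DC, overlapping idmap ranges, and the DC's `ldap server require strong auth = no`. On these excerpts it reports the workgroup mismatch (COMPANY on the member, BLUETEST on the DC, which may only be redaction in the post but is worth confirming on the real files) and the weak LDAP bind setting.

```python
import re

# Constructed excerpts of the two smb.conf [global] sections quoted in the post.
FILESERVER_CONF = """
[global]
workgroup = COMPANY
realm = INTERNAL.COMPANY.COM
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config COMPANY: backend = ad
idmap config COMPANY: range = 10000-999999999
"""
DC_CONF = """
[global]
netbios name = DC2
realm = INTERNAL.COMPANY.COM
workgroup = BLUETEST
ldap server require strong auth = no
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}. Samba parameter names
    are case-insensitive and may contain spaces and a colon (idmap config X : range),
    so keys are lower-cased, whitespace collapsed and spaces around ':' removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current][key] = value.strip()
    return sections

def lint(member, dc):
    """Return a list of findings for a member-server / DC smb.conf pair."""
    findings, mg, dg = [], member.get("global", {}), dc.get("global", {})
    for p in ("workgroup", "realm"):      # both sides must name the same domain
        if mg.get(p, "").lower() != dg.get(p, "").lower():
            findings.append(f"{p} differs: member={mg.get(p)} dc={dg.get(p)}")
    ranges = sorted(                      # idmap ranges must not overlap (UID/GID clashes)
        (int(v.split("-")[0]), int(v.split("-")[1]), k[len("idmap config "):].split(":")[0])
        for k, v in mg.items() if k.endswith(":range"))
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges overlap: {d1} and {d2}")
    if dg.get("ldap server require strong auth", "yes").lower() == "no":  # Samba default is yes
        findings.append("DC accepts simple LDAP binds without TLS/signing "
                        "(ldap server require strong auth = no)")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_smb_conf(FILESERVER_CONF), parse_smb_conf(DC_CONF)):
        print("-", finding)
```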