[Samba] Linux workstations lose relationship with domain
rpenny at samba.org
Mon Mar 22 22:03:24 UTC 2021
On 22/03/2021 20:46, Denis Morejon via samba wrote:
> We have 4.7.4 because we installed it about 4 years ago. Then, a year
> later, I tried to update to 4.8 compiling over the 4.7.4 version and
> using samba-tool dbcheck --fix. But as a result I lost some objects and
> a lot of workstations lost their relationship with the domain. So I
> had to go back (using a previous snapshot) because there were many
> computers. So we postponed this action and it took us a LONG time.
I think that would have been because you are either using sssd on the
clients or your clients' smb.conf files are borked.
You should have also joined a new DC to the domain using the new version.
> But we want to know if it happens because we need a stronger db
> backend like mysql or postgresql to store all these objects, instead of
> having the db in a file (like it is by default).
You cannot use anything but the builtin ldap, it is as strong (if not
stronger) as mysql etc.
> We do not know if we just need one dc and not two, in order to avoid
> data synchronization, or simply update to the last samba using the way
> you advised.
Multiple DCs are always better than one.
> 500 pc members and their users are too much for a simple samba domain?
That is a small domain, there are much bigger ones.
> Here is a file server smb.conf:
> netbios name = filespace
> workgroup = DTCF
> security = ADS
> realm = DTCF.ETECSA.CU
> encrypt passwords = yes
> #idmap config *:backend = rid
> idmap config *:range = 100000-200000
If you are not using sssd (and you cannot if using a version of Samba >=
4.8.0) then you need more 'idmap config' lines.
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> log level = 1
> log file = /var/log/samba/samba.log
> comment = Recursos Compartidos de Usuarios
> path = /home/samba/shares/rcompartidos
> browseable = Yes
> read only = No
> force create mode = 0660
> force directory mode = 0660
> vfs objects = acl_xattr full_audit
> full_audit:prefix = %u|%I|%S
> full_audit:facility = local7
> #full_audit:success = mkdir rename unlink rmdir pwrite open
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> full_audit:priority = NOTICE
You would be better setting the share permissions from Windows rather
than using the 'force' lines.
Your version of Samba is extremely old, I would suggest you upgrade
as soon as possible.
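
Added example, not part of the original message and not Samba project code: a small check for the "you need more 'idmap config' lines" point, run over the idmap lines quoted in the thread and over a revised layout. The revised layout (a tdb default domain plus a rid backend for DTCF) and every range in it are assumptions chosen for illustration, and `parse` and `check` are hypothetical helper names.

```python
import re

# Constructed input: idmap-related [global] lines as posted in the thread.
POSTED = """workgroup = DTCF
security = ADS
#idmap config *:backend = rid
idmap config *:range = 100000-200000
"""
# Constructed input: one possible layout; backends and ranges are assumptions.
REVISED = """workgroup = DTCF
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DTCF : backend = rid
idmap config DTCF : range = 100000-200000
"""
IDMAP = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+)", re.I)

def parse(text):
    """Return (workgroup, {domain: {option: value}}), skipping comments."""
    workgroup, idmap = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = IDMAP.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith("workgroup"):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap

def check(text):
    """Report idmap lines missing for the default ('*') and joined domain."""
    workgroup, idmap = parse(text)
    if workgroup is None:
        return ["missing: workgroup"]
    problems, ranges = [], []
    # The '*' backend defaults to tdb when unset, so only its range is required.
    for dom, needed in (("*", ("range",)), (workgroup, ("backend", "range"))):
        opts = idmap.get(dom, {})
        problems += [f"missing: idmap config {dom} : {k}" for k in needed if k not in opts]
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            ranges.append((low, high))
    if len(ranges) == 2 and ranges[0][0] <= ranges[1][1] and ranges[1][0] <= ranges[0][1]:
        problems.append("overlap: '*' and domain ranges must not overlap")
    return problems

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("revised", REVISED)):
        print(name, check(conf) or "ok")
```
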