[Samba] Linux workstations lose relationship with domain

Rowland Penny rpenny at samba.org
Mon Mar 22 22:03:24 UTC 2021

On 22/03/2021 20:46, Denis Morejon via samba wrote:
> We have 4.7.4 because we installed it about 4 years ago. Then, a year 
> later, I tried to update to 4.8 compiling over the 4.7.4 version and 
> using samba-tool dbcheck --fix. But as a result I lost some objects and 
> a lot of workstations lost their relationship with the domain. So I 
> had to go back (using a previous snapshot) because there were many 
> computers. So we postponed this action and it took us a LONG time.

I think that would have been because you are either using sssd on the 
clients or your clients' smb.conf files are borked.

You should have also joined a new DC to the domain using the new version 
of Samba.

> But we want to know if it happens because we need a stronger db 
> backend like mysql or postgresql to store all these objects, instead of 
> having the db in a file (like it is by default).

You cannot use anything but the builtin ldap, it is as strong (if not 
stronger) as mysql etc.

> We do not know if we just need one dc and not two, in order to avoid 
> data synchronization, or simply update to the last samba using the way 
> you advised.

Multiple DCs are always better than one.

> 500 pc members and their users are too much for a simple samba domain?

That is a small domain, there are much bigger ones.

> Here is a file server smb.conf:
> [global]
>    netbios name = filespace
>    workgroup = DTCF
>    security = ADS
>    realm = DTCF.ETECSA.CU
>    encrypt passwords = yes
>    #idmap config *:backend = rid
>    idmap config *:range = 100000-200000

If you are not using sssd (and you cannot if using a version of Samba >= 
4.8.0) then you need more 'idmap config' lines.

>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>    log level = 1
>    log file = /var/log/samba/samba.log
> [rcompartidos]
>   comment = Recursos Compartidos de Usuarios
>   path = /home/samba/shares/rcompartidos
>   browseable = Yes
>   read only = No
>   force create mode = 0660
>   force directory mode = 0660
>   vfs objects = acl_xattr full_audit
>   full_audit:prefix = %u|%I|%S
>   full_audit:facility = local7
>   #full_audit:success = mkdir rename unlink rmdir pwrite open
>   full_audit:success = mkdir rename unlink rmdir pwrite
>   full_audit:failure = none
>   full_audit:priority = NOTICE

You would be better setting the share permissions from Windows rather 
than using the 'force' lines.

Your version of Samba is extremely old, I would suggest you upgrade 
as soon as possible.
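
A checker for the two configuration points raised in the reply above (the missing 'idmap config' lines and the 'force' mode lines), as an added example that is not part of the original message or of Samba. It assumes "more 'idmap config' lines" means a backend and a range for the workgroup's own domain; the function names and the sample text are constructed from the quoted smb.conf.

```python
import re

# Constructed sample: the idmap and 'force' lines from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
   workgroup = DTCF
   security = ADS
   #idmap config *:backend = rid
   idmap config *:range = 100000-200000
[rcompartidos]
   force create mode = 0660
   force directory mode = 0660
"""

# Matches both 'idmap config DOM:opt' and 'idmap config DOM : opt'.
IDMAP = re.compile(r"idmap config\s*(\S+?)\s*:\s*(\w+)$")

def parse(text):
    """Return {section: {param: value}}; lines starting with '#' or ';' are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check(text):
    """List findings for a domain-member smb.conf (assumed reading of the reply)."""
    conf = parse(text)
    glob = conf.get("global", {})
    findings, seen = [], set()
    if glob.get("security", "").lower() == "ads":
        domain = glob.get("workgroup", "").upper()
        for key in glob:
            m = IDMAP.match(key)
            if m and m.group(1).upper() == domain:
                seen.add(m.group(2))
        for opt in ("backend", "range"):
            if opt not in seen:
                findings.append(f"global: no 'idmap config {domain} : {opt}'")
    for name, params in conf.items():
        for key in params:
            if key.startswith("force ") and key.endswith(" mode"):
                findings.append(f"{name}: '{key}' set; consider permissions set from Windows")
    return findings
```

Calling `check(SAMPLE)` returns four findings: two for the missing DTCF idmap lines and one for each 'force' line in the share.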

