[Samba] samba-ad linux clients random access denied to network share
Giuseppe Barichello
swlibero at verlata.it
Wed Apr 6 21:11:35 UTC 2022
Hi all,
I have configured an AD domain (samba 4.9.5 on debian buster).
Clients are both windows and linux.
Linux clients authenticate users using winbind + kerberos.
All clients access a network share from a server other than the domain
server.
Linux clients mount this share using nfs4.
Everything works ok from windows clients.
Linux clients log in OK and can access the share according to the user's
profile, most of the time. Sometimes, though, they receive an access
denied error.
When this happens the user is successfully logged in and his Kerberos
token is valid.
Trying to renew the token (kinit -R) or to get a new one (kinit)
doesn't fix the problem.
The only workaround I found so far is to log in with the user account to
a Windows client, and then log in to the Linux client after a while
(5-15 minutes).
Another strange thing is that this seems to happen for all linux
clients at the same time.
This happens every 5-8 days (as far as I could observe).
Any clue?
TIA,
Giuseppe
smb.conf [on the domain controller]:
===================================
# Global parameters
[global]
dns forwarder = 10.0.0.254
netbios name = MYSERVER-AD
realm = AD.MYDOMAIN.IT
server role = active directory domain controller
workgroup = AD
idmap_ldb:use rfc2307 = yes
[netlogon]
path = /var/lib/samba/sysvol/ad.mydomain.it/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
smb.conf [on the machine sharing the disk]
==========================================
[global]
workgroup = AD
security = ADS
realm = AD.MYDOMAIN.IT
hosts allow = xx.xx.xx.0/24 xx.xx.xx.0/24 xx.xx.xx.0/24
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
obey pam restrictions = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD : backend = rid
idmap config AD : range = 10000-999999
template shell = /bin/bash
template homedir = /home/sambausers/%U
[myshare]
path = /home/myshare
read only = no
krb5.conf:
=========
[libdefaults]
default_realm = AD.MYDOMAIN.IT
dns_lookup_realm = false
dns_lookup_kdc = true
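Added example (not part of the original post, and not Samba code): the file server above uses `idmap config AD : backend = rid` with range 10000-999999 and `idmap config * : backend = tdb` with range 3000-7999. The block below models both backends so the difference is visible: idmap_rid is pure arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID, base_rid defaulting to 0, result must lie inside the range), so every host with the same smb.conf derives the same uid/gid for a domain SID, whereas the tdb backend hands out ids in first-seen order per host. The domain SID and the SIDs fed in are constructed for the example; the ranges are the ones from the posted config.

```python
import re

# Constructed domain SID for the example (not the poster's real domain SID).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Ranges taken from the posted smb.conf of the file server.
RID_RANGE = (10000, 999999)   # idmap config AD : backend = rid
TDB_RANGE = (3000, 7999)      # idmap config * : backend = tdb

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-513' into ('S-1-5-21-a-b-c', 513)."""
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def rid_backend_id(sid, domain_sid=DOMAIN_SID, id_range=RID_RANGE, base_rid=0):
    """Deterministic mapping as documented for idmap_rid(8):
    ID = RID - BASE_RID + LOW_RANGE_ID, accepted only inside the range.
    SIDs from another domain (e.g. BUILTIN, S-1-5-32-...) return None:
    they are not handled by this backend and fall to the '*' backend."""
    head, rid = split_sid(sid)
    if head != domain_sid:
        return None
    low, high = id_range
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


class TdbAllocator:
    """Minimal model of the '*' tdb backend: ids are allocated on first use,
    in the order each host happens to see the SIDs, so two hosts that see
    the same SIDs in a different order end up with different ids."""

    def __init__(self, id_range=TDB_RANGE):
        self.next_id, self.high = id_range
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("tdb range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_hosts(sids_seen_by_a, sids_seen_by_b):
    """Return {sid: (id_on_host_a, id_on_host_b)} for every SID both hosts
    have mapped, using rid arithmetic for domain SIDs and a per-host tdb
    allocator for everything else."""
    tdb_a, tdb_b = TdbAllocator(), TdbAllocator()

    def resolve(sid, tdb):
        unix_id = rid_backend_id(sid)
        return unix_id if unix_id is not None else tdb.lookup(sid)

    ids_a = {sid: resolve(sid, tdb_a) for sid in sids_seen_by_a}
    ids_b = {sid: resolve(sid, tdb_b) for sid in sids_seen_by_b}
    return {sid: (ids_a[sid], ids_b[sid]) for sid in ids_a if sid in ids_b}


if __name__ == "__main__":
    user = DOMAIN_SID + "-1105"          # constructed domain user
    domain_users = DOMAIN_SID + "-513"   # well-known Domain Users RID
    builtin_admins = "S-1-5-32-544"      # BUILTIN\Administrators
    builtin_users = "S-1-5-32-545"       # BUILTIN\Users
    # File server and a Linux client saw the BUILTIN groups in opposite order.
    result = compare_hosts(
        [user, domain_users, builtin_admins, builtin_users],
        [builtin_users, builtin_admins, user, domain_users],
    )
    for sid, (a, b) in result.items():
        print(f"{sid:45} host A={a:<7} host B={b:<7} {'same' if a == b else 'DIFFERENT'}")
```

Running it prints identical ids on both hosts for the two domain SIDs (10513 and 11105) and differing ids for the two BUILTIN SIDs, which is the property worth checking with `wbinfo --sid-to-uid` / `wbinfo --sid-to-gid` on the file server and on a Linux client when an NFSv4 client sees a uid/gid that does not match what the server expects.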