[Samba] samba-ad linux clients random access denied to network share

Giuseppe Barichello swlibero at verlata.it
Wed Apr 6 21:11:35 UTC 2022

Hi all,

I have configured an AD domain (Samba 4.9.5 on Debian Buster).
Clients are both Windows and Linux.
Linux clients authenticate users using winbind + Kerberos.
All clients access a network share from a server other than the domain
Linux clients mount this share using NFSv4.

Everything works OK from Windows clients.
Linux clients log in OK and can access the share according to the user's
profile, most of the time. Sometimes, though, they receive an access
denied error.
When this happens the user is successfully logged in and his Kerberos
token is valid.
Trying to renew the token (kinit -R) or to get a new one (kinit)
doesn't fix the problem.
The only workaround I have found so far is to log in with the user account to
a Windows client, and then log in to the Linux client after a while
(5-15 minutes).
Another strange thing is that this seems to happen for all Linux
clients at the same time.
This happens every 5-8 days (as long as I could observe).

Any clue?


smb.conf [on the domain controller]:
# Global parameters
	dns forwarder =
	netbios name = MYSERVER-AD
	server role = active directory domain controller
	workgroup = AD
	idmap_ldb:use rfc2307 = yes

	path = /var/lib/samba/sysvol/ad.mydomain.it/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No

smb.conf [on the machine sharing the disk]
   workgroup = AD
   security = ADS
   realm = AD.MYDOMAIN.IT
   hosts allow = xx.xx.xx.0/24 xx.xx.xx.0/24 xx.xx.xx.0/24

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes
   obey pam restrictions = yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes

   winbind enum users = yes
   winbind enum groups = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/%m.log
   log level = 1

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999

   template shell = /bin/bash
   template homedir = /home/sambausers/%U

   path = /home/myshare
   read only = no

	default_realm = AD.MYDOMAIN.IT
	dns_lookup_realm = false
	dns_lookup_kdc = true
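One check worth running against the file server's smb.conf above: Samba requires that the ranges of the default ("*") idmap domain and of each named idmap domain do not overlap, and a user whose SID maps outside its range cannot be resolved to a UID. The script below is an added example, not from the poster or from Samba; it parses the idmap lines of an smb.conf text (the sample embedded here is constructed from the configuration quoted in the post) and reports missing backends, inverted ranges and overlapping ranges.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the file server's smb.conf above.
SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>backend|range)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, dict]:
    """Collect backend and numeric (low, high) range per idmap domain; '*' is the default domain."""
    doms: Dict[str, dict] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = doms.setdefault(m["dom"].upper(), {})
        if m["key"].lower() == "backend":
            entry["backend"] = m["val"].lower()
        else:
            lo, hi = (int(x) for x in m["val"].split("-"))
            entry["range"] = (lo, hi)
    return doms


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems found in the idmap configuration (empty list = OK)."""
    doms = parse_idmap(conf)
    problems: List[str] = []
    if "*" not in doms:
        problems.append("no 'idmap config *' default domain defined")
    for name, e in doms.items():
        if "backend" not in e:
            problems.append(f"{name}: no backend configured")
        if "range" not in e:
            problems.append(f"{name}: no range configured")
        elif e["range"][0] >= e["range"][1]:
            problems.append(f"{name}: inverted range {e['range'][0]}-{e['range'][1]}")
    ranged: List[Tuple[str, Tuple[int, int]]] = [(n, e["range"]) for n, e in doms.items() if "range" in e]
    # Pairwise overlap test: two closed intervals overlap when each starts before the other ends.
    for i, (n1, (a1, b1)) in enumerate(ranged):
        for n2, (a2, b2) in ranged[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                problems.append(f"{n1} range {a1}-{b1} overlaps {n2} range {a2}-{b2}")
    return problems
```

For the configuration quoted in the post, check_idmap(SMB_CONF) returns an empty list, so the idmap ranges are not the cause here; the same function can be fed the whole smb.conf file read from disk.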
