[Samba] File server joined to a samba domain accessed by windows 10-11 clients, works via ip not via dns name

Travis Wenks travis at rosecitysolutions.com
Tue Dec 6 20:58:50 UTC 2022


Hi all,
First, thank you for such an amazing project!

Second, an apology for an extremely long post. I tried to add all the info I
could think of so this is a quick fix!

I support multiple client sites that we built samba dc’s from source.

I wrote a quick script to update our client dc’s. As it has no sanity
checks or safeties to not destroy data, I will not post a functional copy of
it here. If anyone would like it I would be glad to email it to anyone who
wants it.

Here is the issue, we started updating 5 sites and once those were done we
started getting reports of network drives failing.

If a user is in a group and that group defines the permissions to access a
share they cannot access it. If the ip address is used it works fine.

So if a user is a member of a group this is the behavior,

\\file-server.domain\share
Fails
\\file-server\share
Fails also, but
\\ip-of-file-server\share
works fine


If I take the same server and copy the share, but give the user direct
access to the share it works
E.g., if Bob is a member of “office-files-rw” and that group has rw
permissions on the file server, it fails.
If I add Bob directly to the share with rw permissions he is fine.

Adding the user to the domain admin group makes it work in all situations.

I don’t think it’s what’s happening, but it’s almost as if the file server
cannot enumerate the users from a group.
I saw a few notes about Kerberos changing from 4.16 to 4.17. Could that be
related?

Environment notes

All sites have two dc’s onsite and a third offsite.

All customers domains are named net.a-domain-they-own.com
In the below config files we have net.rosecitysolutions.com for our lab.

I will refer to all dc’s as
dc-first <— fsmo leader
Dc-second
Dc-third <— offsite dc

All dc’s are Ubuntu 18.04 or 22.04 lts vm’s
They run
Samba
Rsync for sysvol
NTP for time


Most are in dedicated /30 vlans while a few 3/15 are in a /24 with all
servers and the workstations that are trying to access them are in a
separate vlan.

These five customers have domains provisioned without ever having a windows
dc joined.

The file servers affected are all domain members that are 4/5 Synology file
servers and 1/5 is a Ubuntu server running packages on 18.04.

We began to test this in our lab after 17.1 came out and did not detect the
issue, I have changed our testing routine to catch it in the future. We
started updating right before 17.3 came out so 2/5 sites are running 17.2
and 3/5 are running 17.3.

Below is the gist of my update process, I have intentionally left out some
of the potentially destructive commands leaving only the comment describing
it as this is a public forum and I don’t want anyone to grab this and run
it without understanding what it does.
To summarize the below:
Backup everything
Grab new version of Samba
Make and build
Demote dc
Stop samba service
install
Rejoin domain
Copy config files back
Start samba service
Db check

# echo "Shutdown all dc's snapshot before doing anything"
# get idmap file from fsmo leader
    sudo tdbbackup -s .bak /usr/local/samba/private/idmap.ldb

    sudo samba-tool fsmo show
    sudo samba-tool drs showrepl
# backups online backup line
    sudo samba-tool domain backup online --targetdir=/home/$cusername/Backup/ --server=$chostname -U

# get newest version of Samba
    wget https://download.samba.org/pub/samba/samba-latest.tar.gz
# extract newest version of Samba
    tar -xzvf samba-latest.tar.gz --one-top-level --strip-components 1
    cd samba-latest
# Configure, make and dont install yet
    ./configure
    make -j 8
# leave domain
    sudo samba-tool domain demote -U
# stop Samba Service
    sudo systemctl stop samba-ad-dc.service
# change dns to another dc
    echo "change to another dc"
    sudo vim /etc/resolv.conf
#mv krb5.conf
    sudo mv /etc/krb5.conf /etc/krb5.conf.working
# move samba files from old version
    sudo mv /usr/local/samba /usr/local/old.samba
# install samba
    sudo make install
# move config file
    sudo cp /usr/local/old.samba/etc/lmhosts /usr/local/samba/etc/lmhosts
# get domain name
    read -p "Enter domain name in i.e. NET.ROSECITYSOLUTIONS.COM: " cdomname
# rejoin domain
    sudo samba-tool domain join $cdomname dc -U
# rename smb.conf file
    sudo cp /usr/local/old.samba/etc/*.* /usr/local/samba/etc/

    #  change dns to this dc
    echo "change to this dc"
    ip a
    sudo vim /etc/resolv.conf
# mv krb5.conf back
    #mv krb5.conf
    sudo mv /etc/krb5.conf.working /etc/krb5.conf
# copy id map from old server

# copy sysvol back
    sudo cp -r /usr/local/old.samba/var/locks/sysvol /usr/local/samba/var/locks/
# NTACL Reset
    sudo samba-tool ntacl sysvolreset
# start Samba Service
    sudo systemctl start samba-ad-dc.service
# run db check
    sudo samba-tool dbcheck --cross-ncs --fix --yes


Disclaimer:
Again, if you stumble on this thread, please don’t just copy this and run it
in your environment. It is set for how I do things.
Also a week after this runs I go in and do a manual sanity check before
running a cleanup script to remove any garbage from the upgrades.
These are fully working environments with only a few users so the fix we
elected for was to just change the group policies to use ip vs dns.
We reconnected drives and things are working but we are at an upgrade
freeze for our other clients.

I have tested a windows 10 box that I made a file share on and added share
and security permissions for domain users rw in this environment and it
works fine.

I noticed Rowland helped another user where wbinfo -u did not work.
It does work for us.
sudo wbinfo -u
NET\administrator
NET\guest
NET\krbtgt
NET\test-file-share-user


Config files we use
############


##lmhosts##
10.0.0.42       DC-first
10.0.0.46       DC-second
10.0.0.50       DC-third

##Krb5.conf##
[libdefaults]
        default_realm = NET.ROSECITYSOLUTIONS.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        NET.ROSECITYSOLUTIONS.COM = {
                kdc = DC-first
                kdc = DC-second
                kdc = DC-third
        }
[domain_realm]
        .net.rosecitysolutions.com = NET.ROSECITYSOLUTIONS.COM

##Hosts##
127.0.0.1       localhost
10.0.0.42       DC-first.NET.ROSECITYSOLUTIONS.COM        DC-first
10.0.0.46       DC-second.NET.ROSECITYSOLUTIONS.COM        DC-second
10.0.0.50       DC-third.NET.ROSECITYSOLUTIONS.COM   DC-third

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


Hostname
Dc-first

##Smb.conf##
# Global parameters
[global]
        log file = /var/log/samba/%S.log
        dns forwarder = 208.67.220.220 208.67.222.222
        netbios name = RCS-FIRST
        realm = NET.ROSECITYSOLUTIONS.COM
        server role = active directory domain controller
        workgroup = NET
        idmap_ldb:use rfc2307 = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/net.rosecitysolutions.com/scripts
        read only = No


##Netplan  from dc-first##
network:
    ethernets:
        eth0:
            dhcp4: false
            addresses:
            - 10.0.0.42/30
            nameservers:
                addresses:
                - 10.0.0.42
                search:
                - net.rosecitysolutions.com
            routes:
            - to: default
              via: 10.0.0.41
    version: 2

##resolv.conf##
nameserver 10.0.0.42
options edns0 trust-ad
search net.rosecitysolutions.com


NTP.conf is being used and tested that time is still syncing

We also use rsync from the fsmo leader for sysvol

Kinit and klist work from DC's and the Synology as domain admin and as a
test user

Dns works
Dig @dc file-server is correct
Dig @dc file-server.samdom is correct

I have opened a ticket with Synology
They had me disable account caching via
sudo systemctl disable accountdb-cache; sudo systemctl stop accountdb-cache
We left the domain, changed to second dc, flushed cache, and all the other
basic troubleshooting steps.

This did nothing.

I initially thought I broke it via this script or a change happened, but I
cannot find it.
I have been seeing several emails come in the samba lists that seem to be a
similar situation.
I have not seen a solution yet. So I thought I would document everything I
could here.

I have turned logging up and cannot find anything rational; let me know if
that should be added to this.
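
Added example (not part of the original post, and not Samba project code): a check to run on the domain-member file server that asks winbind whether the group named on the share ACL appears among the user's group SIDs, which is the membership lookup the post wonders about. The function names, the verdict strings and the sample SIDs are constructed for illustration; the only external calls are wbinfo --name-to-sid and wbinfo --user-sids.

```shell
#!/bin/sh
# Added example: run on the domain-member file server, not on a DC.
# Usage (names are the post's illustrative ones):
#   sh check.sh 'NET\bob' 'NET\office-files-rw'

# First field of `wbinfo --name-to-sid` output, e.g. "S-1-5-21-... SID_DOM_GROUP (2)".
sid_of() { awk 'NR == 1 { print $1 }'; }

# Reads the user's SID list on stdin (one SID per line, as printed by
# `wbinfo --user-sids`) and reports whether group SID $1 is in it.
# -F -x: fixed-string, whole-line match, so ...-1105 never matches ...-11050.
verdict() {
    if grep -Fxq -- "$1"; then
        echo "winbind-sees-membership"
    else
        echo "winbind-missing-membership"
    fi
}

# Offline self-check on constructed SIDs (not taken from any real domain).
sample_verdict() {
    group_sid=$(echo 'S-1-5-21-1111-2222-3333-1105 SID_DOM_GROUP (2)' | sid_of)
    case "$1" in
        member) last='S-1-5-21-1111-2222-3333-1105' ;;
        *)      last='S-1-5-21-1111-2222-3333-11050' ;;  # near miss only
    esac
    printf '%s\n' 'S-1-5-21-1111-2222-3333-513' "$last" | verdict "$group_sid"
}

# Live check against the local winbindd.
live_check() {
    user_sid=$(wbinfo --name-to-sid="$1" | sid_of)
    group_sid=$(wbinfo --name-to-sid="$2" | sid_of)
    if [ -z "$user_sid" ] || [ -z "$group_sid" ]; then
        echo "lookup-failed"
        return 2
    fi
    wbinfo --user-sids="$user_sid" | verdict "$group_sid"
}

# Only touch winbind when a user and a group are given on the command line.
if [ "$#" -eq 2 ]; then
    live_check "$1" "$2"
fi
```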

