[Samba] Samba 4 AD member lose membership after DC reboot
Patrick Goetz
pgoetz at math.utexas.edu
Thu Mar 31 13:54:30 UTC 2022
On 3/31/22 07:29, Frank via samba wrote:
> Hi Rowland,
>
> thanks for your quick response.
>
> Here is a member smb.conf:
>
> # Global parameters
> [global]
> workgroup = UPC-CT
> realm = UPC-CT.UPC.EDU
> netbios name = RADI
> netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> security = ADS
>
> log level = 5
> username map = /var/lib/samba/user.map
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = rfc2307
> winbind use default domain = Yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 60
>
> idmap config * : backend = tdb
> idmap config * : range = 100-499
> idmap config UPC-CT:backend = ad
> idmap config UPC-CT:schema_mode = rfc2307
> idmap config UPC-CT:range = 500-999999

This is a red flag. You need to reserve UIDs 0-999 for system service
accounts, and you should probably reserve a few UIDs for local accounts
as well, so something like

   idmap config * : range = 3000-9999
   idmap config UPC-CT:range = 10000-999999

If you have users with UIDs less than 1000, bite the bullet and reset
their UIDs to something larger to avoid endless headaches down the road.

> idmap config UPC-CT:unix_nss_info = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> interfaces = lo eth0
> bind interfaces only = yes
>
> [users]
> path = /home/users/
> read only = no
> force create mode = 0600
> force directory mode = 0700
> ..........<here come shares>..............
>
> Francesc Bassas Serramià
> Serveis Informàtics Campus Terrassa
> C/ Colom 2
> 08222 Terrassa (Barcelona)
> Phone: 93.73.98630
> https://serveis.terrassa.upc.edu/sict
>
>
> On 31/3/2022 at 14:00, samba-request at lists.samba.org wrote:
>> On Thu, 2022-03-31 at 11:56 +0200, Frank via samba wrote:
>>> Hi there,
>>>
>>> we have a Samba 4 AD installation with one DC and two members.
>>>
>>> All of them are ubuntu 20.04 with samba 4.13
>>>
>>> The thing is when DC is rebooted, it seems members lose their
>>> membership,
>>> and the only way to recover it is to reboot the member.
>>>
>>> In the wrong state, we get the following in members:
>>>
>>> # net ads testjoin
>>> ads_connect: No logon servers are currently available to service the
>>> logon request.
>>> Join to doman is not valid: No logon servers are currently available
>>> to
>>> service the logon request.
>>>
>>> After member reboot, "testjoin" shows membership recovered:
>>>
>>> # net ads testjoin
>>> Join is OK.
>>>
>>> We suspect it has to do with some winbind parameter.
>> It may be, but as you haven't provided the smb.conf files you are
>> using, saying which parameter, if any, would be a guess.
>> Please post the smb.conf from the DC and a Unix domain member.
>>
>> Rowland
>>
>>
>>
>>
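
Added example, not part of the original message and not Samba's own code: a Python check that reads the idmap range lines from smb.conf text and reports ranges that reach into the 0-999 block the reply says to reserve, or that overlap each other. The function names are hypothetical; the two sample configs are the ranges posted and the ranges suggested in this thread.

```python
import re

# Matches "idmap config <DOMAIN> : range = <low>-<high>" (spaces around ':' optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
RESERVED = (0, 999)  # system service account UIDs, per the reply above

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each idmap range line in smb.conf text."""
    found = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            found[m["dom"]] = (int(m["lo"]), int(m["hi"]))
    return found

def overlaps(a, b):
    """True when inclusive ranges a and b share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_idmap(conf_text, reserved=RESERVED):
    """List findings: ranges touching the reserved block or each other."""
    ranges = idmap_ranges(conf_text)
    findings = []
    for dom, rng in ranges.items():
        if overlaps(rng, reserved):
            findings.append(f"{dom}: {rng[0]}-{rng[1]} overlaps reserved {reserved[0]}-{reserved[1]}")
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"{a} and {b}: ranges overlap")
    return findings

# Ranges as posted in the thread, then as suggested in the reply.
POSTED = """
idmap config * : backend = tdb
idmap config * : range = 100-499
idmap config UPC-CT:backend = ad
idmap config UPC-CT:range = 500-999999
"""
SUGGESTED = """
idmap config * : range = 3000-9999
idmap config UPC-CT:range = 10000-999999
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_idmap(conf) or "ok")
```
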