[Samba] Samba 4 AD member loose membership after DC reboot

Patrick Goetz pgoetz at math.utexas.edu
Thu Mar 31 13:54:30 UTC 2022



On 3/31/22 07:29, Frank via samba wrote:
> Hi Rowland,
> 
> thanks for your quick response.
> 
> Here it is a member smb.conf:
> 
> # Global parameters
> [global]
>          workgroup = UPC-CT
>          realm = UPC-CT.UPC.EDU
>          netbios name = RADI
>          netbios aliases = RADI.UPC.ES RADI.UPC.EDU
>          security = ADS
> 
>          log level = 5
>          username map = /var/lib/samba/user.map
> 
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind nss info = rfc2307
>          winbind use default domain = Yes
>          winbind refresh tickets = yes
>          winbind offline logon = yes
>          winbind cache time = 60
> 
> idmap config * : backend = tdb
> idmap config * : range = 100-499
> idmap config UPC-CT:backend = ad
> idmap config UPC-CT:schema_mode = rfc2307
> idmap config UPC-CT:range = 500-999999


This is a red flag.  You need to reserve UIDs 0-999 for system service 
accounts, and you should probably reserve a few UIDs for local accounts 
as well,  so something like

   idmap config * : range = 3000-9999

   idmap config UPC-CT:range = 10000-999999

If you have users with UIDs less than 1000, bite the bullet and reset 
their UIDs to something larger to avoid endless headaches down the road.


> idmap config UPC-CT:unix_nss_info = yes
> 
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> 
>          interfaces = lo eth0
>          bind interfaces only = yes
> 
> [users]
>           path = /home/users/
>           read only = no
>           force create mode = 0600
>           force directory mode = 0700
> ..........<here come shares>..............
> 
> Francesc Bassas Serramià
> Serveis Informàtics Campus Terrassa
> C/ Colom 2
> 08222 Terrassa (Barcelona)
> Telèfon : 93.73.98630
> https://serveis.terrassa.upc.edu/sict
> 
> 
> El 31/3/2022 a les 14:00, samba-request at lists.samba.org ha escrit:
>> On Thu, 2022-03-31 at 11:56 +0200, Frank via samba wrote:
>>> Hi there,
>>>
>>> we have a Samba 4 AD installation with one DC and two members.
>>>
>>> All of them are ubuntu 20.04 with samba 4.13
>>>
>>> The thing is when DC is rebooted, it seems members lose their
>>> membership,
>>> and the only way to recover it is to reboot the member.
>>>
>>> In the wrong state, we get the following in members:
>>>
>>> # net ads testjoin
>>> ads_connect: No logon servers are currently available to service the
>>> logon request.
>>> Join to doman is not valid: No logon servers are currently available
>>> to
>>> service the logon request.
>>>
>>> After member reboot, "testjoin" shows membership recovered:
>>>
>>> # net ads testjoin
>>> Join is OK.
>>>
>>> We suspect it has to do with some winbind parameter.
>> It may be, but as you haven't provided the smb.conf files you are
>> using, saying which parameter, if any, would be a guess.
>> Please post the smb.conf from the DC and a Unix domain member.
>>
>> Rowland
>>
>>
>>
>>
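
A small checker for the point made in the reply above, as an added example that is not part of the original message: it reads the `idmap config ... : range` lines from smb.conf text and flags ranges that dip into the 0-999 system range or overlap each other. The function names and the embedded sample strings (built from the range values quoted in this thread) are assumptions of the example.

```python
import re

# Assumption of this example: IDs 0-999 belong to system service accounts,
# the reservation recommended in the reply above.
SYSTEM_ID_MAX = 999

# Matches both spellings seen in the thread:
#   idmap config * : range = 100-499
#   idmap config UPC-CT:range = 500-999999
IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOMAIN : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RANGE.match(line)  # comment lines (# or ;) never match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_idmap_ranges(ranges, system_id_max=SYSTEM_ID_MAX):
    """Return a list of findings; an empty list means no collision was found."""
    findings = []
    for domain, (low, high) in sorted(ranges.items()):
        if low > high:
            findings.append(f"{domain}: range {low}-{high} is inverted")
        elif low <= system_id_max:
            findings.append(
                f"{domain}: range {low}-{high} overlaps system IDs 0-{system_id_max}")
    # Sorted by lower bound, any overlap shows up between neighbours.
    by_low = sorted(ranges.items(), key=lambda kv: kv[1])
    for (dom_a, (_, high_a)), (dom_b, (low_b, _)) in zip(by_low, by_low[1:]):
        if low_b <= high_a:
            findings.append(f"{dom_a} and {dom_b}: ranges overlap")
    return findings

# Constructed samples: the range lines quoted in the thread, then the suggested ones.
POSTED = "idmap config * : range = 100-499\nidmap config UPC-CT:range = 500-999999\n"
SUGGESTED = "idmap config * : range = 3000-9999\nidmap config UPC-CT:range = 10000-999999\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_idmap_ranges(parse_idmap_ranges(conf)) or "ok")
```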


