[Samba] Samba 4 AD member loose membership after DC reboot
pgoetz at math.utexas.edu
Thu Mar 31 13:54:30 UTC 2022
On 3/31/22 07:29, Frank via samba wrote:
> Hi Rowland,
> thanks for your quick response.
> Here it is a member smb.conf:
> # Global parameters
> workgroup = UPC-CT
> realm = UPC-CT.UPC.EDU
> netbios name = RADI
> netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> security = ADS
> log level = 5
> username map = /var/lib/samba/user.map
> winbind enum users = yes
> winbind enum groups = yes
> winbind nss info = rfc2307
> winbind use default domain = Yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 60
> idmap config * : backend = tdb
> idmap config * : range = 100-499
> idmap config UPC-CT:backend = ad
> idmap config UPC-CT:schema_mode = rfc2307
> idmap config UPC-CT:range = 500-999999
This is a red flag. You need to reserve UIDs 0-999 for system service
accounts, and you should probably reserve a few UIDs for local accounts
as well, so something like
idmap config * : range = 3000-9999
idmap config UPC-CT:range = 10000-999999
If you have users with UIDs less than 1000, bite the bullet and reset
their UIDs to something larger to avoid endless headaches down the road.
> idmap config UPC-CT:unix_nss_info = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> interfaces = lo eth0
> bind interfaces only = yes
> path = /home/users/
> read only = no
> force create mode = 0600
> force directory mode = 0700
> ..........<here come shares>..............
> Francesc Bassas Serramià
> Serveis Informàtics Campus Terrassa
> C/ Colom 2
> 08222 Terrassa (Barcelona)
> Telephone: 93.73.98630
> On 31/3/2022 at 14:00, samba-request at lists.samba.org wrote:
>> On Thu, 2022-03-31 at 11:56 +0200, Frank via samba wrote:
>>> Hi there,
>>> we have a Samba 4 AD installation with one DC and two members.
>>> All of them are ubuntu 20.04 with samba 4.13
>>> The thing is when DC is rebooted, it seems members lose its
>>> and the only way to recover it is to reboot the member.
>>> In the wrong state, we get the following in members:
>>> # net ads testjoin
>>> ads_connect: No logon servers are currently available to service the
>>> logon request.
>>> Join to doman is not valid: No logon servers are currently available
>>> service the logon request.
>>> After member reboot, "testjoin" shows membership recovered:
>>> # net ads testjoin
>>> Join is OK.
>>> We suspect it has to do with some winbind parameter.
>> It may be, but as you haven't provided the smb.conf files you are
>> using, saying which parameter, if any, would be a guess.
>> Please post the smb.conf from the DC and a Unix domain member.
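The range advice in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Samba: it parses `idmap config ... range` lines and flags ranges that reach into the 0-999 span the reply reserves for system accounts, where a domain account would share a numeric UID (and so file ownership) with a local service account, as well as ranges that overlap each other. The function names are hypothetical; the sample strings are the range lines quoted in the thread.

```python
import re

# "idmap config <DOMAIN> : range = <low>-<high>", colon with or without spaces.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)
SYSTEM_UID_MAX = 999  # the reply reserves UIDs 0-999 for system accounts


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each idmap range line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m["dom"]] = (int(m["lo"]), int(m["hi"]))
    return ranges


def check_idmap_ranges(conf_text):
    """Return a list of findings; an empty list means the layout is clean."""
    ranges = parse_idmap_ranges(conf_text)
    findings = []
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"{dom}: low {lo} is above high {hi}")
        if lo <= SYSTEM_UID_MAX:
            findings.append(f"{dom}: {lo}-{hi} reaches into 0-{SYSTEM_UID_MAX}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings


# Range lines copied from the thread: the posted config and the suggested one.
POSTED = ("idmap config * : backend = tdb\n"
          "idmap config * : range = 100-499\n"
          "idmap config UPC-CT:range = 500-999999\n")
SUGGESTED = ("idmap config * : range = 3000-9999\n"
             "idmap config UPC-CT:range = 10000-999999\n")

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_idmap_ranges(text) or "OK")
```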