[Samba] domain join becomes invalid every 24h

Rowland Penny rpenny at samba.org
Wed Apr 24 08:46:03 UTC 2024


On Wed, 24 Apr 2024 10:58:50 +0300
Alexis Pellicier <alexis.pellicier at nds.k12.tr> wrote:

> Hi Rowland,
> 
> > Your smb.conf seems to be insufficient, there are no 'idmap config'
> > lines, are you using sssd ?
> Yes, I'm using sssd and I didn't post the idmap config lines to keep it
> brief. Here they are:

Why are you using sssd and Samba?
Presumably winbind is also running?

You do not need both, and as you need winbind and smbd for file sharing
on a Unix domain member, I suggest you turn off and remove sssd.

> [global]
>        netbios name = FILESEVER
>        workgroup = WORKGROUP
>        security = ads
>        realm = MY.DOMAIN
>        preferred master = no
>        domain master = no
>        local master = no
>        disable netbios = Yes
>        server signing = auto
>        kerberos method = secrets and keytab
> 
>         min domain uid = 500
>         idmap config * : backend = tdb
>         idmap config * : range = 1000100-3000000
>         idmap config WORKGROUP : backend  = ad
>         idmap config WORKGROUP : range = 500-1000000
>         idmap config WORKGROUP : unix_nss_info = yes
>         idmap config WORKGROUP : unix_primary_group = yes
>         idmap config WORKGROUP : schema_mode = rfc2307

Not the ranges I would have chosen, but this is where you are. I just
hope your 'WORKGROUP' range never gets to 1000100.

> 
>         reset on zero vc = yes
>         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=30 TCP_KEEPCNT=3 TCP_KEEPINTVL=3
> 
>         disable spoolss = yes

Based on my working smb.conf and yours, I suggest you try this:

[global]
       workgroup = WORKGROUP
       security = ads
       realm = MY.DOMAIN
       kerberos method = secrets and keytab

       winbind use default domain = yes
       winbind expand groups = 2
       winbind refresh tickets = Yes
       disable netbios = yes
       dns proxy = no

       min domain uid = 500
       idmap config * : backend = tdb
       idmap config * : range = 1000100-3000000
       idmap config WORKGROUP : backend  = ad
       idmap config WORKGROUP : range = 500-1000000
       idmap config WORKGROUP : unix_nss_info = yes
       idmap config WORKGROUP : unix_primary_group = yes
       idmap config WORKGROUP : schema_mode = rfc2307

       vfs objects = acl_xattr
       map acl inherit = Yes

       # Comment the following 4 lines to act as a print server
       printcap name = /dev/null
       load printers = no
       disable spoolss = yes
       printing = bsd

> Here is a more complete version of the DC's smb.conf:
> [global]
>        workgroup = WORKGROUP
>        realm = my.domain
>        netbios name = DOM
>        server role = active directory domain controller
>        server services = -nbt
>        smb ports = 445
>        idmap_ldb:use rfc2307 = yes
>        kerberos method = default
>        kdc enable fast = yes
>        allow dns updates = signed
>        ntp signd socket directory = /var/lib/ntp/ntp_signd

Is there a reason for moving the ntp_signd directory from its default
/var/lib/samba/ntp_signd?

>         ldap server require strong auth = no

Rowland
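The idmap range concern raised above (the '*' default range and the 'WORKGROUP' range must stay disjoint, and every domain needs a backend and a well-formed range) can be checked mechanically before restarting winbind. The following is an added example, not code from this thread or from the Samba project; `parse_idmap` and `check_idmap` are assumed names, and the embedded smb.conf fragment is constructed from the config quoted in the thread.

```python
import re

# Constructed sample: the idmap lines from the domain member smb.conf in this thread.
SAMPLE_SMB_CONF = """
[global]
       min domain uid = 500
       idmap config * : backend = tdb
       idmap config * : range = 1000100-3000000
       idmap config WORKGROUP : backend  = ad
       idmap config WORKGROUP : range = 500-1000000
"""

# One 'idmap config <domain> : <option> = <value>' line (extra spaces tolerated).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {option: value}} for every idmap config line in conf."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap ranges are consistent."""
    problems, ranges = [], {}
    domains = parse_idmap(conf)
    if "*" not in domains:
        problems.append("missing 'idmap config *' default backend and range")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        try:
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
            if lo < 0 or lo >= hi:
                raise ValueError
            ranges[dom] = (lo, hi)
        except (KeyError, ValueError):
            problems.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
    # Every pair of ranges must be disjoint, or winbind cannot map IDs unambiguously.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges for {a} ({alo}-{ahi}) and {b} ({blo}-{bhi}) overlap")
    return problems
```

Running `check_idmap` over the posted configuration returns an empty list; widening the WORKGROUP range into the tdb range makes it report the overlap.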
