[Samba] Recently joined RODC loses machine accounts
Rowland Penny
rpenny at samba.org
Fri Dec 6 09:45:05 UTC 2024
On Fri, 6 Dec 2024 10:19:31 +0100
Mitja Tavčar via samba <samba at lists.samba.org> wrote:
> >
> > When you say '30 servers' is this 30 servers plus clients, or 30
> > servers including clients ? if the former, then I suggest you
> > upgrade to an RWDC.
>
> Only the servers; some of them are application servers, therefore they
> will become clients of the Samba servers. But most of the clients will
> remain in the main site.
I was actually referring to the number of servers and clients in your
'NEW' site, if they are only small, then an RODC is practicable, but if
they are numerous, then you will probably be better off with an RWDC. It
is also probably a good idea to use an RWDC if the site link is
dubious, but yours doesn't appear to be, so, from that perspective, an
RODC should be OK.
> > Is there a reason to use SMBv1, do you still have clients that
> > require it ? these are usually a very large expensive piece of
> > equipment with a builtin computer that cannot be updated.
>
> Sadly, yes, we have some very old clients that we cannot actually
> change or update.
You might want to consider upgrading them, somehow. Microsoft has, by
default, turned off SMBv1 on Enterprise versions, and Samba has done the
same. Samba is working hard to get to the point that SMBv1 can be
removed, at which point it is very likely Microsoft will do the same.
>
> But the machine accounts are not completely lost; they seem lost if
> I query the Read Only DC, but when I query some of the other DCs the
> machine accounts result OK.
>
> I have found that restarting winbind seems to solve the problem, but
> only for a short time. So I set up a testing script that checks the
> join every 5 minutes and eventually restarts winbind.
>
> The output is this:
> [Thu 05 Dec 2024 03:40:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 03:45:01 PM CET] - Join is OK
> [Thu 05 Dec 2024 03:50:03 PM CET] - Join is OK
> [Thu 05 Dec 2024 03:55:01 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 04:00:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:05:03 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:10:01 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:15:02 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 04:20:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:25:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:30:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:35:01 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 04:40:01 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:45:05 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:50:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 04:55:01 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 05:00:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:05:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:10:02 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 05:15:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:20:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:25:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:30:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:35:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:40:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:45:01 PM CET] - Not joined - restart winbind
> [Thu 05 Dec 2024 05:50:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 05:55:02 PM CET] - Join is OK
> [Thu 05 Dec 2024 06:00:02 PM CET] - Not joined - restart winbind
>
So, AD doesn't lose the clients, it is the clients that lose AD.
Try adding 'winbind refresh tickets = yes' to the clients' smb.conf file
and restarting Samba.
Rowland