[Samba] Kerberos ticket renew causes a brief network interruption

Rowland Penny rpenny at samba.org
Mon Oct 28 14:03:47 UTC 2024


On Mon, 28 Oct 2024 13:41:11 +0000
Hans van Leeuwen <HansvanLeeuwen at mailstreet.nl> wrote:

> Hi Roland Penny,

Who's he?

> 
> Indeed the "idmap.config" parameter line is not added to the smb.conf
> file. But the command below shows that the default values are used.

There are no default values, but there is the default '*' domain. This
is meant for the Well Known SIDs (of which there are fewer than 200) and
anything outside the 'MAIL-STREET' domain (so usually 0). I expected
two extra lines like these:

	idmap config MAIL-STREET : backend = rid
	idmap config MAIL-STREET : range = ?????-???????

> testparm -vs | grep idmap.config 
>         idmap config * : range = 100000-200000
>         idmap config * : backend = tdb

With just those two lines in smb.conf, everything has gone into
the default domain. I do hope that you do not have much stored on your
Unix domain member, because if/when you fix it, you will change your
domain users' IDs.

Try reading these:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Idmap_config_rid

> 
> I did not set sssd, so if sssd is used it happened automatically.
> 
> Can idmap.config and sssd affect the Kerberos usage?

Yes, they can both try to reset the machine password, and whichever
does it first turns the other off. In my opinion, you cannot use sssd
with Samba (well, theoretically you can, but it just doesn't make
sense: you end up with two things doing the same thing, and it will lead to
problems), so if sssd is installed, I would run 'apt purge sssd'.
If you just want authentication then sssd is great, but I would never
use it with Samba.

Rowland
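
An added example, not part of the original message and not Samba's own tooling: a small checker for `testparm -s` output that flags the situation described above, where the workgroup has no `idmap config` lines of its own and only the default '*' domain is configured. The function names, the EXAMPLE domain and the ID ranges in the second sample are constructed for illustration; the `workgroup = MAIL-STREET` line in the first sample is assumed.

```python
import re
from itertools import combinations

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse(text):
    """Return (workgroup, {domain: {option: value}}) from testparm output."""
    workgroup, domains = None, {}
    for line in text.splitlines():
        if m := WORKGROUP.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP.match(line):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def check_idmap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    workgroup, domains = parse(text)
    findings, ranges = [], []
    # The workgroup needs its own idmap lines, otherwise only '*' applies.
    if workgroup and workgroup not in domains:
        findings.append(f"no 'idmap config {workgroup} : ...' lines: "
                        "domain users are mapped in the default '*' domain")
    for dom, opts in domains.items():
        for opt in ("backend", "range"):
            if opt not in opts:
                findings.append(f"idmap config {dom}: missing '{opt}'")
        if m := re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", "")):
            ranges.append((dom, int(m.group(1)), int(m.group(2))))
    # ID ranges of different idmap domains must not overlap.
    for (d1, lo1, hi1), (d2, lo2, hi2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"ID ranges of {d1} and {d2} overlap")
    return findings

# Constructed sample: the two idmap lines from the thread plus an assumed workgroup.
AS_POSTED = ("[global]\n\tworkgroup = MAIL-STREET\n"
             "\tidmap config * : range = 100000-200000\n"
             "\tidmap config * : backend = tdb\n")
# Constructed sample: hypothetical domain EXAMPLE with made-up ranges.
WITH_DOMAIN = ("[global]\n\tworkgroup = EXAMPLE\n"
               "\tidmap config * : backend = tdb\n"
               "\tidmap config * : range = 3000-7999\n"
               "\tidmap config EXAMPLE : backend = rid\n"
               "\tidmap config EXAMPLE : range = 10000-999999\n")

if __name__ == "__main__":
    import sys
    text = AS_POSTED if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(check_idmap(text) or ["no idmap problems flagged"]))
```

Saved under a file name of your choosing, it can be fed real output on a domain member by piping `testparm -s` into it.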


