[Samba] samba 4.18 to 4.20 issue

Luis Peromarta lperoma at icloud.com
Wed Apr 9 06:36:03 UTC 2025


I would call a DC “DC” and not “AD member” for clarity.

Maybe syncing every 15m is too much, as Sysvol does not change unless you change GPOs. Maybe a couple of syncs a day may be enough.

Also see that once the sysvol has been initially synced onto the new DC, all DCs must sync from the FSMO owner DC (GPOs are created/updated there by default).

Also don’t forget to sync idmap. Any idmap from any DC is ok, just make sure all DCs use the same.
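The advice above (pull SysVol and the idmap from the FSMO owner, and do it a couple of times a day rather than every 15 minutes) as an added script, not code from this thread or from the Samba project. The paths, the rsync module name "SysVol", the rsync secret file and root ssh between DCs are assumptions; adjust them to your install.

```sh
#!/bin/sh
# Added example (not from the thread): on a secondary DC, pull SysVol and the
# idmap from whichever DC currently holds the PDC emulator FSMO role.
# Assumed paths and the rsync module "SysVol" follow the Samba wiki rsync
# SysVol workaround; root ssh between DCs is assumed for the idmap copy.
SYSVOL_DIR=/var/lib/samba/sysvol
RSYNC_SECRET=/etc/samba/rsync-sysvol.secret
IDMAP_DB=/var/lib/samba/private/idmap.ldb

# Extract the PDC emulator's host name from `samba-tool fsmo show` output,
# lower-cased so it compares cleanly with `hostname -s`.
pdc_from_fsmo() {
  printf '%s\n' "$1" \
    | sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
    | tr 'A-Z' 'a-z'
}

# "skip" on the FSMO owner itself, "pull" on every other DC, "error" if unknown.
sync_action() {
  me=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if [ -z "$2" ]; then echo error
  elif [ "$me" = "$2" ]; then echo skip
  else echo pull; fi
}
# Pull SysVol from the owner, then reset the NT ACLs so GPO permissions match.
pull_sysvol() {
  rsync -XAavz --delete-after --password-file="$RSYNC_SECRET" \
    "rsync://sysvol-replication@$1/SysVol/" "$SYSVOL_DIR/" \
  && samba-tool ntacl sysvolreset
}

# All DCs must share one idmap: back it up on the owner, copy it here, flush cache.
pull_idmap() {
  ssh "$1" "tdbbackup -s .bak $IDMAP_DB" \
  && rsync -a "$1:$IDMAP_DB.bak" "$IDMAP_DB" && net cache flush
}
# Constructed sample of `samba-tool fsmo show` output (two of its lines).
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=dom
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=dom'
# Cron entry point, e.g. twice a day:  0 6,18 * * * /usr/local/sbin/sysvol-sync.sh run
if [ "${1:-}" = "run" ]; then
  owner=$(pdc_from_fsmo "$(samba-tool fsmo show)")
  case $(sync_action "$(hostname -s)" "$owner") in
    pull) pull_sysvol "$owner" && pull_idmap "$owner" ;;
    skip) echo "This DC holds the PDC emulator role; nothing to pull" ;;
    *)    echo "Could not determine the PDC emulator owner" >&2; exit 1 ;;
  esac
fi
```

Because the owner is looked up on every run, the script keeps pulling from the right DC after a future FSMO transfer without being edited.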


On 9 Apr 2025 at 01:38 +0100, Douglas G. Oechsler via samba <samba at lists.samba.org>, wrote:

> Hello!
>
> I would like to share some information please!
> I forgot to say that we have a second AD member and do a sysvol transfer
> between the AD DC and the AD member from crontab every 15 min.
> Can client AD machines connect to the AD member first on logon, and do
> these 15 min affect changes until the sysvol transfer is right (or the same)
> on the AD member side?
>
> Or am I asking a stupid question?
>
> Thank you for your attention!
>
> On Tue, 8 Apr 2025 at 15:16, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
> > On Tue, 8 Apr 2025 14:41:27 -0300
> > "Douglas G. Oechsler via samba" <samba at lists.samba.org> wrote:
> >
> > > > On Tue, 8 Apr 2025 at 12:22, Rowland Penny via samba <
> > > > samba at lists.samba.org> wrote:
> > > >
> > > > > > On Tue, 8 Apr 2025 11:36:19 -0300
> > > > > > "Douglas G. Oechsler via samba" <samba at lists.samba.org> wrote:
> > > > > >
> > > > > > > > Hello!
> > > > > > > > How are you?
> > > > > > > >
> > > > > > > > I updated Samba 4.18 to 4.20 and made a new Samba AD member with
> > > > > > > > Samba 4.20, then transferred FSMO from 4.18 to 4.20, followed the
> > > > > > > > commands to fix some things and finally disabled 4.18.
> > > > > > > > All appeared to work well for about 20 days
> > > > >
> > > > > >
> > > > > > Could it actually have been 30 days ?
> > > > > >
> > > > > > Yes, or + or -
> > > >
> >
> > If it was 30 days, it could be a kerberos problem, the kerberos ticket
> > isn't being renewed correctly, which is why I asked about sssd, if both
> > are running, then it is possible that the wrong package updates the
> > ticket (and hence becomes the owner).
> >
> > Right!
> >
> > > > > > > > and yesterday, while
> > > > > > > > trying to configure special permissions in RSAT on Windows (read,
> > > > > > > > write and no erase), at the final command it gave total control
> > > > > > > > and did not respect the special permissions command. What can be
> > > > > > > > wrong? When it was 4.18 it was working.
> > > > > > > >
> > > > > > > > *The samba version on samba server files is 4.20.2* package
> > > > > > > > distro
> > > > >

> > The problem with Samba 4.20.x is that it is, from the Samba point of
> > view, in security fixes only mode, so if you are hitting a bug, then it
> > is unlikely to get fixed (unless Red Hat decides to backport any such
> > fix) and indeed it might already have been fixed in a later
> > version.
> > I suggest you use the Tranquil IT Samba packages (you can get 4.21.5)
> > everywhere and see if the problem persists.
> >
>
> Strange! At the end of the afternoon the system was working well (special
> permissions - write-read and no erasing files). Because of this I commented
> about the AD member
>

> > > > > >
> > > > > > How have you setup the file server ?
> > > > > > Can we please see your smb.conf file ?
> > > > > > Is sssd running as well ?
> > > > > >
> > > > > >
> > > >
> > > > No, sssd is not running.
> > > > We have winbind.
> > >

> > Good, but did you follow any of the redhat instructions ?
> >
> I am sorry! About?
>

> > > >
> > > > The samba file server config:
> > > >
> > > > cat /etc/samba/smb.conf
> > > > [global]
> > > >
> > > > bind interfaces only = Yes
> > > > interfaces = lo ens18
> > > > dedicated keytab file = /etc/krb5.keytab
> > > > kerberos method = secrets and keytab
> > > > log file = /var/log/samba/%m.log
> > > > min domain uid = 0
> > > > realm = MYDOMAIN.DOM
> > > > username map = /etc/samba/user.map
> > > > security = ADS
> > > > template homedir = /home/%U
> > > > template shell = /bin/bash
> > > > winbind refresh tickets = Yes
> > > > winbind use default domain = Yes
> > > > workgroup = MYDOMAIN
> > > > idmap config mydomain : range = 10000-999999
> > > > idmap config mydomain : backend = rid
> > > > idmap config * : range = 3000-7999
> > > > idmap config * : backend = tdb
> > > > map acl inherit = Yes
> > > > vfs objects = acl_xattr
> > > > store dos attributes = yes
> > > >
> > > > [Disco-Arquivos]
> > > >
> > > > path = /mnt/diskrede/
> > > > read only = no
> > > > browseable = yes
> > >

> > Nothing really wrong there, you could almost be looking at my smb.conf
> > ;-)
> >
> Great!
> Thank you
>
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> --
> *Douglas Giovani Oechsler*
> e-mail: doguibnu at gmail.com <douglasgiovani at oechsler.com.br>
> *Prudentópolis - PR*

