Giuseppe Barichello
2022-Apr-06  21:11 UTC
[Samba] samba-ad linux clients random access denied to network share
Hi all,

I have configured an AD domain (samba 4.9.5 on debian buster).
Clients are both windows and linux.
Linux clients authenticate users using winbind + kerberos.
All clients access a network share from a server other than the domain server.
Linux clients mount this share using nfs4.

Everything works ok from windows clients.
Linux clients login ok and can access the share according to the user's profile. Most of the time.
Sometimes though they receive an access denied error. When this happens the user is successfully logged in and his kerberos token is valid. Trying to renew the token (kinit -R) or to get a new one (kinit) doesn't fix the problem.
The only workaround I found so far is to login with the user account to a windows client, and then login to the linux client after a while (5-15 minutes).
Another strange thing is that this seems to happen for all linux clients at the same time.
This happens every 5-8 days (as long as I could observe).

Any clue?

TIA,
Giuseppe

smb.conf [on the domain controller]:
==================================
# Global parameters
[global]
        dns forwarder = 10.0.0.254
        netbios name = MYSERVER-AD
        realm = AD.MYDOMAIN.IT
        server role = active directory domain controller
        workgroup = AD
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.mydomain.it/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf [on the machine sharing the disk]
=========================================
[global]
        workgroup = AD
        security = ADS
        realm = AD.MYDOMAIN.IT
        hosts allow = xx.xx.xx.0/24 xx.xx.xx.0/24 xx.xx.xx.0/24
        winbind refresh tickets = Yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        obey pam restrictions = yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        log file = /var/log/samba/%m.log
        log level = 1
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config AD : backend = rid
        idmap config AD : range = 10000-999999
        template shell = /bin/bash
        template homedir = /home/sambausers/%U

[myshare]
        path = /home/myshare
        read only = no

krb5.conf:
========
[libdefaults]
        default_realm = AD.MYDOMAIN.IT
        dns_lookup_realm = false
        dns_lookup_kdc = true
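An added example, not part of the thread: the "access denied" symptom above often comes down to id mapping, so this Python snippet parses the idmap settings from the file-server smb.conf quoted in the post (the fragment is reconstructed from the thread) and checks that every domain has a backend and a range, and that no two ranges overlap (the `*` range in particular must not overlap the `AD` range).

```python
# Added example, not from the mailing-list thread: sanity-check the
# "idmap config" ranges of a Samba member-server smb.conf.
import re

# Fragment constructed from the file-server [global] section in the post.
SMB_CONF = """
[global]
    workgroup = AD
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config AD : backend = rid
    idmap config AD : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg

def check_idmap(cfg):
    """Return a list of problems; an empty list means the ranges look sane."""
    problems = []
    if "*" not in cfg:
        problems.append("no default 'idmap config *' domain")
    for dom, e in cfg.items():
        if "backend" not in e or "range" not in e:
            problems.append(f"{dom}: backend and range must both be set")
        elif e["range"][0] >= e["range"][1]:
            problems.append(f"{dom}: invalid range {e['range']}")
    doms = [d for d in cfg if "range" in cfg[d]]
    for i, a in enumerate(doms):           # pairwise overlap test
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = cfg[a]["range"], cfg[b]["range"]
            if al <= bh and bl <= ah:
                problems.append(f"{a} and {b} ranges overlap")
    return problems
```

For the configuration in the post the check returns no problems, so the intermittent failure is unlikely to be a plain range overlap on the file server.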
Rowland Penny
2022-Apr-07  07:51 UTC
[Samba] samba-ad linux clients random access denied to network share
On Wed, 2022-04-06 at 23:11 +0200, Giuseppe Barichello via samba wrote:
> Hi all,
>
> I have configured an AD domain (samba 4.9.5 on debian buster).

4.9.5 is ancient in Samba terms, I suggest you upgrade to bullseye and then use Samba from here: https://apt.van-belle.nl/

> Clients are both windows and linux.
> Linux clients authenticate users using winbind + kerberos.
> All clients access a network share from a server other than the
> domain server.
> Linux clients mount this share using nfs4.

Why ? You can use cifs and mount it directly.

Upgrading may or may not fix your problem, but if you have found a bug, you have no chance of getting it fixed in 4.9.5

Rowland