Travis Wenks
2022-Dec-06 20:58 UTC
[Samba] File server joined to a samba domain accessed by windows 10-11 clients, works via ip not via dns name
Hi all,

First, thank you for such an amazing project!

Second, an apology for an extremely long post, I tried to add all the info I could think of so this is a quick fix!

I support multiple client sites where we built samba dc's from source.

I wrote a quick script to update our client dc's. As it has no sanity checks or safeties to not destroy data I will not post a functional copy of it here. If anyone would like it I would be glad to email it to anyone who wants it.

Here is the issue: we started updating 5 sites and once those were done we started getting reports of network drives failing.

If a user is in a group and that group defines the permissions to access a share, they cannot access it. If the ip address is used it works fine.

So if a user is a member of a group this is the behavior:

\\file-server.domain\share
Fails
\\file-server\share
Fails also, but
\\ip-of-file-server\share
works fine

If I take the same server and copy the share, but give the user direct access to the share, it works.
E.g. if Bob is a member of "office-files-rw" and that group has rw permissions on the file server, it fails. If I add Bob directly to the share with rw permissions he is fine.

Adding the user to the domain admin group makes it work in all situations.

I don't think it's what's happening, but it's almost as if the file server cannot enumerate the users from a group.

I saw a few notes about Kerberos changing from 4.16 to 4.17, could that be related?

Environment notes

All sites have two dc's onsite and a third offsite.
All customers' domains are named net.a-domain-they-own.com. In the below config files we have net.rosecitysolutions.com for our lab.
I will refer to all dc's as
dc-first <- fsmo leader
dc-second
dc-third <- offsite dc

All dc's are Ubuntu 18.04 or 22.04 LTS VMs. They run:
Samba
Rsync for sysvol
NTP for time

Most are in dedicated /30 vlans while a few (3/15) are in a /24 with all servers, and the workstations that are trying to access them are in a separate vlan.

These five customers have domains provisioned without ever having a windows dc joined. The file servers affected are all domain members: 4/5 are Synology file servers and 1/5 is a Ubuntu server running packages on 18.04.

We began to test this in our lab after 17.1 came out and did not detect the issue; I have changed our testing routine to catch it in the future. We started updating right before 17.3 came out, so 2/5 sites are running 17.2 and 3/5 are running 17.3.

Below is the gist of my update process. I have intentionally left out some of the potentially destructive commands, leaving only the comment describing it, as this is a public forum and I don't want anyone to grab this and run it without understanding what it does.

To summarize the below:
Backup everything
Grab new version of Samba
Make and build
Demote dc
Stop samba service
Install
Rejoin domain
Copy config files back
Start samba service
Db check

# echo "Shutdown all dc's, snapshot before doing anything"
# get idmap file from fsmo leader
sudo tdbbackup -s .bak /usr/local/samba/private/idmap.ldb
sudo samba-tool fsmo show
sudo samba-tool drs showrepl
# backups online backup line
sudo samba-tool domain backup online --targetdir=/home/$cusername/Backup/ --server=$chostname -U
# get newest version of Samba
wget https://download.samba.org/pub/samba/samba-latest.tar.gz
# extract newest version of Samba
tar -xzvf samba-latest.tar.gz --one-top-level --strip-components 1
cd samba-latest
# Configure, make and don't install yet
./configure
make -j 8
# leave domain
sudo samba-tool domain demote -U
# stop Samba Service
sudo systemctl stop samba-ad-dc.service
# change dns to another dc
echo "change to another dc"
sudo vim /etc/resolv.conf
# mv krb5.conf
sudo mv /etc/krb5.conf /etc/krb5.conf.working
# move samba files from old version
sudo mv /usr/local/samba /usr/local/old.samba
# install samba
sudo make install
# move config file
sudo cp /usr/local/old.samba/etc/lmhosts /usr/local/samba/etc/lmhosts
# get domain name
read -p "Enter domain name in i.e. NET.ROSECITYSOLUTIONS.COM: " cdomname
# rejoin domain
sudo samba-tool domain join $cdomname dc -U
# rename smb.conf file
sudo cp /usr/local/old.samba/etc/*.* /usr/local/samba/etc/
# change dns to this dc
echo "change to this dc"
ip a
sudo vim /etc/resolv.conf
# mv krb5.conf back
sudo mv /etc/krb5.conf.working /etc/krb5.conf
# copy id map from old server
# copy sysvol back
sudo cp -r /usr/local/old.samba/var/locks/sysvol /usr/local/samba/var/locks/
# NTACL Reset
sudo samba-tool ntacl sysvolreset
# start Samba Service
sudo systemctl start samba-ad-dc.service
# run db check
sudo samba-tool dbcheck --cross-ncs --fix --yes

Disclaimer: Again, if you stumble on this thread, please don't just copy this and run it in your environment. It is set for how I do things. Also, a week after this runs I go in and do a manual sanity check before running a cleanup script to remove any garbage from the upgrades.

These are fully working environments with only a few users, so the fix we elected for was to just change the group policies to use ip vs dns. We reconnected drives and things are working, but we are at an upgrade freeze for our other clients.

I have tested a windows 10 box that I made a file share on and added share and security permissions for domain users rw in this environment, and it works fine.

I noticed Rowland helped another user where wbinfo -u did not work. It does work for us.

sudo wbinfo -u
NET\administrator
NET\guest
NET\krbtgt
NET\test-file-share-user

Config files we use
############
##lmhosts##
10.0.0.42 DC-first
10.0.0.46 DC-second
10.0.0.50 DC-third

##Krb5.conf##
[libdefaults]
    default_realm = NET.ROSECITYSOLUTIONS.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    NET.ROSECITYSOLUTIONS.COM = {
        kdc = DC-first
        kdc = DC-second
        kdc = DC-third
    }
[domain_realm]
    .net.rosecitysolutions.com = NET.ROSECITYSOLUTIONS.COM

##Hosts##
127.0.0.1 localhost
10.0.0.42 DC-first.NET.ROSECITYSOLUTIONS.COM DC-first
10.0.0.46 DC-second.NET.ROSECITYSOLUTIONS.COM DC-second
10.0.0.50 DC-third.NET.ROSECITYSOLUTIONS.COM DC-third
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Hostname
Dc-first

##Smb.conf##
# Global parameters
[global]
    log file = /var/log/samba/%S.log
    dns forwarder = 208.67.220.220 208.67.222.222
    netbios name = RCS-FIRST
    realm = NET.ROSECITYSOLUTIONS.COM
    server role = active directory domain controller
    workgroup = NET
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/net.rosecitysolutions.com/scripts
    read only = No

##Netplan from dc-first##
network:
  ethernets:
    eth0:
      dhcp4: false
      addresses:
        - 10.0.0.42/30
      nameservers:
        addresses:
          - 10.0.0.42
        search:
          - net.rosecitysolutions.com
      routes:
        - to: default
          via: 10.0.0.41
  version: 2

##resolv.conf##
nameserver 10.0.0.42
options edns0 trust-ad
search net.rosecitysolutions.com

NTP.conf is being used and tested that time is still syncing.
We also use rsync from the fsmo leader for sysvol.
Kinit and klist work from DC's and the Synology as domain admin and as a test user.
Dns works:
Dig @dc file-server is correct
Dig @dc file-server.samdom is correct

I have opened a ticket with Synology. They had me disable account caching via
sudo systemctl disable accountdb-cache; sudo systemctl stop accountdb-cache

We left the domain, changed to second dc, flushed cache, and all the other basic troubleshooting steps. This did nothing.

I initially thought I broke it via this script or a change happened, but I cannot find it.

I have been seeing several emails come in on the samba lists that seem to be a similar situation. I have not seen a solution yet. So I thought I would document everything I could here.

I have turned logging up and cannot find anything rational; let me know if that should be added to this.
Rowland Penny
2022-Dec-06 21:24 UTC
[Samba] File server joined to a samba domain accessed by windows 10-11 clients, works via ip not via dns name
On 06/12/2022 20:58, Travis Wenks via samba wrote:
> Hi all,
> First, thank you for such an amazing project!
>
> Second an apology for an extremely long post, I tried to add all the info I
> could think of so this is a quick fix!
>
> I support multiple client sites that we built samba dc's from source.
>
> I wrote a quick script to update our client dc's. As it has no sanity
> checks or safeties to not destroy data I will not post a functional copy of
> it here. If anyone would like it I would be glad to email it to anyone who
> wants it.
>
> Here is the issue, we started updating 5 sites and once those were done we
> started getting reports of network drives failing.
>
> If a user is in a group and that group defines the permissions to access a
> share they cannot access it. If the ip address is used it works fine.
>
> So if a user is a member of a group this is the behavior,
>
> \\file-server.domain\share
> Fails
> \\file-server\share
> Fails also, but
> \\ip-of-file-server\share
> works fine
>

Sounds like kerberos is failing, but NTLM is working.

Try getting the windows machine to leave the domain and rejoin, this will rewrite the machine's kerberos ticket.

Have you considered using Debian? Bullseye now comes with Samba 4.17.3 from backports, this will save you having to build it yourself.

Rowland
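Rowland's reading above (Kerberos failing while NTLM still works, which is exactly what "name fails, IP works" looks like) and Travis's own checklist (dig, kinit, wbinfo) can be folded into one diagnostic that a domain admin runs from a DC. The script below is an added example and is not code from either poster: it assumes it is run on a Samba AD DC with samba-tool, smbclient and dig installed (Samba 4.15 or newer tools, so smbclient's --use-kerberos= option is available in place of the old -k), after a kinit as the affected test user, and that file-server, net.example.com and the share name are placeholders for the real ones. The has_spn_for_host parser is exercised against a constructed samba-tool spn list listing so the file also runs offline.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): tell the Kerberos path apart from
# the NTLM path for one file server, and confirm the machine account carries
# an SPN that a Windows client asking for cifs/<fqdn> can get a ticket for.
# Usage on a DC, after kinit as the test user:
#   sh krb-vs-ntlm-check.sh file-server net.example.com share

# has_spn_for_host LISTING HOST
# LISTING is the text printed by `samba-tool spn list <account>`; returns 0
# when it contains a cifs/HOST or HOST/HOST entry (case-insensitive, whole
# line). Samba's default sPNMappings let a cifs/ request be served by HOST/,
# so either form is accepted.
has_spn_for_host() {
    listing=$1
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$listing" \
        | tr '[:upper:]' '[:lower:]' \
        | sed 's/^[[:space:]]*//' \
        | grep -qxF -e "cifs/$host" -e "host/$host"
}

# machine_account HOST -> the AD machine account name (HOST$ in upper case).
machine_account() {
    printf '%s$' "$1" | tr '[:lower:]' '[:upper:]'
}

# Constructed sample of a `samba-tool spn list` result, used only for the
# offline self check (no DC needed).
SAMPLE_LISTING='FILE-SERVER$ has the following servicePrincipalName:
	 HOST/FILE-SERVER
	 HOST/file-server.net.example.com
	 cifs/file-server.net.example.com'

# self_check: parser must accept both names on the sample and reject a host
# that is not listed. Returns 0 on success.
self_check() {
    has_spn_for_host "$SAMPLE_LISTING" "file-server.net.example.com" || return 1
    has_spn_for_host "$SAMPLE_LISTING" "FILE-SERVER" || return 1
    if has_spn_for_host "$SAMPLE_LISTING" "other-box.net.example.com"; then
        return 1
    fi
    [ "$(machine_account file-server)" = 'FILE-SERVER$' ]
}

# check_server HOST DOMAIN SHARE: the live checks, run on a DC.
check_server() {
    host=$1; domain=$2; share=$3
    fqdn="$host.$domain"
    acct=$(machine_account "$host")

    echo "== DNS: $fqdn should resolve to the address clients reach it on"
    dig +short "$fqdn"

    echo "== SPNs on machine account $acct"
    spns=$(samba-tool spn list "$acct" 2>&1)
    printf '%s\n' "$spns"
    if has_spn_for_host "$spns" "$fqdn"; then
        echo "   ok: cifs/ or HOST/ SPN present for $fqdn"
    else
        echo "   MISSING: no cifs/ or HOST/ SPN for $fqdn; Kerberos to this name cannot work"
    fi

    echo "== Kerberos-only connection (what a name-based UNC path uses)"
    if smbclient --use-kerberos=required -N "//$fqdn/$share" -c 'ls' >/dev/null; then
        echo "   ok"
    else
        echo "   FAILED: Kerberos path broken (matches 'name fails, IP works')"
    fi

    echo "== NTLM-only connection (what an IP-based UNC path falls back to)"
    if smbclient --use-kerberos=off -U "${USER:-$(id -un)}" "//$fqdn/$share" -c 'ls' >/dev/null; then
        echo "   ok"
    else
        echo "   FAILED: NTLM path broken too, so this is not a Kerberos-only fault"
    fi
}

# Only run the live checks when invoked with host, domain and share.
if [ "$#" -eq 3 ]; then
    check_server "$1" "$2" "$3"
fi
```

If the Kerberos connection fails while the NTLM one succeeds, the next things to compare are the SPN listing against the exact name the clients type (short name versus FQDN, and the NETBIOS name versus the hostname, which differ on the DC shown above) and the client's own ticket cache (klist on the Windows box) rather than group membership on the share.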