Mario Pio Russo
2015-Aug-04 10:19 UTC
[Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC
Hi all,
Version 3.5.6

I have a Samba file share server, running on Ubuntu 10. Samba version is 3.5.6.

Originally this server was using a PDC server based on Samba 3, and all was OK. Now the PDC server has been upgraded via samba-tool to version 4.2.2.

The system itself works generally fine (after a good amount of tuning and configuration), however I am now running into a peculiar issue:

every week, at the weekend, the file share server loses ALL the information regarding the domain groups!

Basically, all the shares that are assigned for sharing report in the group field the numeric version of the group, and not the name. Furthermore, when I run getent group, it does NOT show any domain group.

NOTE that this does not happen for the users. Specific domain users are still associated with their corresponding directories' permissions; furthermore, getent passwd correctly returns all the domain users.

This causes big problems, as the users cannot access their directories because the groups are not recognised.

The only way I am able to resolve this issue is to reboot the server every week.

I need some help in this way:

1) avoid that the groups are lost in the file share
2) find a way to re-associate the groups via command line without rebooting the machine

Any help is well accepted; also let me know if you need any log or configuration files.

Thank you!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
2015-Aug-04 10:50 UTC
[Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC
On 04/08/15 11:19, Mario Pio Russo wrote:
> Hi all
> Version 3.5.6
>
> I have a samba file share server , running on ubuntu 10. Samba version is
> 3.5.6.

Both of these have reached EOL.

>
> Originally this server was using a PDC server based on samba 3, and all was
> ok. now the PDC server has been upgraded via samba-tool to version 4.2.2 .

So you are now running an AD domain instead of an NT4-style domain.

> The system itself works generally fine (after a good amount of tuning and
> configuration), however I am now incurring in a peculiar issue:

Could we please see your fileserver and AD DC smb.confs (suitably sanitized) to see what you have 'tuned'

> every week, at the weekend, the file share server Lose ALL the information
> regarding the domain groups!
>
> basically all the shares that are assigned for sharing, reports in the
> group field the numeric version of the group, and not the name.
> Furthermore, when I run getent group , it does NOT show any domain group.

Known 'feature', whilst 'getent passwd' will show the users (if samba is set up correctly) 'getent group' will not, you need to use 'getent group groupname'

> NOTE that this does not happen for the users. specific domain users are
> still associated with their corresponding directories permissions,
> furthermore getent passwd returns correctly all the domain users.
>
> this causes big problems as the users cannot access their directories as
> the groups are not recognised.
>
> the only way I am able to resolve this issue is to reboot the server every
> week.

This sounds like a keytab problem.

Rowland

>
> I need some help in this way:
>
> 1) avoid that the groups are lost in the file share
> 2) find a way to re-associate the groups via command line without rebooting
> the machine
>
> Any help is well accepted, also let me know if you need any log or
> configuration files.
>
> thank you!
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
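
The distinction drawn in the reply above, between a bare 'getent group' and 'getent group groupname', can be turned into a check that records when by-name resolution actually stops working. The script below is an added example and is not part of any message in this thread; the function names and the group names passed to it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Group names given as arguments are
# placeholders for real domain groups.

# Full enumeration, as in a bare 'getent group'.
enum_groups() { getent group; }

# Lookup of a single group by name, as in 'getent group groupname'.
# getent exits non-zero when the name cannot be resolved.
lookup_group() { getent group "$1"; }

# check_groups NAME...
# Prints one line per group:
#   NAME by-name=yes|no enumerated=yes|no [gid=N]
# Returns the number of groups that failed the by-name lookup. A group that
# is missing from the enumeration but resolves by name is not counted as a
# failure.
check_groups() {
    failed=0
    listing=$(enum_groups 2>/dev/null | cut -d: -f1)
    for g in "$@"; do
        if printf '%s\n' "$listing" | grep -Fqx -- "$g"; then
            enumerated=yes
        else
            enumerated=no
        fi
        if entry=$(lookup_group "$g" 2>/dev/null) && [ -n "$entry" ]; then
            gid=$(printf '%s\n' "$entry" | cut -d: -f3)
            echo "$g by-name=yes enumerated=$enumerated gid=$gid"
        else
            echo "$g by-name=no enumerated=$enumerated"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Possible use from cron, so the time of a failure ends up in syslog:
#   check_groups "group1" "group2" || logger -t groupcheck "group lookup failed"
```

Run periodically on the file server, the by-name column shows when group resolution is really lost, independently of whether enumeration lists the group.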
Mario Pio Russo
2015-Aug-13 14:32 UTC
[Samba] Samba share server loses groups information every week, it is authenticated to a Samba4 AD DC
Hi Rowland, just back from Hols here :)
so the smb.conf of the DC is the following:
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
#server services = -winbindd +winbind
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10000-40000
# Store UIDs/GIDs for all other domains (including local
# accounts/groups of this server) in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# Use home directory and shell information from AD
winbind nss info = rfc2307
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
the smb.conf file of the file server is the following:
[global]
write cache size = 131072
vfs objects = full_audit
full_audit:prefix = %u,%I,%m,%S
# removed this, so we only log failures.
# however will keep it here commented it out for future reference
#full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:facility = local7
full_audit:priority = NOTICE
server string = CSI Samba Server
workgroup = CCDC
netbios name = SEADOG
realm = CCDC.LAN
security = ads
#security = domain
wins server = 9.161.96.220
server signing = mandatory
#password server = 9.161.96.220
map untrusted to domain = yes
wins support = no
wins proxy = no
dns proxy = no
name resolve order = wins host bcast
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
# This is needed, a fake home folder so that users are able to ftp
# this folder is empty but exists, do a getent passwd to see what I mean
template homedir = /home/winbind
local master = no
domain master = no
# To do with ACL mapping to windows
#
dos filemode = Yes
acl group control = Yes
acl map full control = Yes
map acl inherit = Yes
guest account = nobody
invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
log file = /var/log/samba/log.%m
log level = 3
max log size = 2000
syslog = 0
# using these options copied from clearcase.
# back in the day we did research these to death
#
# socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
# This disables print options
# we are not a print server
#
load printers = No
disable spoolss = Yes
smb ports = 139
# every mount from the SAN has a lost+found folder
# to avoid user confusion, have set this to hidden
#
hide files = /lost+found/
aio read size = 1
aio write size = 1
follow symlinks = no
........................... (here goes the share definition, cutting it as don't think it's important)
these parameters come to my attention:
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
I wonder if they cause the groups not to be recognized anymore.
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4