Mario Pio Russo
2015-Sep-01 11:04 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
Good day All

I am re proposing this topic as it keeps happening in our environment and is creating some trouble now.

I have 1 samba file share server, and a different samba4 AD server.

The file server has been recently updated to Ubuntu 14 and its native samba 4.1.6. The samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.

What happens is that every 4~5 days the file share server randomly loses the groups/users associations. When doing ls on the shares, I do not see the domain users / groups but I just see their uid. When I try to access those shares, it gives permission denied. The only option is to reboot the file server. After reboot all comes back to normal. I can see the user/groups when "ls" and I can access/mount the shares. But after a while it all comes back again. Note that when the system is not working, getent group does not show anything, but wbinfo -g shows the groups correctly. On the AD, I have disabled the winbindd and I am using the original winbind.

Here are the 2 smb.conf files (Note, I have cut off most of the shares)

Samba file share:

    [global]
        workgroup = CCDC
        realm = CCDC.LAN
        server string = CSI Samba Server
        server role = member server
        security = ADS
        map untrusted to domain = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 2000
        #smb ports = 139
        name resolve order = wins, host, bcast
        server signing = required
        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        load printers = No
        disable spoolss = Yes
        local master = No
        domain master = No
        dns proxy = No
        wins server = 9.161.96.220
        template homedir = /home/winbind
        winbind cache time = 15
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 10000-20000
        full_audit:priority = NOTICE
        full_audit:facility = local7
        full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
        full_audit:prefix = %u,%I,%m,%S
        idmap config * : backend = tdb
        invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
        acl group control = Yes
        aio read size = 1
        aio write size = 1
        map acl inherit = Yes
        hide files = /lost+found/
        follow symlinks = No
        dos filemode = Yes
        vfs objects = full_audit

    [workplace]
        comment = ICS - CSI mantis build and daily kits folder
        path = /export/ICS/CSI/workplace
        valid users = @"domainusers"
        force create mode = 750
        force directory mode = 740
        writeable = Yes
        browseable = Yes

    [labadmins]
        comment = ICS - CSI Admins Share
        path = /export/ICS/CSI/labadmins
        valid users = @smbLabAdmins
        force create mode = 750
        force directory mode = 740
        writeable = Yes
        browseable = Yes

samba AD:

    # Global parameters
    [global]
        workgroup = CCDC
        realm = CCDC.LAN
        netbios name = CCDC-SAMBA4-DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        server services = -winbindd +winbind
        dns forwarder = 9.0.138.50
        #server services = -winbindd +winbind
        idmap config CCDC:backend = ad
        idmap config CCDC:schema_mode = rfc2307
        idmap config CCDC:range = 10000-40000

        # Store UIDs/GIDs for all other domains (including local
        # accounts/groups of this server) in a tdb file
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

        tls enabled = yes
        tls keyfile = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile

    [netlogon]
        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Funny thing is that I can't find anything relevant in the logs of the file share server.

Any help is really appreciated.

Thank you

___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number 92815.
Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Rowland Penny
2015-Sep-01 12:49 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
On 01/09/15 12:04, Mario Pio Russo wrote:
> [original message quoted in full, trimmed]

OK, I recommend you change your smb.conf files to these:

    [global]
        workgroup = CCDC
        realm = CCDC.LAN
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server string = CSI Samba Server
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind cache time = 15
        winbind refresh tickets = Yes
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config CCDC : backend = rid
        idmap config CCDC : range = 10000-20000
        map untrusted to domain = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 2000
        #smb ports = 139
        name resolve order = wins, host, bcast
        server signing = required
        load printers = No
        disable spoolss = Yes
        local master = No
        domain master = No
        dns proxy = No
        wins server = 9.161.96.220
        template homedir = /home/winbind
        full_audit:priority = NOTICE
        full_audit:facility = local7
        full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
        full_audit:prefix = %u,%I,%m,%S
        invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
        acl group control = Yes
        aio read size = 1
        aio write size = 1
        map acl inherit = Yes
        hide files = /lost+found/
        follow symlinks = No
        dos filemode = Yes
        vfs objects = acl_xattr full_audit
        store dos attributes = Yes

    [workplace]
        comment = ICS - CSI mantis build and daily kits folder
        path = /export/ICS/CSI/workplace
        valid users = @"domainusers"
        force create mode = 750
        force directory mode = 740
        writeable = Yes
        browseable = Yes

    [labadmins]
        comment = ICS - CSI Admins Share
        path = /export/ICS/CSI/labadmins
        valid users = @smbLabAdmins
        force create mode = 750
        force directory mode = 740
        writeable = Yes
        browseable = Yes

    # Global parameters
    [global]
        workgroup = CCDC
        realm = CCDC.LAN
        netbios name = CCDC-SAMBA4-DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        server services = -winbindd +winbind
        dns forwarder = 9.0.138.50
        tls enabled = yes
        tls keyfile = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile

    [netlogon]
        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I would also recommend installing the 'acl' & 'attr' packages (if not already installed), read up on using POSIX ACLs and lose the 'force' lines in the member server conf and use POSIX ACLs instead.

Rowland
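The symptom in the original post (wbinfo -g lists the groups while getent group returns nothing) and the idmap changes recommended in the reply can both be checked mechanically on a member server. The POSIX shell script below is an added example; it is not code from this thread or from the Samba project. It runs against constructed sample data embedded in the script (the wbinfo/getent output, the nsswitch.conf lines and the smb.conf excerpts are made up for the demonstration, modelled on the configs posted above). On a real member server the same functions would be fed the output of `wbinfo -g` and `getent group`, the contents of /etc/nsswitch.conf and the live smb.conf.

```shell
#!/bin/sh
# Added example (not from the thread): health checks for the winbind/NSS
# plumbing on a Samba AD member server. All inputs below are constructed.

# Print group names that winbindd knows ($1 = output of `wbinfo -g`) but the
# NSS layer does not return ($2 = output of `getent group`). Empty output
# means the two views agree; any name printed is the symptom in the thread.
nss_missing_groups() {
    nss_names=$(printf '%s\n' "$2" | cut -d: -f1)
    printf '%s\n' "$1" | while IFS= read -r g; do
        [ -z "$g" ] && continue
        printf '%s\n' "$nss_names" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# Succeed only if both the passwd and group databases in nsswitch.conf
# ($1 = file contents) list the winbind module.
nsswitch_has_winbind() {
    for db in passwd group; do
        printf '%s\n' "$1" \
            | grep -Eq "^[[:space:]]*$db:([^#]*[[:space:]])?winbind([[:space:]]|\$)" \
            || return 1
    done
    return 0
}

# Print the idmap backend configured for domain $2 in smb.conf text $1.
# Empty output means the domain falls through to the '*' backend.
idmap_domain_backend() {
    printf '%s\n' "$1" | sed -nE \
        "s/^[[:space:]]*idmap config[[:space:]]*$2[[:space:]]*:[[:space:]]*backend[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" \
        | head -n 1
}

# Parse every "idmap config <dom> : range = lo-hi" line in $1 and fail
# (exit 1, printing the pair) if any two ranges overlap.
idmap_ranges_overlap() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*idmap config/ && /range/ {
            line = $0
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
            split(line, parts, ":")
            dom = parts[1]; gsub(/[[:space:]]/, "", dom)
            sub(/.*=[[:space:]]*/, "", line)      # keep "lo-hi"
            split(line, b, "-")
            n++; d[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", d[i], lo[i], hi[i], d[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# --- constructed sample data (modelled on the thread, not captured from it) ---
WBINFO_SAMPLE="domain users
domain admins
smbLabAdmins"
GETENT_BROKEN="root:x:0:
domain users:x:10513:
domain admins:x:10512:"
GETENT_HEALTHY="$GETENT_BROKEN
smbLabAdmins:x:11104:"
NSSWITCH_OK="passwd: compat winbind
group:  compat winbind
shadow: compat"
NSSWITCH_BAD="passwd: compat
group:  compat"
MEMBER_OLD="[global]
    workgroup = CCDC
    idmap config * : range = 10000-20000
    idmap config * : backend = tdb"
MEMBER_NEW="[global]
    workgroup = CCDC
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config CCDC : backend = rid
    idmap config CCDC : range = 10000-20000"
OVERLAP_SAMPLE="idmap config * : range = 2000-12000
idmap config CCDC : range = 10000-20000"

echo "groups missing from NSS: $(nss_missing_groups "$WBINFO_SAMPLE" "$GETENT_BROKEN")"
nsswitch_has_winbind "$NSSWITCH_BAD" || echo "nsswitch.conf: winbind not in passwd/group"
echo "CCDC backend in old conf: '$(idmap_domain_backend "$MEMBER_OLD" CCDC)'"
echo "CCDC backend in new conf: '$(idmap_domain_backend "$MEMBER_NEW" CCDC)'"
idmap_ranges_overlap "$MEMBER_NEW" && echo "new conf: idmap ranges are disjoint"
idmap_ranges_overlap "$OVERLAP_SAMPLE" || echo "overlapping ranges detected"
```

An empty result from nss_missing_groups means the NSS side agrees with winbindd; names appearing there while wbinfo can still list them point at the libnss_winbind/idmap layer rather than at the connection to the DC, which is the pattern in the thread. The idmap checks flag the two things the recommended config changes: the original member conf maps the CCDC domain through the catch-all tdb backend, so IDs are handed out on first use rather than computed deterministically, and the '*' and domain ranges must not overlap. One caveat when adopting the rid backend: it derives uid/gid from the range base plus the account's RID, so the numbers will differ from both the earlier tdb allocations and the rfc2307 IDs held on the DC; files already on disk keep their old numeric owners and need to be re-owned after the switch.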
Mario Pio Russo
2015-Sep-01 13:24 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
Great thanks, I'll test your config files now! Some questions before:

> I would also recommend installing the 'acl' & 'attr' packages (if not already installed),

Those are installed and at the latest version on the file share server, are they needed on the AD too (I would think no)?

> read up on using POSIX ACLs and lose the 'force' lines in the member server conf and use POSIX ACLs instead.

Sorry but I don't get this, what do you mean? Some parameters in the smb.conf to setup?

thanks!

Mario Pio Russo, System Admin SWG IT Services Dublin

On 01/09/2015 13:54, Rowland Penny wrote:
> [reply quoted in full, trimmed]