Mario Pio Russo
2015-Sep-01 11:04 UTC
[Samba] on linux samba file shares, groups and user are randomly lost. Using samba4 as Domain controller
Good day All
I am re-proposing this topic as it keeps happening in our environment and is
creating some trouble now.
I have 1 samba file share server, and a different samba4 AD server.
The file server has been recently updated to Ubuntu 14 and its native samba
4.1.6. The samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.
What happens is that every 4~5 days the file share server randomly loses
the groups/users associations. When doing ls on the shares, I do not see
the domain users / groups but I just see their uid. When I try to access
those shares, it gives permission denied. The only option is to reboot the
file server. After reboot all comes back to normal. I can see the
user/groups when "ls" and I can access and mount the shares. But after a
while all comes back again. Note that when the system is not working, getent
group does not show anything, but wbinfo -g shows the groups correctly. On
the AD, I have disabled the winbindd and I am using the original winbind.
Here are the 2 smb.conf files (Note, I have cut off most of the shares)
Samba file share:
[global]
workgroup = CCDC
realm = CCDC.LAN
server string = CSI Samba Server
server role = member server
security = ADS
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
#smb ports = 139
name resolve order = wins, host, bcast
server signing = required
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
load printers = No
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = 9.161.96.220
template homedir = /home/winbind
winbind cache time = 15
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 10000-20000
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:prefix = %u,%I,%m,%S
idmap config * : backend = tdb
invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
acl group control = Yes
aio read size = 1
aio write size = 1
map acl inherit = Yes
hide files = /lost+found/
follow symlinks = No
dos filemode = Yes
vfs objects = full_audit
[workplace]
comment = ICS - CSI mantis build and daily kits folder
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes
[labadmins]
comment = ICS - CSI Admins Share
path = /export/ICS/CSI/labadmins
valid users = @smbLabAdmins
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes
samba AD :
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
#server services = -winbindd +winbind
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10000-40000
# Store UIDs/GIDs for all other domains (including local
# accounts/groups of this server) in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000-9999
# Use home directory and shell information from AD
winbind nss info = rfc2307
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Funny thing is that I can't find anything relevant in the logs of the file
share server.
Any help is really appreciated.
Thank you
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
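The symptom above is a split between two lookup paths: wbinfo talks to winbindd directly, while getent (and ls -l) goes through nsswitch.conf and libnss_winbind, so the two views can diverge. As an added example that is not part of this thread and not Samba's own tooling, here is a check that a cron job can run on the member server to catch that split before users hit permission denied: it compares the group list winbindd serves (wbinfo -g) with what NSS returns (getent group), and looks for entries under a share whose owner uid no longer resolves to a name. It assumes winbind is the NSS source for domain accounts and that winbind use default domain = Yes (so wbinfo prints bare group names); WBINFO_SAMPLE and GETENT_SAMPLE are constructed, not captured from the poster's servers.

```python
#!/usr/bin/env python3
"""Detect domain groups that winbindd still enumerates but NSS no longer
resolves, plus share entries whose owner uid has lost its name.

Added example for this thread; not Samba code. Assumes winbind is the NSS
source for domain accounts and 'winbind use default domain = Yes'.
"""
import os
import pwd
import subprocess
import sys


def parse_wbinfo_groups(text):
    """Set of group names from 'wbinfo -g' output (one name per line)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_getent_groups(text):
    """Map name -> gid from 'getent group' lines: name:x:gid:member,member."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups


def unresolved_groups(wbinfo_text, getent_text):
    """Groups winbindd knows about that NSS cannot resolve by name."""
    return sorted(parse_wbinfo_groups(wbinfo_text) - set(parse_getent_groups(getent_text)))


def unmapped_owners(path):
    """Owner uids of entries directly under 'path' that pwd cannot resolve to a
    name: the same thing 'ls -l' shows when it prints a bare uid."""
    unmapped = set()
    with os.scandir(path) as entries:
        for entry in entries:
            uid = entry.stat(follow_symlinks=False).st_uid
            try:
                pwd.getpwuid(uid)
            except KeyError:
                unmapped.add(uid)
    return sorted(unmapped)


def run(cmd):
    """Stdout of a command, or '' if the binary is missing or it fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def check_live(share_paths):
    """Return 1 (and print details) when NSS has lost groups that winbindd still
    serves, or when a share root has owners that no longer map to a name."""
    missing = unresolved_groups(run(["wbinfo", "-g"]), run(["getent", "group"]))
    problems = [f"group known to winbindd but not to NSS: {g}" for g in missing]
    for share in share_paths:
        for uid in unmapped_owners(share):
            problems.append(f"{share}: owner uid {uid} does not resolve to a name")
    for problem in problems:
        print(problem)
    return 1 if problems else 0


# Constructed samples (not captured from the poster's servers).
WBINFO_SAMPLE = "domainusers\nsmbLabAdmins\ndomain admins\n"
GETENT_SAMPLE = (
    "root:x:0:\n"
    "adm:x:4:syslog\n"
    "smbLabAdmins:x:10003:mario\n"
)

if __name__ == "__main__":
    if sys.argv[1:]:
        sys.exit(check_live(sys.argv[1:]))   # e.g. /export/ICS/CSI/workplace
    print(unresolved_groups(WBINFO_SAMPLE, GETENT_SAMPLE))
```

Run it with the share roots as arguments from cron and alert on a non-zero exit; note that a missing wbinfo binary yields an empty winbindd list and therefore no report, so the job should also fail loudly if wbinfo is not installed.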
Rowland Penny
2015-Sep-01 12:49 UTC
[Samba] on linux samba file shares, groups and user are randomly lost. Using samba4 as Domain controller
On 01/09/15 12:04, Mario Pio Russo wrote:
> [...]

OK, I recommend you change your smb.conf files to these:

[global]
workgroup = CCDC
realm = CCDC.LAN
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = CSI Samba Server
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind cache time = 15
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config CCDC : backend = rid
idmap config CCDC : range = 10000-20000
map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 2000
#smb ports = 139
name resolve order = wins, host, bcast
server signing = required
load printers = No
disable spoolss = Yes
local master = No
domain master = No
dns proxy = No
wins server = 9.161.96.220
template homedir = /home/winbind
full_audit:priority = NOTICE
full_audit:facility = local7
full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
full_audit:prefix = %u,%I,%m,%S
invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
acl group control = Yes
aio read size = 1
aio write size = 1
map acl inherit = Yes
hide files = /lost+found/
follow symlinks = No
dos filemode = Yes
vfs objects = acl_xattr full_audit
store dos attributes = Yes

[workplace]
comment = ICS - CSI mantis build and daily kits folder
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes

[labadmins]
comment = ICS - CSI Admins Share
path = /export/ICS/CSI/labadmins
valid users = @smbLabAdmins
force create mode = 750
force directory mode = 740
writeable = Yes
browseable = Yes

# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4-DC1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
server services = -winbindd +winbind
dns forwarder = 9.0.138.50
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile

[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

I would also recommend installing the 'acl' & 'attr' packages (if not already installed), read up on using POSIX ACLs and lose the 'force' lines in the member server conf and use POSIX ACLs instead.

Rowland
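The member-server config above changes four things that are easy to lose in a long smb.conf: a keytab-backed kerberos method (with dedicated keytab file), winbind refresh tickets, a separate idmap config CCDC block on the rid backend whose range does not overlap the '*' allocator, and, by advice rather than by config, dropping the force ... mode lines in favour of POSIX ACLs. The idmap change is the security-relevant one: with only idmap config * on the tdb backend, every domain SID is allocated an id on first sight from a server-local tdb, so the uid/gid stored on files is tied to that one database, while idmap_rid computes ID = RID + low end of the range and gives the same answer on every server. As an added example that is not part of the thread and not Samba's own code, here is a small linter that checks an smb.conf text for exactly those points; the finding names are the script's own, and BEFORE and AFTER are constructed excerpts of the two member-server configs quoted in this thread.

```python
#!/usr/bin/env python3
"""Lint a Samba member-server smb.conf for the settings the reply above changes.

Added example for this thread: not Samba's own code and not the posters'. The
finding names are this script's own; BEFORE and AFTER are constructed excerpts
of the two member-server configs quoted in the thread.
"""
import re
import sys


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lowercased, spaces collapsed and
    'idmap config DOM : backend' normalized to 'idmap config dom:backend'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            conf[section][key] = value.strip()
    return conf


def parse_range(value):
    """'10000-20000' -> (10000, 20000)."""
    low, high = (int(x) for x in value.split("-", 1))
    return low, high


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def lint(text):
    """List of 'check: detail' strings; empty means nothing to report."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    domain = g.get("workgroup", "").lower()
    findings = []

    if g.get("security", "").lower() == "ads" and "keytab" not in g.get("kerberos method", "").lower():
        findings.append("kerberos-method: security = ADS but 'kerberos method' does not use a "
                        "keytab (reply sets 'secrets and keytab' plus 'dedicated keytab file')")
    if not is_yes(g.get("winbind refresh tickets", "no")):
        findings.append("winbind-refresh-tickets: not enabled (reply sets it to Yes)")
    if domain and f"idmap config {domain}:backend" not in g:
        findings.append(f"idmap-default-only: no 'idmap config {domain.upper()} : backend'; domain "
                        "SIDs are allocated from the server-local '*' tdb on first sight")
    star, dom = g.get("idmap config *:range"), g.get(f"idmap config {domain}:range")
    if star and dom:
        (a, b), (c, d) = parse_range(star), parse_range(dom)
        if a <= d and c <= b:
            findings.append(f"idmap-range-overlap: '*' range {star} overlaps {domain.upper()} range {dom}")
    for section, keys in conf.items():
        if section == "global":
            continue
        for key in ("force create mode", "force directory mode"):
            if key in keys:
                findings.append(f"force-mode: [{section}] sets '{key} = {keys[key]}'; the reply "
                                "recommends POSIX ACLs instead")
    return findings


def rid_backend_id(range_value, rid):
    """idmap_rid maps a SID's RID to ID = RID + low end of the range (base_rid 0);
    None when that lands outside the range. Same input, same id on every server."""
    low, high = parse_range(range_value)
    uid = low + rid
    return uid if low <= uid <= high else None


# Constructed excerpts of the original and the recommended member-server config.
BEFORE = """
[global]
workgroup = CCDC
realm = CCDC.LAN
server role = member server
security = ADS
winbind use default domain = Yes
idmap config * : range = 10000-20000
idmap config * : backend = tdb
vfs objects = full_audit
[workplace]
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
"""

AFTER = """
[global]
workgroup = CCDC
realm = CCDC.LAN
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = Yes
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config CCDC : backend = rid
idmap config CCDC : range = 10000-20000
vfs objects = acl_xattr full_audit
[workplace]
path = /export/ICS/CSI/workplace
valid users = @"domainusers"
force create mode = 750
force directory mode = 740
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if sys.argv[1:] else BEFORE
    for finding in lint(text):
        print(finding)
```

Running it on the original config reports the missing keytab method, the missing ticket refresh, the '*'-only idmap and the force-mode lines; on the recommended config only the force-mode lines remain, which is exactly the part the reply leaves to the reader to replace with POSIX ACLs.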
Mario Pio Russo
2015-Sep-01 13:24 UTC
[Samba] on linux samba file shares, groups and user are randomly lost. Using samba4 as Domain controller
Great thanks, I'll test your config files now! Some questions before:

> I would also recommend Installing the 'acl' & 'attr' packages (if not
> already installed),

Those are installed and at the latest version on the file share server, are they needed on the AD too (I would think no)?

> read up on using POSIX ACLs and lose the 'force' lines in the member
> server conf and use POSIX ACLs instead.

Sorry but I don't get this, what do you mean? Some parameters in the smb.conf to set up?

Thanks!

___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

On 01/09/2015 13:54, Rowland Penny wrote:
> [...]