Mario Pio Russo
2015-Sep-01 13:24 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
Great thanks, I'll test your config files now! Some questions before:

> I would also recommend installing the 'acl' & 'attr' packages (if not
> already installed),

Those are installed and at the latest version on the file share server; are they needed on the AD too (I would think no)?

> read up on using POSIX ACLs and lose the 'force' lines in the member
> server conf and use POSIX ACLs instead.

Sorry, but I don't get this, what do you mean? Some parameters in the smb.conf to set up? Thanks!

___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1 815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 01/09/2015 13:54
Subject: Re: [Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
Sent by: "samba" <samba-bounces at lists.samba.org>

> On 01/09/15 12:04, Mario Pio Russo wrote:
> > Good day All
> >
> > I am re-proposing this topic as it keeps happening in our environment and is
> > creating some trouble now.
> >
> > I have 1 samba file share server, and a different samba4 AD server.
> >
> > The file server has been recently updated to Ubuntu 14 and its native samba
> > 4.1.6. The samba4 AD is on Ubuntu 14 and on sernet-samba 4.2.2.
> >
> > What happens is that every 4~5 days the file share server randomly loses
> > the groups/users associations. When doing ls on the shares, I do not see
> > the domain users / groups but I just see their uid. When I try to access
> > those shares, it gives permission denied. The only option is to reboot the
> > file server. After reboot all comes back to normal: I can see the
> > users/groups when I "ls" and I can access and mount the shares. But after a while
> > it all comes back again. Note that when the system is not working, getent
> > group does not show anything, but wbinfo -g shows the groups correctly. On
> > the AD, I have disabled the winbindd and I am using the original winbind.
> >
> > Here are the 2 smb.conf files (Note, I have cut off most of the shares):
> >
> > Samba file share:
> >
> > [global]
> >     workgroup = CCDC
> >     realm = CCDC.LAN
> >     server string = CSI Samba Server
> >     server role = member server
> >     security = ADS
> >     map untrusted to domain = Yes
> >     syslog = 0
> >     log file = /var/log/samba/log.%m
> >     max log size = 2000
> >     #smb ports = 139
> >     name resolve order = wins, host, bcast
> >     server signing = required
> >     socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> >     load printers = No
> >     disable spoolss = Yes
> >     local master = No
> >     domain master = No
> >     dns proxy = No
> >     wins server = 9.161.96.220
> >     template homedir = /home/winbind
> >     winbind cache time = 15
> >     winbind enum users = Yes
> >     winbind enum groups = Yes
> >     winbind use default domain = Yes
> >     idmap config * : range = 10000-20000
> >     full_audit:priority = NOTICE
> >     full_audit:facility = local7
> >     full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
> >     full_audit:prefix = %u,%I,%m,%S
> >     idmap config * : backend = tdb
> >     invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
> >     acl group control = Yes
> >     aio read size = 1
> >     aio write size = 1
> >     map acl inherit = Yes
> >     hide files = /lost+found/
> >     follow symlinks = No
> >     dos filemode = Yes
> >     vfs objects = full_audit
> >
> > [workplace]
> >     comment = ICS - CSI mantis build and daily kits folder
> >     path = /export/ICS/CSI/workplace
> >     valid users = @"domainusers"
> >     force create mode = 750
> >     force directory mode = 740
> >     writeable = Yes
> >     browseable = Yes
> >
> > [labadmins]
> >     comment = ICS - CSI Admins Share
> >     path = /export/ICS/CSI/labadmins
> >     valid users = @smbLabAdmins
> >     force create mode = 750
> >     force directory mode = 740
> >     writeable = Yes
> >     browseable = Yes
> >
> > samba AD:
> >
> > # Global parameters
> > [global]
> >     workgroup = CCDC
> >     realm = CCDC.LAN
> >     netbios name = CCDC-SAMBA4-DC1
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >
> >     server services = -winbindd +winbind
> >     dns forwarder = 9.0.138.50
> >     #server services = -winbindd +winbind
> >     idmap config CCDC:backend = ad
> >     idmap config CCDC:schema_mode = rfc2307
> >     idmap config CCDC:range = 10000-40000
> >
> >     # Store UIDs/GIDs for all other domains (including local
> >     # accounts/groups of this server) in a tdb file
> >     idmap config *:backend = tdb
> >     idmap config *:range = 2000-9999
> >
> >     # Use home directory and shell information from AD
> >     winbind nss info = rfc2307
> >
> >     tls enabled = yes
> >     tls keyfile = tls/myKey.pem
> >     tls certfile = tls/myCert.pem
> >     tls cafile
> >
> > [netlogon]
> >     path = /var/lib/samba/sysvol/ccdc.lan/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /var/lib/samba/sysvol
> >     read only = No
> >
> > Funny thing is that I can't find anything relevant in the logs of the file
> > share server.
> >
> > Any help is really appreciated.
> >
> > Thank you
>
> OK, I recommend you change your smb.conf files to these:
>
> [global]
>     workgroup = CCDC
>     realm = CCDC.LAN
>     security = ADS
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = CSI Samba Server
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind cache time = 15
>     winbind refresh tickets = Yes
>     idmap config * : backend = tdb
>     idmap config * : range = 2000-9999
>     idmap config CCDC : backend = rid
>     idmap config CCDC : range = 10000-20000
>     map untrusted to domain = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 2000
>     #smb ports = 139
>     name resolve order = wins, host, bcast
>     server signing = required
>     load printers = No
>     disable spoolss = Yes
>     local master = No
>     domain master = No
>     dns proxy = No
>     wins server = 9.161.96.220
>     template homedir = /home/winbind
>     full_audit:priority = NOTICE
>     full_audit:facility = local7
>     full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>     full_audit:prefix = %u,%I,%m,%S
>     invalid users = root, daemon, bin, sys, sync, games, man, lp, mail, news, uucp, proxy, www-data, backup, list, irc, gnats, Debian-exim, sshd, ntpd
>     acl group control = Yes
>     aio read size = 1
>     aio write size = 1
>     map acl inherit = Yes
>     hide files = /lost+found/
>     follow symlinks = No
>     dos filemode = Yes
>     vfs objects = acl_xattr full_audit
>     store dos attributes = Yes
>
> [workplace]
>     comment = ICS - CSI mantis build and daily kits folder
>     path = /export/ICS/CSI/workplace
>     valid users = @"domainusers"
>     force create mode = 750
>     force directory mode = 740
>     writeable = Yes
>     browseable = Yes
>
> [labadmins]
>     comment = ICS - CSI Admins Share
>     path = /export/ICS/CSI/labadmins
>     valid users = @smbLabAdmins
>     force create mode = 750
>     force directory mode = 740
>     writeable = Yes
>     browseable = Yes
>
> # Global parameters
> [global]
>     workgroup = CCDC
>     realm = CCDC.LAN
>     netbios name = CCDC-SAMBA4-DC1
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     server services = -winbindd +winbind
>     dns forwarder = 9.0.138.50
>     tls enabled = yes
>     tls keyfile = tls/myKey.pem
>     tls certfile = tls/myCert.pem
>     tls cafile
>
> [netlogon]
>     path = /var/lib/samba/sysvol/ccdc.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> I would also recommend installing the 'acl' & 'attr' packages (if not
> already installed), read up on using POSIX ACLs and lose the 'force' lines
> in the member server conf and use POSIX ACLs instead.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Sep-01 16:30 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
On 01/09/15 14:24, Mario Pio Russo wrote:
> Great thanks, I'll test your config files now!
>
> Some questions before:
>
>> I would also recommend installing the 'acl' & 'attr' packages (if not
>> already installed),
>
> Those are installed and at the latest version on the file share server; are
> they needed on the AD too (I would think no)?

Yes

>> read up on using POSIX ACLs and lose the 'force' lines in the member
>> server conf and use POSIX ACLs instead.
>
> Sorry, but I don't get this, what do you mean? Some parameters in the
> smb.conf to set up? Thanks!

Have a look here: https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

Basically, you do not have the lines starting with 'force' in the shares; you set the share permissions from Windows.

Rowland
Mario Pio Russo
2015-Sep-02 13:27 UTC
[Samba] on linux samba file shares, groups and users are randomly lost. Using samba4 as Domain controller
Thanks, I will let you know if the issue re-happens.

Mario Pio Russo