The DC's are running Windows Server 2012R2. The directory itself has RFC2307 attributes. The file servers are running FreeBSD with Samba 4.1. These are just member servers, not joined as domain controllers. I have tried to upgrade to Samba 4.2 and Samba 4.3 as a test with no difference. Here is a peek at the smb4.conf via pastebin.

http://pastebin.com/Ai14LREW

Joe Maloney

On Tue, Jan 26, 2016 at 1:35 PM, Rowland penny <rpenny at samba.org> wrote:

> On 26/01/16 18:48, Joe Maloney wrote:
>
>> Hello all,
>> Samba Version 4.1.21 on 8 servers as member servers configured with idmap_ad. I have all the RFC2307 attributes configured for every user and group. I wrote a script to ensure that. I have scripts in place to make sure I don't have duplicates, show users without attributes, etc. I also filter out the users I don't want to see by placing them outside of the range set aside for idmap_ad, and outside of the range used by Samba.
>>
>> In the last few weeks, users belonging to the domain users group quit working. Only users who have been previously added to domain admins show up with getent passwd. All groups show up. I know this had to be a change at the Active Directory level because it was working. Suddenly each server just stopped working, like a domino effect, on different days all within the same week.
>>
>> If I temporarily add a user to domain admins and then remove that access, it fixes the problem. Even if I reboot the server the user remains fixed, so it's not just a temporary issue. Has anyone ever seen anything like this? I am willing to upgrade to a newer Samba version. I am just trying, for my own sanity, to figure out what may have caused the issue when things have been working for months without issue.
>>
>> Joe Maloney
>
> I think you need to give us some more info: what are the DCs running? Can we see a smb.conf from the member servers, this type of thing.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 26/01/16 20:44, Joe Maloney wrote:

> The DC's are running Windows Server 2012R2. The directory itself has RFC2307 attributes. The file servers are running FreeBSD with Samba 4.1. These are just member servers, not joined as domain controllers. I have tried to upgrade to Samba 4.2 and Samba 4.3 as a test with no difference. Here is a peek at the smb4.conf via pastebin.
>
> http://pastebin.com/Ai14LREW
>
> Joe Maloney

OK, try adding these two lines:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

It may be that you are having Kerberos problems and your tickets are expiring. Check if /etc/krb5.keytab exists; you may have to re-join the domain member to the server.

I would also suggest you add these two lines:

    vfs objects = acl_xattr
    map acl inherit = yes

Rowland
I have tried to add all of the above to smb4.conf with no luck. I also did a net ads leave and net ads join. In addition, I cleared the contents of /var/db/samba4. Only users who have once been granted access to domain admins will show up. I am becoming more convinced it is something at the Active Directory level.

Joe Maloney

On Tue, Jan 26, 2016 at 3:17 PM, Rowland penny <rpenny at samba.org> wrote:

> On 26/01/16 20:44, Joe Maloney wrote:
>
>> The DC's are running Windows Server 2012R2. The directory itself has RFC2307 attributes. The file servers are running FreeBSD with Samba 4.1. These are just member servers, not joined as domain controllers. I have tried to upgrade to Samba 4.2 and Samba 4.3 as a test with no difference. Here is a peek at the smb4.conf via pastebin.
>>
>> http://pastebin.com/Ai14LREW
>>
>> Joe Maloney
>
> OK, try adding these two lines:
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
> It may be that you are having Kerberos problems and your tickets are expiring. Check if /etc/krb5.keytab exists; you may have to re-join the domain member to the server.
>
> I would also suggest you add these two lines:
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>
> Rowland
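The thread turns on two things a member server's smb.conf has to get right before anyone blames the directory: the Kerberos keytab settings Rowland suggests, and idmap_ad ranges that do not overlap the default `*` range Joe mentions keeping users clear of. The following linter is an added example, not code from the list posters or from the Samba project; the two smb.conf fragments in it are constructed (the realm `EXAMPLE.LOCAL`, the ranges and the `/etc/krb5.keytab` path are assumptions, not the pastebin config). It parses a member-server config, flags a missing `dedicated keytab file` / `kerberos method` pair, an `ad` backend without `schema_mode = rfc2307`, and any pair of idmap ranges that overlap, so the check can be run against every member server rather than discovered one domino at a time.

```python
"""Lint a Samba member-server smb.conf for idmap_ad and Kerberos keytab settings.

Added example for the mailing-list thread above; the sample configs below are
constructed and do not reproduce the poster's real smb4.conf.
"""
import configparser
import re

# Constructed example of a config with the problems the linter looks for.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 5000-999999
"""

# Constructed example of the same config with the keytab lines from the thread
# added and the domain range moved clear of the default '*' range.
FIXED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
"""


def parse_smb_conf(text):
    """Parse smb.conf text; keys such as 'idmap config DOM : range' contain
    spaces and colons, so only '=' is treated as a delimiter and keys are
    normalised to lower case with collapsed whitespace (smb.conf keys are
    case-insensitive)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = lambda k: re.sub(r"\s+", " ", k.strip().lower())
    # Strip indentation so configparser never treats a key as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def parse_range(value):
    """Return (low, high) for a 'LOW-HIGH' idmap range, or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def lint(text):
    """Return a list of findings (empty list means the config passed every check)."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []

    if g.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' on a domain member")
    # Samba's default for 'kerberos method' is 'secrets only', i.e. no keytab.
    if "keytab" not in g.get("kerberos method", "secrets only").lower():
        findings.append("kerberos method does not use a keytab (default is 'secrets only')")
    if not g.get("dedicated keytab file"):
        findings.append("dedicated keytab file is not set")

    ranges = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if not m:
            continue
        rng = parse_range(value)
        if rng is None:
            findings.append(f"idmap range for '{m.group(1)}' is malformed: {value!r}")
        else:
            ranges[m.group(1)] = rng

    if "*" not in ranges:
        findings.append("no 'idmap config * : range' for the default domain")
    for dom in ranges:
        if dom == "*":
            continue
        if g.get(f"idmap config {dom} : backend", "").lower() == "ad" \
                and g.get(f"idmap config {dom} : schema_mode", "").lower() != "rfc2307":
            findings.append(f"idmap_ad for '{dom}' lacks schema_mode = rfc2307")

    # Any two ranges that overlap let one domain's IDs shadow another's.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint(conf) or 'no findings'}")
```

Run it against a real member server with `lint(open("/usr/local/etc/smb4.conf").read())` (path assumed for FreeBSD; adjust to the local install). The linter only checks the static configuration; whether the keytab in `/etc/krb5.keytab` actually holds current keys, and whether winbind can resolve the domain users group, still needs `net ads testjoin` and `getent passwd` on the box itself.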