samba - Mar 2017 - problem with sessions

Hi i got a pdc with samba 4.5.1 with ldap backend for autentication

The users can login into domain and everythings fine, after some days, the
resources of the networks in this case the shares directory, can't be
access by anyone, even them directory in common to everyone.

i found this message with the same problem

https://lists.samba.org/archive/samba/2014-March/179632.html

and i applied on the samba.conf and krb5.conf but still lossing sessions
with samba-pdc, i applied the configs on sunday, but today after 2 days the
problem persist.

i restart again the services and logout & login again and i can access to
the shares on server.

exist some parameters to avoid this issue?

exist some comunication with kerberos to windows 7 can't renegotiate that
session and expire?

I can notice, windows users are standard users they aren't administrator on
the local machine if help.

it's shoking this problem and have to restart the pc and service to access
again into directories shared by the dc.

thanks so much.


Tony

-- 
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001

On Wed, 1 Mar 2017 13:25:56 +0100
Tony Peña via samba <samba at lists.samba.org> wrote:
> Hi i got a pdc with samba 4.5.1 with ldap backend for autentication 
Is it a PDC or an AD DC ?
> 
> The users can login into domain and everythings fine, after some
> days, the resources of the networks in this case the shares
> directory, can't be access by anyone, even them directory in common
> to everyone.
> 
> i found this message with the same problem
> 
> https://lists.samba.org/archive/samba/2014-March/179632.html
That refers to an AD DC, a PDC is something entirely different.
> 
> and i applied on the samba.conf and krb5.conf but still lossing
> sessions with samba-pdc, i applied the configs on sunday, but today
> after 2 days the problem persist.
> 
I think you need to show us your smb.conf and /etc/krb5.conf (if the
later exists, which it wont do if it is a PDC)

Rowland

On Wed, 1 Mar 2017 16:24:36 +0100
Tony Peña <emperor.cu at gmail.com> wrote:
> Hi thanks by answer quickly
> 
> yes is a ad pdc, i refers to PDC i think will be the same, now i saw
> isn't. anyway, this is the smb.conf and krb5.conf
I suggest you change your smb.conf to:

[global]
    workgroup = sambadc
    realm = SAMBADC.LCL
    netbios name = samba-dc
    server string = SAMBA DC
    server role = active directory domain controller
    server services = -dns
    ldap server require strong auth = no
    idmap_ldb:use rfc2307 = yes

    interfaces = lo,ens160
    bind interfaces only = yes

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000

    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/sambadc.lcl/scripts
    read only = no

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

and change /etc/krb5.conf to:

[libdefaults]
    default_realm = SERVERDC.LCL
    dns_lookup_kdc = true
    dns_lookup_realm = false


I noticed you have this in smb.conf:

    include = /etc/samba/shares.conf

What is in there ?

You also seem to be using Bind9 instead of the internal DNS server, how
have you set this up ?

what is in /etc/hosts and /etc/resolv.conf ?

Rowland

On Wed, 1 Mar 2017 17:48:47 +0100
Tony Peña <emperor.cu at gmail.com> wrote:
>     server role = dc
>     server role = active directory domain controller
> i'm correct ?
Nearly, but you should only have one 'server role' line and the second
line is the correct one.
 
> 
> ----
> 
> on include shares.conf is all share directorys...i got 47 shares...
> so .. i just paste here 1 as example,, the rest are equals just
> changing the path
> 
> [library]
>     comment = Library in common
>     path = /home/samba/shares/Library
>     browseable = Yes
>     read only = No
>     force create mode = 0660
>     force directory mode = 0660
>     vfs objects = acl_xattr full_audit
>     full_audit:failure = connect opendir disconnect unlink mkdir
> rmdir open rename
I take it you haven't read this wiki page:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server

You cannot use POSIX ACLs on a Samba AD DC, so your share should be
something like this:

[library]
    comment = Library in common
    path = /home/samba/shares/Library
    read only = No
    vfs objects = full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open
rename

You also had 'browseable = yes', this the default setting, but it has
no affect on a DC, there is no browsing on a Samba AD DC.

Once you have changed the share, you will need to read this wiki page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> 
> 
> the filesystem is with acl,
> 
> the filesystem on thouse are:    user : group : others
> 
> drwxrwx---+   9 SERVERDC\administrator adm
> 4,0K mar 1 14:26 Library
You will probably need to change this to root:domain admins

Talking of which, I hope you haven't given Administrator a uidNumber.
> 
> on resolv.conf
> 
> root at server-dc:~# cat /etc/resolv.conf
> 
> nameserver 127.0.0.1
> nameserver 8.8.8.8
> nameserver 8.8.4.4
> search serverdc.lcl
You should remove the google nameservers, they should be set as
forwarders in your bind9 conf files.
> 
> the bind is ok, 
I didn't ask if it was 'ok', I asked how you have set it up, I think
you need to post your bind9 conf files.
> i register PC into domain and it's added into ldap
> so i can ping NAME_OF_PC and pinging normally and see it using
> pdbedit. this is somethings i can't understand in some how...
> normally i use openldap, but int this case is samba (simulate ldap) ?
> because i see samba run process to can see from my ldap client the
> whole directory
Yes, Samba 4 running as an AD DC does use its own ldap and the DNS info
is stored in AD, but you need to use 'samba_dlz' to connect to it. You
also need to setup bind9 correctly.

Rowland

Am 01.03.2017 um 18:26 schrieb Rowland Penny via samba:
> You also had 'browseable = yes', this the default setting, but it
has
> no affect on a DC, there is no browsing on a Samba AD DC.
You accidentally mixed network browsing with browsing the list of shares 
on a host.

The "browseable" parameter controls if a share is visible or not when 
you e. g. enter \\hostname\ and it also works on Samba AD DCs. See: 
http://picpaste.de/pics/screenshot-ryQ0HeLa.1488395577.png

Network browsing (network neighbourhood) is currently not implemented in 
Samba AD DCs. The nmbd service is responsible for this job.


Regards,
Marc

Hi again.

the users work usually in this way, browsing the network to find a serverdc
using \\serverdc on explorer file. and after that them choose the correct
share and working on inside with their files need it.

someone set that share as mapped unit with letter Z or Y. but they normally
work in this way daily.

so, i can't set browseable = No because the users need to be see the shares
on the server, else them turn crazy

Ok i restart samba-ad-dc with this settings

root at server-dc:/etc/samba# cat smb.conf
[global]
    workgroup = serverdc
    realm = SERVERDC.LCL
    netbios name = server-dc
    server string = Server DC
    server role = active directory domain controller
    server services = -dns
    server signing = auto
    ldap server require strong auth = no
    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes

    interfaces = lo,ens160
    bind interfaces only = yes

    map to guest = Bad User

    log level = 3
    log file = /var/log/samba/samba.log
    max log size = 100000


    include = /etc/samba/shares.conf

[netlogon]
    path = /var/lib/samba/sysvol/serverdc.lcl/scripts
    browseable = no
    read only = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

--------

shares.conf

47 shares like

[FooBar]
    comment = FooBar
    path = /home/samba/shares/foobar
    browseable = Yes    # users need to browse the network because them
working in this way for many years.
    read only = No
    force create mode = 0660
    force directory mode = 0660
    vfs objects = acl_xattr full_audit
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open
rename

-----

resolv.conf

nameserver 127.0.0.1
search serverdc.lcl

-----

krb5.conf

[libdefaults]
    default_realm = SERVERDC.LCL
    dns_lookup_kdc = true
    dns_lookup_realm = false


-------

all bind files

root at server-dc:/etc/samba# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

--------
named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

-------------------------------
named.conf.local

// Generated by Zentyal

acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    192.168.100.0/22;
};

dlz "AD DNS Zone" {
    database "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

};



zone "100.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.100.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 100.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.0.168.192";
    update-policy {
        // The only allowed dynamic updates are PTR records
        grant serverdc.lcl. subdomain 0.168.192.in-addr.arpa. PTR TXT;
        // Grant from localhost
        grant local-ddns zonesub any;
    };
};

zone "10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "16.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "17.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "18.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "19.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "20.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "21.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "22.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "23.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "24.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "25.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "26.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "27.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "28.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "29.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "30.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "31.172.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};
zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty";
};


----------
named.conf.options

options {
     sortlist {
            { 192.168.100.0/22 ;{ 192.168.100.0/22 ; };};
    };
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;


    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

logging { category lame-servers { null; }; };

------------
after change on smb.conf and krb5.conf with suggestions.
I can on the pc client logout and login into the domain,
can browse the \\server-dc and user Library Ok, but FooBar no (is fine in
this way for this users logged) because the ACL working with filesystem and
is ok....

but my problem from the beginning.... how can i know if i don't lose the
access into (e.g Library share) after 2/3 days ?

exist some tools/command to show if the time expire to the share access? or
with this settings is ok and not happend again?

because my big problem is that! the acl of the share are working ok. it's
just i don't know why after days lose the access and need to restart
services and logout & login again :(

2017-03-01 18:26 GMT+01:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 1 Mar 2017 17:48:47 +0100
> Tony Peña <emperor.cu at gmail.com> wrote:
>
> >     server role = dc
> >     server role = active directory domain controller
> > i'm correct ?
>
> Nearly, but you should only have one 'server role' line and the
second
> line is the correct one.
>
> >
> > ----
> >
> > on include shares.conf is all share directorys...i got 47 shares...
> > so .. i just paste here 1 as example,, the rest are equals just
> > changing the path
> >
> > [library]
> >     comment = Library in common
> >     path = /home/samba/shares/Library
> >     browseable = Yes
> >     read only = No
> >     force create mode = 0660
> >     force directory mode = 0660
> >     vfs objects = acl_xattr full_audit
> >     full_audit:failure = connect opendir disconnect unlink mkdir
> > rmdir open rename
>
> I take it you haven't read this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_
> Active_Directory_Domain_Controller#Using_the_Domain_
> Controller_as_a_File_Server
>
> You cannot use POSIX ACLs on a Samba AD DC, so your share should be
> something like this:
>
> [library]
>     comment = Library in common
>     path = /home/samba/shares/Library
>     read only = No
>     vfs objects = full_audit
>     full_audit:failure = connect opendir disconnect unlink mkdir rmdir
> open rename
>
> You also had 'browseable = yes', this the default setting, but it
has
> no affect on a DC, there is no browsing on a Samba AD DC.
>
> Once you have changed the share, you will need to read this wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> >
> >
> > the filesystem is with acl,
> >
> > the filesystem on thouse are:    user : group : others
> >
> > drwxrwx---+   9 SERVERDC\administrator adm
> > 4,0K mar 1 14:26 Library
>
> You will probably need to change this to root:domain admins
>
> Talking of which, I hope you haven't given Administrator a uidNumber.
>
> >
> > on resolv.conf
> >
> > root at server-dc:~# cat /etc/resolv.conf
> >
> > nameserver 127.0.0.1
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> > search serverdc.lcl
>
> You should remove the google nameservers, they should be set as
> forwarders in your bind9 conf files.
>
> >
> > the bind is ok,
>
> I didn't ask if it was 'ok', I asked how you have set it up, I
think
> you need to post your bind9 conf files.
>
> > i register PC into domain and it's added into ldap
> > so i can ping NAME_OF_PC and pinging normally and see it using
> > pdbedit. this is somethings i can't understand in some how...
> > normally i use openldap, but int this case is samba (simulate ldap) ?
> > because i see samba run process to can see from my ldap client the
> > whole directory
>
> Yes, Samba 4 running as an AD DC does use its own ldap and the DNS info
> is stored in AD, but you need to use 'samba_dlz' to connect to it.
You
> also need to setup bind9 correctly.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
perl -le 's ffSfs.s fSf\x54\x6F\x6E\x79 \x50\x65\x6e\x61f.print'

Secure email with PGP 0x8B021001 available at https://pgp.mit.edu
<https://pgp.mit.edu/pks/lookup?search=0x8B021001&op=index&fingerprint=on&exact=on>
Fingerprint: 74E6 2974 B090 366D CE71  7BB2 6476 FA09 8B02 1001