Julien TEHERY
2017-Aug-16 07:05 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
Hi,

Here is our smb.conf.

Please note that this server uses nss resolution for DOMAIN_B users and the idmap_ldap backend to resolve DOMAIN_A users.

The trusted relationship works well for other services between those two domains. Only the samba4 fileserver needs to rejoin the DOMAIN_A domain (AD 2008 server) every week.

#======================= Global Settings ====================================
[global]
server string = FILESERVER
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
realm = DOMAIN_A
workgroup = DOMAIN_A
os level = 80
bind interfaces only = yes
interfaces = eth0

## Encoding ##
dos charset = 850
#display charset = UTF8

## Name resolution ##
dns proxy = no
wins support = no
name resolve order = host wins bcast lmhosts

## Logs ##
max log size = 50
log level = 10
log file = /var/log/samba/%m.log
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d

## Passwords ##
security = ADS
encrypt passwords = true
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
invalid users = root

## Restrictions ##
hide special files = no
hide unreadable = no
hide dot files = no

## Resolve office save problems ##
oplocks = no

## ACL SUPPORT ##
nt acl support = yes
acl check permissions = yes
acl group control = yes

# WINBIND
ldap ssl =off
ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
ldap suffix = dc=domain_a,dc=xm
ldap timeout = 90
ldap connection timeout = 20
winbind nested groups = yes
winbind expand groups = yes
winbind cache time = 5
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = no
allow trusted domains = yes

# IDMAP MDMAD XM
#GLOBAL
idmap config *: backend = tdb
idmap config *: range = 19000-19999
#DOMAIN_A
idmap config DOMAIN_A : backend = ldap
idmap config DOMAIN_A : range = 20000-9999999999
idmap config DOMAIN_A : ldap_url = ldap://myldap.domain_a.com
idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
#DOMAIN_B
idmap config DOMAIN_B backend = nss
idmap config DOMAIN_B: range = 500-19000

guest account = nobody
map to guest = Bad User

On 13/08/2017 at 10:58, Rowland Penny via samba wrote:
> On Sun, 13 Aug 2017 10:42:44 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>> Hi All,
>>
>> Answering to myself, this problem still occurs again and again, every
>> week as I mentioned before.
>> Rejoining the domain each time for the samba4 file server is the only
>> workaround.
>>
>> What could be the origin of this kind of problem?
>>
> Can you post your smb.conf.
>
> Rowland
Rowland Penny
2017-Aug-16 07:57 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
On Wed, 16 Aug 2017 09:05:32 +0200 Julien TEHERY via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Here is our smb.conf.
>
> Please note that this server uses nss resolution for DOMAIN_B users
> and the idmap_ldap backend to resolve DOMAIN_A users.
>
> The trusted relationship works well for other services between
> those two domains. Only the samba4 fileserver needs to rejoin the DOMAIN_A
> domain (AD 2008 server) every week.
>
> #======================= Global Settings ====================================
> [global]
> server string = FILESERVER
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> realm = DOMAIN_A
> workgroup = DOMAIN_A
> os level = 80
> bind interfaces only = yes
> interfaces = eth0
>
> ## Encoding ##
> dos charset = 850
> #display charset = UTF8
>
> ## Name resolution ##
> dns proxy = no
> wins support = no
> name resolve order = host wins bcast lmhosts
>
> ## Logs ##
> max log size = 50
> log level = 10
> log file = /var/log/samba/%m.log
> syslog only = no
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
>
> ## Passwords ##
> security = ADS
> encrypt passwords = true
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
> invalid users = root
>
> ## Restrictions ##
> hide special files = no
> hide unreadable = no
> hide dot files = no
>
> ## Resolve office save problems ##
> oplocks = no
>
> ## ACL SUPPORT ##
> nt acl support = yes
> acl check permissions = yes
> acl group control = yes
>
> # WINBIND
> ldap ssl =off
> ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
> ldap suffix = dc=domain_a,dc=xm
> ldap timeout = 90
> ldap connection timeout = 20
> winbind nested groups = yes
> winbind expand groups = yes
> winbind cache time = 5
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> winbind use default domain = no
> allow trusted domains = yes
>
> # IDMAP MDMAD XM
> #GLOBAL
> idmap config *: backend = tdb
> idmap config *: range = 19000-19999
> #DOMAIN_A
> idmap config DOMAIN_A : backend = ldap
> idmap config DOMAIN_A : range = 20000-9999999999
> idmap config DOMAIN_A : ldap_url = ldap://myldap.domain_a.com
> idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
> idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
> #DOMAIN_B
> idmap config DOMAIN_B backend = nss
> idmap config DOMAIN_B: range = 500-19000
>
> guest account = nobody
> map to guest = Bad User
>
>
> On 13/08/2017 at 10:58, Rowland Penny via samba wrote:
> > On Sun, 13 Aug 2017 10:42:44 +0200
> > Julien TEHERY via samba <samba at lists.samba.org> wrote:
> >
> >> Hi All,
> >>
> >> Answering to myself, this problem still occurs again and again,
> >> every week as I mentioned before.
> >> Rejoining the domain each time for the samba4 file server is the only
> >> workaround.
> >>
> >> What could be the origin of this kind of problem?
> >>
> > Can you post your smb.conf.
> >
> > Rowland
> >

You did say that this machine is joined to the AD domain (DOMAIN A), didn't you? If so, why, if 'security = ADS' is in smb.conf, are you trying to use ldap to connect to the AD DC ?????
Can I suggest you read 'man smb.conf', 'man idmap_rid', 'man idmap_ad', 'man idmap_nss' and finally this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Sorry to be the bearer of bad news, but your smb.conf is a mess. You should be using the winbind 'ad' or 'rid' backend for DOMAIN_A (as an aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A). You should also probably be using the winbind 'rid' backend for DOMAIN_B, and ALL ranges should not overlap.

Can I also ask, why are you still using Samba 3.5.x? It went EOL 5 years ago.

Rowland
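A small checker for the idmap problems raised above (overlapping ranges, and a DOMAIN_B line that lacks the colon smb.conf requires), added here as an example and not code from the thread or from the Samba project. It parses the idmap lines posted earlier (constructed inline) and also flags a range above the 32-bit uid_t limit, a check the thread itself does not mention.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in this thread,
# including the 'idmap config DOMAIN_B backend = nss' line that lacks its colon.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   idmap config *: backend = tdb
   idmap config *: range = 19000-19999
   idmap config DOMAIN_A : backend = ldap
   idmap config DOMAIN_A : range = 20000-9999999999
   idmap config DOMAIN_B backend = nss
   idmap config DOMAIN_B: range = 500-19000
"""

# 'idmap config <DOMAIN> : <option> = <value>'; smb.conf requires the colon.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$", re.I)
UID_MAX = 0xFFFFFFFF  # uid_t/gid_t are 32-bit on Linux; ids above this cannot be allocated

def parse_idmap(text):
    """Return {domain: {option: value}} for every well-formed 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # a line without the colon (DOMAIN_B's backend) does not match and stays unparsed
            domains.setdefault(m.group("dom"), {})[m.group("opt").lower()] = m.group("val")
    return domains

def check_ranges(domains):
    """Return a list of problems: missing backend/range, bad bounds, overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend parsed (malformed 'idmap config {dom} :' line?)")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        if lo > hi or hi > UID_MAX:
            problems.append(f"{dom}: range {lo}-{hi} is invalid or exceeds 32-bit uid_t")
            continue
        ranges[dom] = (lo, hi)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals share at least one id
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems
```

Run against the posted config it reports the '*' range 19000-19999 overlapping DOMAIN_B's 500-19000 (they share id 19000), the missing DOMAIN_B backend, and the DOMAIN_A upper bound that no uid_t can hold.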
Julien TEHERY
2017-Aug-16 15:47 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
> You did say that this machine is joined to the AD domain (DOMAIN
> A), didn't you ?

Yes

> If so, why, if 'security = ADS' is in smb.conf, are you trying to use
> ldap to connect to the AD DC ?????

Not at all. If that were the case the machine would never have been joined to DOMAIN_A. Joining this machine to the 2008 domain (via net ads join..) succeeds without any problem. About the ldap connector, we just thought winbind would use it towards the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution. We actually use nss to resolve those uid/gid.

> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
> 'man idmap_nss' and finally this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A

Yes I know it's ugly, but this configuration is a transitional one to migrate users and their homes from an old samba NT4 domain to an AD domain. The main goal was to make resources available to users from both domains (it actually works through the bidirectional trust). The fact is this is not the prettiest config; as we didn't have the prerequisites for idmap_ad, we tried the idmap_ldap backend and it works. Using several fileservers, they resolve the same uid/gid for a specific user. IMO I don't think this setup can cause such a cyclic problem (exactly every week..), but I'm probably wrong.

> (as an
> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).

For sure, in production they are different (this is the result of anonymising the config).

> You should
> also probably be using the winbind 'rid' backend for DOMAIN_B

We actually use nss. What advantage does using the rid backend offer instead of nss?

> and ALL
> ranges should not overlap.

A mistake in the copy/paste of the configuration, it's not the case actually.

> Can I also ask, why are you still using Samba 3.5.x ?
> It went EOL 5 years ago.

:) you're right.

Upgrading the main production PDC from this old version has to be studied carefully. Head chiefs decided to migrate to another windows domain instead of maintaining this one as I explained above.

> Rowland

Julien