Julien TEHERY
2017-Aug-16 15:47 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
> You did say that this machine is joined to the AD domain (DOMAIN
> A), didn't you ?

Yes

> If so, why, if 'security = ADS' is in smb.conf, are you trying to use
> ldap to connect to the AD DC ?????

Not at all. If it was the case the machine would never have been joined to DOMAIN_A.
Joining this machine to the 2008 domain (via net ads join..) succeeded without any problem.
About the ldap connector, we just thought winbind would use it towards the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution. We actually use nss to resolve those uid/gid.

> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
> 'man idmap_nss' and finally this:
>
> wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A

Yes I know it's ugly, but this configuration is a transitional one to migrate users and their homes from an old Samba NT4 domain to an AD domain. The main goal was to make resources available to users from both domains (actually it works through a bidirectional trust). The fact is this is not the prettiest config; as we didn't have the prerequisites for idmap_ad, we tried the idmap_ldap backend and it works. Using several fileservers, they resolve the same uid/gid for a specific user. IMO I don't think this setup can cause such a cyclic problem (exactly every week..), but I'm probably wrong.

> (as an
> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).

For sure, in production they are different (this is the result of anonymising the config).

> You should
> also probably be using the winbind 'rid' backend for DOMAIN_B

We actually use nss. What advantage does using the rid backend offer instead of nss?

> and ALL
> ranges should not overlap.

A mistake in copy/paste configuration, it's not the case actually.

> Can I also ask, why are you still using Samba 3.5.x ?
> It went EOL 5 years ago.

:) you're right. Upgrading the main production PDC from this old version has to be studied carefully. Head chiefs decided to migrate to another Windows domain instead of maintaining this one, as I explained above.

> Rowland

Julien
Rowland Penny
2017-Aug-16 16:18 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
Very hard to understand this post, but see inline comments:

On Wed, 16 Aug 2017 17:47:25 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:

> > You did say that this machine is joined to the AD domain (DOMAIN
> > A), didn't you ?
>
> Yes
>
> > If so, why, if 'security = ADS' is in smb.conf, are you trying to
> > use ldap to connect to the AD DC ?????
>
> Not at all. If it was the case the machine would never have been
> joined to DOMAIN_A
> Joining this machine to the 2008 domain (via net ads join..) succeeded
> without any problem.
> About the ldap connector we just thought winbind would use it towards
> the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
> We actually use nss to resolve those uid/gid

It doesn't, and idmap_nss is used to ensure that a local Unix user is mapped to an AD user; the only problem with your setup is, you cannot have a user with the same name in AD and /etc/passwd.

> > Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
> > idmap_ad', 'man idmap_nss' and finally this:
> >
> > wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Please read the manpages and the wikipage.

> > Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> > should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>
> Yes I know it's ugly, but this configuration is a transitional one
> to migrate users and their homes from an old samba NT4 domain to an
> AD domain.
> Main goal was to make resources available to users from both domains
> (actually it works through bidirectional trust).
> The fact is this is not the prettiest config, as we didn't have
> prerequisites for idmap_ad, we tried idmap_ldap backend and it works.

You don't have to use the 'ad' backend, in fact in your case I would use the 'rid' backend.

> Using several fileservers, they resolve the same uid/gid for a
> specific user.
> IMO I don't think this setup can cause such a cyclic problem (exactly
> every week..), but I'm probably wrong.

I don't think it is either, what I think is going wrong is the kerberos ticket is expiring and I don't think you can fix it with your smb.conf.
I would have expected an idmap block something like this:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN_A : backend = rid
idmap config DOMAIN_A : range = 10000-99999
idmap config DOMAIN_B : backend = rid
idmap config DOMAIN_B : range = 10000000-19999999

I would also have expected to see this line:

winbind refresh tickets = Yes

> > (as an
> > aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>
> For sure, in production they are different (this is the result of
> anonymising config)
> > You should
> > also probably be using the winbind 'rid' backend for DOMAIN_B
>
> We actually use nss. What advantage does using the rid backend offer
> instead of nss ?
> > and ALL
> > ranges should not overlap.
>
> A mistake in copy/paste configuration, it's not the case actually.
>
> > Can I also ask, why are you still using Samba 3.5.x ?
> > It went EOL 5 years ago.
>
> :) you're right. Upgrading the main production PDC from this old
> version has to be studied carefully. Head chiefs decided to migrate
> to another windows domain instead of maintaining this one as I
> explained above.

Good choice to migrate, you just seem to have gone about it the wrong way, but they are your domains and you can do it your way.

Rowland
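Two of the points raised in this thread (every domain needs its own idmap backend and range, and no two ranges may overlap, which the poster admits was a copy/paste slip) can be checked mechanically. The checker below is an added example, not code from the thread or from Samba; the smb.conf fragment it parses is constructed, with a DOMAIN_B range deliberately overlapping DOMAIN_A so the check fires.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment (not from the thread): DOMAIN_B's range overlaps DOMAIN_A's.
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN_A : backend = rid
   idmap config DOMAIN_A : range = 10000-99999
   idmap config DOMAIN_B : backend = rid
   idmap config DOMAIN_B : range = 50000-19999999
   winbind refresh tickets = Yes
"""

# Matches "idmap config <domain> : backend|range = <value>" (smb.conf is case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return domains

def check_idmap(conf):
    """Return a list of problem strings; an empty list means the idmap block looks sane."""
    domains = parse_idmap(conf)
    problems = []
    if "*" not in domains:
        problems.append("no default 'idmap config *' block")
    for dom, entry in domains.items():
        if "backend" not in entry:
            problems.append(f"{dom}: no backend")
        if "range" not in entry:
            problems.append(f"{dom}: no range")
    ranged = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in combinations(ranged, 2):
        if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
            problems.append(f"{d1} {lo1}-{hi1} overlaps {d2} {lo2}-{hi2}")
    # The ticket-refresh setting suggested in the thread for expiring Kerberos tickets.
    if not re.search(r"^\s*winbind\s+refresh\s+tickets\s*=\s*yes\s*$", conf, re.I | re.M):
        problems.append("'winbind refresh tickets = Yes' not set")
    return problems
```

Run it against a real smb.conf with `check_idmap(open("/etc/samba/smb.conf").read())`; an empty list is the goal.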
Julien TEHERY
2017-Aug-17 08:05 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
On 16/08/2017 at 18:18, Rowland Penny via samba wrote:
> Very hard to understand this post, but see inline comments:
>
> On Wed, 16 Aug 2017 17:47:25 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>>> You did say that this machine is joined to the AD domain (DOMAIN
>>> A), didn't you ?
>>
>> Yes
>>
>>> If so, why, if 'security = ADS' is in smb.conf, are you trying to
>>> use ldap to connect to the AD DC ?????
>>
>> Not at all. If it was the case the machine would never have been
>> joined to DOMAIN_A
>> Joining this machine to the 2008 domain (via net ads join..) succeeded
>> without any problem.
>> About the ldap connector we just thought winbind would use it towards
>> the ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
>> We actually use nss to resolve those uid/gid
> It doesn't, and idmap_nss is used to ensure that a local Unix user is mapped
> to an AD user; the only problem with your setup is, you cannot have a
> user with the same name in AD and /etc/passwd.
>
>>> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
>>> idmap_ad', 'man idmap_nss' and finally this:
>>>
>>> wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Please read the manpages and the wikipage.
>
>>> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
>>> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>>
>> Yes I know it's ugly, but this configuration is a transitional one
>> to migrate users and their homes from an old samba NT4 domain to an
>> AD domain.
>> Main goal was to make resources available to users from both domains
>> (actually it works through bidirectional trust).
>> The fact is this is not the prettiest config, as we didn't have
>> prerequisites for idmap_ad, we tried idmap_ldap backend and it works.
> You don't have to use the 'ad' backend, in fact in your case I would
> use the 'rid' backend.
>
>> Using several fileservers, they resolve the same uid/gid for a
>> specific user.
>> IMO I don't think this setup can cause such a cyclic problem (exactly
>> every week..), but I'm probably wrong.
> I don't think it is either, what I think is going wrong is the kerberos
> ticket is expiring and I don't think you can fix it with your smb.conf.
> I would have expected an idmap block something like this:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config DOMAIN_A : backend = rid
> idmap config DOMAIN_A : range = 10000-99999
> idmap config DOMAIN_B : backend = rid
> idmap config DOMAIN_B : range = 10000000-19999999
>
> I would also have expected to see this line:
>
> winbind refresh tickets = Yes
>
>>> (as an
>>> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>>
>> For sure, in production they are different (this is the result of
>> anonymising config)
>>> You should
>>> also probably be using the winbind 'rid' backend for DOMAIN_B
>>
>> We actually use nss. What advantage does using the rid backend offer
>> instead of nss ?
>>> and ALL
>>> ranges should not overlap.
>>
>> A mistake in copy/paste configuration, it's not the case actually.
>>
>>> Can I also ask, why are you still using Samba 3.5.x ?
>>> It went EOL 5 years ago.
>>
>> :) you're right. Upgrading the main production PDC from this old
>> version has to be studied carefully. Head chiefs decided to migrate
>> to another windows domain instead of maintaining this one as I
>> explained above.
> Good choice to migrate, you just seem to have gone about it the wrong
> way, but they are your domains and you can do it your way.
>
> Rowland
>

Ticket lifetime is 24 hours by default and renewal lifetime is 7 days in an Active Directory. I will add those configurations:

krb5.conf:
ticket_lifetime = 24h
renew_lifetime = 7d

smb.conf:
winbind refresh tickets = Yes

My guess is that I didn't have a proper setup in krb5.conf. I'll let you know in a week.
Thanks for your help.