Hi, "CLUSTER" is because this server is related to a computing cluster, and is the master node of that cluster ;) No relation with Samba infrastructure, this is just a DNS/Netbios alias. To be honnest the reason why this server is also a DC is to solve a big issue appeared when migrating from 3 to 4. We had no other choice because of a couple of reasons, however it is planed to demote it in the near future howerver at this time it needs to work Ok thank you I will try by removing the winbind lines Regarding the share structure I know this is not a good setup at that time, now we are in the first step : Migrating from 3 to 4, second step will be better share structure. This is needed to reduce disruptions. We always operate like this until now and it was always successful. Why do you say homes are not working on a DC ? We have a couple of servers which are DC and fileserver at the same time (and provide homes shares) For now, the biggest issue is shares are not working when using a DNS alias because a couple of users have network drives or shortcuts which use them Thank you ! ----- Mail original ----- De: "Rowland Penny via samba" <samba at lists.samba.org> À: samba at lists.samba.org Envoyé: Mardi 29 Août 2017 12:39:11 Objet : Re: [Samba] Shares not accessible when using FQDN Please see inline comments: On Tue, 29 Aug 2017 11:47:17 +0200 (CEST) Gaetan SLONGO <gslongo at it-optics.com> wrote:> Hi guys, > > > Thank you for your answer. Meanwhile I have new informations, the > problem also happen on a workstation in the domain. This should not > be a DNS issue. I validated that and I can authenticate and list > shares. Just cannot enter into them when i'm using the FQDN o_O > > > Note : It works well on Linux clients.You surprise me ;-)> > > Here is the Samba config file : > > > Thank you ! > > > > # Global parameters > [global] > netbios name = MOE > realm = ADS.DOMAIN.BE > workgroup = DOMAIN > netbios alias = CLUSTER'CLUSTER' ?? why ? you cannot use a Samba AD DC in a cluster, for one thing there is no need.> server role = active directory domain controller > kerberos method = secrets and keytab > idmap_ldb:use rfc2307 = yes > winbind use default domain = false > winbind offline logon = falseYou should remove the above two lines, they do nothing on an AD DC> template shell = /bin/bash > template homedir = /home/%u > ntlm auth = yes > log level = 4 > > [netlogon] > path = /var/lib/samba/sysvol/ads.DOMAIN.be/scripts > read only = Yes > browsable = no > > [sysvol] > path = /var/lib/samba/sysvol > read only = Yes > browsable = no > > [software] > comment = Installed productlines > path = /opt/DOMAIN/actran_product > read only = Yes > create mask = 0660 > directory mask = 0770 > guest ok = No > > [license] > comment = license > path = /opt/licenses/msctwo > read only = yes > guest ok = No > > [homes] > comment = Home Directories > browseable = no > read only = No > create mask = 0600 > directory mask = 0700 > guest ok = no > printable = no > veto files = > hide dot files = noOK several things here, put the [sysvol] & [netlogon] shares back to what they were when the smb.conf was created. [homes] doesn't work on a DC and you CANNOT use the old Samba3 ways of setting up shares on a DC, you MUST use Windows ACLs, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs and here: https://wiki.samba.org/index.php/User_Home_Folders Rowland Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- www.it-optics.com Gaëtan SLONGO | Head of Infrastructure Department Boulevard Initialis, 28 - 7000 Mons, BELGIUM Company : +32 (0)65 84 23 85 Direct : +32 (0)65 32 85 88 Fax : +32 (0)65 84 66 76 Skype ID : gslongo.pro GPG Key : gslongo-gpg_key.asc - Please consider your environmental responsibility before printing this e-mail -
On Tue, 29 Aug 2017 16:27:46 +0200 (CEST) Gaetan SLONGO <gslongo at it-optics.com> wrote:> Hi, > > > "CLUSTER" is because this server is related to a computing cluster, > and is the master node of that cluster ;) No relation with Samba > infrastructure, this is just a DNS/Netbios alias. To be honnest the > reason why this server is also a DC is to solve a big issue appeared > when migrating from 3 to 4. We had no other choice because of a > couple of reasons, however it is planed to demote it in the near > future howerver at this time it needs to workOK, but netbios doesn't really work on a DC, also what was the 'big issue' that meant you had to use a DC ?> > > Ok thank you I will try by removing the winbind lines > > > Regarding the share structure I know this is not a good setup at that > time, now we are in the first step : Migrating from 3 to 4, second > step will be better share structure. This is needed to reduce > disruptions. We always operate like this until now and it was always > successful. Why do you say homes are not working on a DC ? We have a > couple of servers which are DC and fileserver at the same time (and > provide homes shares)You might think [homes] is working correctly and it might appear to be working, but it will give problems, why do think we put this: The [homes] feature is not supported running on a Samba Active Directory (AD) domain controller (DC). on the 'Users Home Folder' wiki page ?> > > For now, the biggest issue is shares are not working when using a DNS > alias because a couple of users have network drives or shortcuts > which use themYou will need a CNAME in dns on the DC, but all this seems a bit of an overkill for something that is going to be demoted. I think you need to explain what you are migrating from and what you finally hope to end up with. Rowland
Hi Rowland, The reason is long to explain but shortly it was about huge amount of data ~20TB stored on that server with unix user ID (comming from a S3/LDAP setup). On a DC mode it seems unix ID are in use instead of idmap id. CNAME is in added indeed. Regarding the migration as said we came from S3/LDAP and go to 4.6. The entire future structure is not fixed yet but at this time we have a DC, a Fileserver and 3 other servers which should be simple fileservers (member) but currently are DC Thank you ----- Mail original ----- De: "Rowland Penny via samba" <samba at lists.samba.org> À: samba at lists.samba.org Envoyé: Mardi 29 Août 2017 17:03:59 Objet : Re: [Samba] Shares not accessible when using FQDN On Tue, 29 Aug 2017 16:27:46 +0200 (CEST) Gaetan SLONGO <gslongo at it-optics.com> wrote:> Hi, > > > "CLUSTER" is because this server is related to a computing cluster, > and is the master node of that cluster ;) No relation with Samba > infrastructure, this is just a DNS/Netbios alias. To be honnest the > reason why this server is also a DC is to solve a big issue appeared > when migrating from 3 to 4. We had no other choice because of a > couple of reasons, however it is planed to demote it in the near > future howerver at this time it needs to workOK, but netbios doesn't really work on a DC, also what was the 'big issue' that meant you had to use a DC ?> > > Ok thank you I will try by removing the winbind lines > > > Regarding the share structure I know this is not a good setup at that > time, now we are in the first step : Migrating from 3 to 4, second > step will be better share structure. This is needed to reduce > disruptions. We always operate like this until now and it was always > successful. Why do you say homes are not working on a DC ? We have a > couple of servers which are DC and fileserver at the same time (and > provide homes shares)You might think [homes] is working correctly and it might appear to be working, but it will give problems, why do think we put this: The [homes] feature is not supported running on a Samba Active Directory (AD) domain controller (DC). on the 'Users Home Folder' wiki page ?> > > For now, the biggest issue is shares are not working when using a DNS > alias because a couple of users have network drives or shortcuts > which use themYou will need a CNAME in dns on the DC, but all this seems a bit of an overkill for something that is going to be demoted. I think you need to explain what you are migrating from and what you finally hope to end up with. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- www.it-optics.com Gaëtan SLONGO | Head of Infrastructure Department Boulevard Initialis, 28 - 7000 Mons, BELGIUM Company : +32 (0)65 84 23 85 Direct : +32 (0)65 32 85 88 Fax : +32 (0)65 84 66 76 Skype ID : gslongo.pro GPG Key : gslongo-gpg_key.asc - Please consider your environmental responsibility before printing this e-mail -