samba - Jun 2018 - Windows 10 clients slow remapping drives and somewhat inconsistent in reconnecting to the saved map drives

Hello,
I'm a long term samba user through many different flavors from FreeBSD to
Linux.  My latest is using Ubuntu 16.04 with its older version of the 4.2 series
of samba as an AD DC and separate 4.2 series file server.  In my small test
environment the Samba 4.2 AD DC and the Samba 4.2 file server are different LXC
containers on the same host.

I've worked through many of the configuration guides to get the POSIX
attributes in the samba AD directory by provisioning with -use-rfc2307.  And
creating new accounts with appropriate samba-tool add user commands; sudo
samba-tool user add <username> --uid-number=<userUID>
gid-number=<userGID> home-directory=/homes/<username>
login-shell=/bin/bash (So we can migrate the contents of older linux file
servers and not have to change the uid/gid for files, and a few of the systems
are interactive linux systems)

SSSD OR winbind based Linux authentication with AD backend works out fine for
those Ubuntu systems that are not file servers.

The challenge I am facing is with Windows 10 clients mapping drives are somewhat
inconsistent in either their ability to reconnect or how quickly they remap the
drives.  Windows 10 in this case is 1607 LTSB.  The Windows 10 and 7 are mobile
and not domain members, so they remember connections to quickly reconnect
drives.  Fileserver is configured to support both win7 and win10 clients. 
Windows 7 clients don't seem to exhibit any of these issues.  The slow
connection takes about 5-8 seconds to open the drive in file explorer after
logging into desktop and selecting the drive from the remembered connections. 
When this fails I get one of the two errors below.

The two primary errors that the windows 10 client receives are:
1)  "The account is not authorized to log in from this station"  - not
true
I see this issue mostly after the windows 10 system comes out of sleep mode. 
And the only way to get the connection to succeed is reboot the windows 10
client.

2)  "there is a time and/or date difference between the client and
server"  - yes by like 3 seconds
I see this issue mostly after the windows 10 system has been powered off.  If I
check the time between the fileserver and the windows 10 client I see up to 3
second time difference.  IF I get the windows 10 client to update its time from
the network time server the connection reconnects fine then. The windows clients
are not dual boot systems, they use just the single OS.
                # I thought that the time difference could be up to 5 minutes
                # TimeZones seem to be set properly on the Servers and client
Windows systeminfo reports: Time Zone:                 (UTC-05:00) Eastern Time
(US & Canada)
Adjust for Daylight savings


Here is the relevant portions of the samba file server config:
My ideal config makes use of the highest level of security features available
while maintaining compatibility between the two different client versions of
windows and the samba server.

ntlm auth = no
lanman auth = no
raw NTLMv2 auth = no
# Ref:  https://www.samba.org/samba/security/CVE-2016-2111.html
#client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
winbind refresh tickets = yes
realm = dom.example.com
security = ADS
encrypt passwords = yes
# min signaling
server signaling = mandatory
min protocol = SMB2_10
#client min protocol = SMB2
max protocol = SMB3
dedicated keytab file = /etc/krb5.keytab

Diagnostic suggestions?  Recommended configuration changes?

Thanks
                Derek

Derek Werthmuller
Director of Technology Innovation and Services
Center for Technology in Government
518.442.3892
www.ctg.albany.edu<http://www.ctg.albany.edu/>

On Thu, 7 Jun 2018 14:14:50 +0000
"Werthmuller, Derek via samba" <samba at lists.samba.org> wrote:
> Hello,
> I'm a long term samba user through many different flavors from
> FreeBSD to Linux.  My latest is using Ubuntu 16.04 with its older
> version of the 4.2 series of samba as an AD DC and separate 4.2
> series file server.  In my small test environment the Samba 4.2 AD DC
> and the Samba 4.2 file server are different LXC containers on the
> same host.
I have to ask, why 4.2 ?? you would be better off using Ubuntu 18.04
which would get you 4.7.6. 4.2 is EOL as far as Samba is concerned.
> 
> I've worked through many of the configuration guides to get the POSIX
> attributes in the samba AD directory by provisioning with
> -use-rfc2307.  And creating new accounts with appropriate samba-tool
> add user commands; sudo samba-tool user add <username>
> --uid-number=<userUID> gid-number=<userGID>
> home-directory=/homes/<username> login-shell=/bin/bash (So we can
> migrate the contents of older linux file servers and not have to
> change the uid/gid for files, and a few of the systems are
> interactive linux systems)
> 
> SSSD OR winbind based Linux authentication with AD backend works out
> fine for those Ubuntu systems that are not file servers.
> 
> The challenge I am facing is with Windows 10 clients mapping drives
> are somewhat inconsistent in either their ability to reconnect or how
> quickly they remap the drives.  Windows 10 in this case is 1607
> LTSB.  The Windows 10 and 7 are mobile and not domain members, so
> they remember connections to quickly reconnect drives.  Fileserver is
> configured to support both win7 and win10 clients.  Windows 7 clients
> don't seem to exhibit any of these issues.  The slow connection takes
> about 5-8 seconds to open the drive in file explorer after logging
> into desktop and selecting the drive from the remembered
> connections.  When this fails I get one of the two errors below.
> 
> The two primary errors that the windows 10 client receives are:
> 1)  "The account is not authorized to log in from this station" 
-
> not true I see this issue mostly after the windows 10 system comes
> out of sleep mode.  And the only way to get the connection to succeed
> is reboot the windows 10 client.
> 
> 2)  "there is a time and/or date difference between the client and
> server"  - yes by like 3 seconds I see this issue mostly after the
> windows 10 system has been powered off.  If I check the time between
> the fileserver and the windows 10 client I see up to 3 second time
> difference.  IF I get the windows 10 client to update its time from
> the network time server the connection reconnects fine then. The
> windows clients are not dual boot systems, they use just the single
> OS. # I thought that the time difference could be up to 5 minutes #
> TimeZones seem to be set properly on the Servers and client Windows
> systeminfo reports: Time Zone:                 (UTC-05:00) Eastern
> Time (US & Canada) Adjust for Daylight savings
> 
> 
> Here is the relevant portions of the samba file server config:
> My ideal config makes use of the highest level of security features
> available while maintaining compatibility between the two different
> client versions of windows and the samba server.
> 
> ntlm auth = no
> lanman auth = no
> raw NTLMv2 auth = no
> # Ref:  https://www.samba.org/samba/security/CVE-2016-2111.html
> #client signing = yes
> client use spnego = yes
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> realm = dom.example.com
> security = ADS
> encrypt passwords = yes
> # min signaling
> server signaling = mandatory
> min protocol = SMB2_10
> #client min protocol = SMB2
> max protocol = SMB3
> dedicated keytab file = /etc/krb5.keytab
> 
> Diagnostic suggestions?  Recommended configuration changes?
Yes, upgrade ;-)

Rowland

> > The two primary errors that the windows 10 client receives are:
> > 1)  "The account is not authorized to log in from this
station"  -
> > not true I see this issue mostly after the windows 10 system comes
> > out of sleep mode.  And the only way to get the connection 
> to succeed
> > is reboot the windows 10 client.
> > 
> > 2)  "there is a time and/or date difference between the client
and
> > server"  - yes by like 3 seconds I see this issue mostly after
the
> > windows 10 system has been powered off.  If I check the time between
> > the fileserver and the windows 10 client I see up to 3 second time
> > difference.  IF I get the windows 10 client to update its time from
> > the network time server the connection reconnects fine then. The
> > windows clients are not dual boot systems, they use just the single
> > OS. # I thought that the time difference could be up to 5 minutes #
> > TimeZones seem to be set properly on the Servers and client Windows
> > systeminfo reports: Time Zone:                 (UTC-05:00) Eastern
> > Time (US & Canada) Adjust for Daylight savings
1) Try, go into the bios of that computer, and check the bios time. 
	set it close to the AD DC time. 

2) see 1. and that did not help, did you see this in the even log of the PC? 
   Can you post the exact id the event info.
   Yes, you "should" have 5 min, but the event log should show that. 

> Here is the relevant portions of the samba file server config:
> My ideal config makes use of the highest level of security features
> available while maintaining compatibility between the two different
> client versions of windows and the samba server.
That's my ideal config also, but i've thats in the samba case not always
the best setting.
I also suggest you upgrade you samba as Rowland also told and then remove almost
everything you posted of that member config.
And keep: 
> realm = dom.example.com
> security = ADS
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> winbind refresh tickets = yes
And a few things you can try without upgrading samba.

Disable the "Show first sign-in animation" setting through GPO.

If you use any loginscript, what if you disable them, and you can do almost
anything with GPO also if you really need.

If you dont use onedrive. Disable it by GPO.

Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > OneDrive.

Turn of Animation of every start menu item.  ( disable all live-tiles )

Go throug every windows settting in privacy. Disable as much as you can. 
	Tip. If you disable for example background apps. Follow this order. 
	Disable every single app, then disable it with the top button. The advantage of
this is.....
	If MS enables the background apps again, now all others keep disabled ;-)  
	I follow this for every privacy setting. 
	And this result in a about 10% faster windows. 

Turn off the sleep function.
 
Disable fast start.
https://www.windowscentral.com/how-disable-windows-10-fast-startup
The location maybe be in an other place.. 
Last, remove /disable smb1 from you win10 if you did not do that already. 

So a few thing you can try. 
Most things i showed above wil reduce outgoing connections to the internet.
If you take care of most, you wil notice you pc is faster now. 


Greetz, 

Louis