samba - Apr 2019 - Windows clients require reboot once a day in order to access mapped drives

Hello,

I hope someone has seen this before and knows what's going on.  Given the
time delay between the problem recurring, I'm guessing the issue lies with
Kerberos, but I'm not sure how to verify that or how to resolve the issue.
If you need more info, please let me know.

Problem:
Each morning, windows users are not able to access their mapped drives.
Once they reboot their computers, they are fine for another day.

Configuration:

   - Samba AD DC, running on Ubuntu 18.04, using the stock samba package
   (4.7.6)
   - Samba file server, running on CentOS 7.6, using the stock samba
   package (4.8.3)
   - Mix of windows 7 and windows 10 clients.  Users on both platforms have
   reported this issue



smb.conf on AD DC
--------------------------------

# Global parameters
[global]
        dns forwarder = 10.0.38.1
        netbios name = AD1
        realm = REALM.EXAMPLE.COM
        server role = active directory domain controller
        workgroup = REALM
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/realm.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


krb5.conf on AD DC
------------------------------
[libdefaults]
        default_realm =  REALM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true



smb.conf on file server
----------------------------------

[global]
kerberos method = system keytab
workgroup = REALM
security = ads
realm = REALM.EXAMPLE.COM

# Logging
log file = /var/log/samba/%m.log
log level = 3

idmap config REALM : range = 2000000-2999999
idmap config REALM : backend = rid
idmap config * : range = 10000-999999
idmap config * : backend = tdb

winbind use default domain = no
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum groups = no
winbind enum users = no

username map = /etc/samba/user.map
bind interfaces only = yes
interfaces = lo eth0

vfs objects = acl_xattr
acl_xattr:default acl style = windows
map acl inherit = yes
store dos attributes = yes
template shell = /bin/false
disable netbios = yes
client max protocol = SMB3
smb encrypt = desired
access based share enum = yes
template homedir = /srv/samba/Users/%U
obey pam restrictions = yes

[Users]
        path = /srv/samba/Users
        comment = Share for user home dirs
        guest ok = no
        read only = no

[Shared]
       path = /srv/samba/Shared
       guest ok = no
       read only = no


krb5.conf on file server
------------------------------
[libdefaults]
        default_realm =  REALM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true


-- 

Mason

On Thu, 18 Apr 2019 10:49:28 -0700
Mason Schmitt via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I hope someone has seen this before and knows what's going on.  Given
> the time delay between the problem recurring, I'm guessing the issue
> lies with Kerberos, but I'm not sure how to verify that or how to
> resolve the issue. If you need more info, please let me know.
> 
> Problem:
> Each morning, windows users are not able to access their mapped
> drives. Once they reboot their computers, they are fine for another
> day.
> 
> smb.conf on file server
> ----------------------------------
> 
> [global]
> kerberos method = system keytab
> workgroup = REALM
> security = ads
> realm = REALM.EXAMPLE.COM
Provided that 'REALM' is really 'DOMAIN' (a single word, 15
characters
or less, without a dot), the only thing I would do is to remove the
'kerberos method' line

Rowland

Hi Rowland,
> I hope someone has seen this before and knows what's going on.  Given
> > the time delay between the problem recurring, I'm guessing the
issue
> > lies with Kerberos, but I'm not sure how to verify that or how to
> > resolve the issue. If you need more info, please let me know.
> >
> > Problem:
> > Each morning, windows users are not able to access their mapped
> > drives. Once they reboot their computers, they are fine for another
> > day.
> >
>
> > smb.conf on file server
> > ----------------------------------
> >
> > [global]
> > kerberos method = system keytab
> > workgroup = REALM
> > security = ads
> > realm = REALM.EXAMPLE.COM
>
> Provided that 'REALM' is really 'DOMAIN' (a single word, 15
characters
> or less, without a dot)

Yes, REALM is actually a 4 letter word (but not "that kind" of 4
letter
word...).


> , the only thing I would do is to remove the
> 'kerberos method' line
>
I'll try removing that and see what happens.


--
Mason