Mason Schmitt
2019-Apr-25 03:29 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
> At this point I'm starting to get in over my head and could use some
> direction. This looks like a Windows 10 client bug, but given that I can't
> see the full SMB conversation (due to encryption) I'm not certain whether
> the samba server is replying in the way the client expects. Can you or
> someone else help me either find a work around or a resolution? Because
> the Windows 7 clients (SMB2 not SMB3) don't exhibit this behaviour, I'm
> thinking that forcing all clients to downgrade to SMB2 would probably work
> around the issue. Can you confirm this? If not, I can just try it and see
> what happens.

I added "server max protocol = SMB2" to my smb.conf file. After restarting smbd, I tried to connect using a windows 10 client and was denied (error message on the client and server says that a parameter is incorrect). I rebooted the PC and tried again. No go... So apparently it's not possible to force W10 to downgrade to SMB2?

I'm really hoping someone is able to give me something to go on here, because now I'm really stuck....
L.P.H. van Belle
2019-Apr-25 07:20 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
Forgot to mention, are you sure your time sync over AD is working correctly? One to add to your list: check times of server and clients (* yes again, if needed, just to be sure).

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 25 April 2019 9:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows clients require reboot once a
> day in order to access mapped drives
>
> Hai,
>
> If I may suggest..
>
> AD-DC, fine, no changes needed.
> File server smb.conf, I made some changes, see below.
>
> I changed the keytab and kerberos method because you're
> thinking that is related to the problem.
> And I changed some settings below, which are moved from
> Global setting to Share setting.
>
> 3 settings were defined as (S), as in, it's a "share" setting,
> so put it in the share definition.
> Now I suggest, play with these 2:
> access based share enum = yes
> smb encrypt = desired
>
> Other option, try: acl_xattr:ignore system acls = yes
> in place of acl_xattr:default acl style = windows
>
> Try as shown with the config below, then turn the smb encrypt
> off, try again.
> Then the other, try again. You know the drill. ;-) Test the
> 3 changed share settings.
>
> Stop and start samba after changing these settings (no restart).
> Just to make sure everything is loaded as it should.
>
> (the file server's) adjusted smb.conf
>
> [global]
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> workgroup = REALM
> security = ads
> realm = REALM.EXAMPLE.COM
>
> # Logging
> log file = /var/log/samba/%m.log
> log level = 3
>
> idmap config REALM : range = 2000000-2999999
> idmap config REALM : backend = rid
> idmap config * : range = 10000-999999
> idmap config * : backend = tdb
>
> winbind use default domain = no
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind enum groups = no
> winbind enum users = no
>
> username map = /etc/samba/user.map
> bind interfaces only = yes
> interfaces = lo eth0
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> #disable netbios = yes
> # just disable the start up of nmbd.
>
> template shell = /bin/false
> template homedir = /srv/samba/Users/%U
>
> [Users]
> acl_xattr:default acl style = windows
> access based share enum = yes
> smb encrypt = desired
> path = /srv/samba/Users
> comment = Share for user home dirs
> guest ok = no
> read only = no
>
> [Shared]
> acl_xattr:default acl style = windows
> access based share enum = yes
> smb encrypt = desired
> path = /srv/samba/Shared
> guest ok = no
> read only = no
>
> Greetz Louis
Mason Schmitt
2019-Apr-25 17:34 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
> Forgot to mention, are you sure your time sync over AD is working correctly?
> One to add to your list: check times of server and clients (* yes again,
> if needed, just to be sure).

Yes, I have double-checked that time is correctly being synced.

FYI, Rowland, the process outlined in the wiki for using chronyd does not work on Ubuntu 18.04 (my AD DC is on Ubuntu, but my file server is CentOS). I can only successfully sync windows clients with ntpd running on the DC. Also, if using apparmor, the default apparmor rules don't work. Here's what I had to do to get windows clients to successfully sync with my Ubuntu DC.

# Install ntp (if chrony is installed, this will disable and mask chrony in systemd)
apt install ntp

# First comment out the default NTP ACLs
sed -i 's/^restrict -/#restrict -/g' /etc/ntp.conf

# Then add some samba specific settings to /etc/ntp.conf
cat << EOF >> /etc/ntp.conf

# Use AD for authenticating Windows NTP clients
ntpsigndsocket /var/lib/samba/ntp_signd

# Access control
# Default restriction: Allow clients to only query the time
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# We're running in a VM, so we need to protect ntpd from waking up
# in a panic, in a situation where a VM has been shutdown for an
# extended period of time
tinker panic 0
EOF

# There is a bug in Ubuntu's apparmor config for ntp, so this fixes it
sed -i /ntp_signd/c'\ /var/lib/samba/ntp_signd/socket rw,' /etc/apparmor.d/usr.sbin.ntpd
apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd

# Set the necessary permissions on the ntp signed socket
chmod 750 /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd

systemctl enable ntp.service
systemctl restart ntp.service

# Test to make sure NTP is working
ntpq -p

--
Mason
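
An added example, not part of the post above or of the Samba wiki: a small audit that checks an ntp.conf for the directives the procedure appends (the signing socket, and `mssntp` plus the query-only flags on every default `restrict` line). The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): audit an ntp.conf for the settings the
# post appends. Function names and the sample config are constructed.

# Active directives only: strip comments, normalise whitespace, drop blanks.
active_lines() {
    sed -e 's/#.*//' "$1" | tr -s '\t' ' ' | sed -e 's/^ //' -e 's/ $//' | grep -v '^$'
}

# check_ntp_conf FILE: prints one line per finding; returns 0 only if clean.
check_ntp_conf() {
    rc=0
    # ntpd needs the socket path to hand replies to Samba for signing.
    active_lines "$1" | grep -q '^ntpsigndsocket /' ||
        { echo "FAIL: no active ntpsigndsocket directive"; rc=1; }
    # Default ACLs: mssntp allows signed replies; the rest keep clients query-only.
    defaults=$(active_lines "$1" | grep -E '^restrict (-[46] )?default( |$)' || true)
    [ -n "$defaults" ] || { echo "FAIL: no active default restrict line"; rc=1; }
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        for flag in mssntp nomodify noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "FAIL: '$line' lacks $flag"; rc=1 ;;
            esac
        done
    done <<EOF
$defaults
EOF
    return $rc
}

# Constructed sample: a commented-out stock ACL plus the lines the post appends.
sample_conf() {
    cat <<'EOF'
#restrict -4 default kod notrap nomodify nopeer noquery limited
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
tinker panic 0
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_ntp_conf "$tmp" && echo "OK: $tmp matches the post's ntpd setup"
rm -f "$tmp"
```

On a DC, point `check_ntp_conf` at `/etc/ntp.conf` after editing and before restarting ntpd.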