Mason Schmitt
2019-Apr-30 17:41 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
Hi Viktor,

> I didn't go through all the conversations and I'm not sure if this will
> be of any help, I just wanted to inform that I've been using mapped
> drives with Windows 10 for ages and never had the problems you
> described. I also never added or changed the "smb encrypt" option. My
> Samba file server (AD member) was set up pretty much the way as is
> described in the official Wiki and it just works. I can confirm this for
> several versions from Samba 4.2.x to 4.9.x. And I never changed anything
> in the Windows 10 registry either.

Would you be willing to share your config files? I'd be curious to see what's different between yours and mine.

Probably having the smb.conf and krb5.conf files from both a samba DC and file server would be helpful.

--
Mason
Viktor Trojanovic
2019-May-01 09:24 UTC
Hi Mason,

On 30.04.2019 19:41, Mason Schmitt wrote:
> Would you be willing to share your config files? I'd be curious to see
> what's different between yours and mine.
>
> Probably having the smb.conf and krb5.conf files from both a samba DC
> and file server would be helpful.

Sure, here you go:

For the DC:

/etc/samba/smb.conf
--------------------

[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
netbios name = DC1
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
interfaces = eth0
bind interfaces only = Yes

[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
write ok = Yes
acl_xattr:ignore system acls = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No
write ok = Yes
acl_xattr:ignore system acls = yes

/etc/krb5.conf
--------------

default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

For the domain member (krb5.conf same as on DC)

/etc/samba/smb.conf
-------------------

[global]
netbios name = FILESERVER
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

username map = /etc/samba/samba_usermap

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
idmap config SAMDOM:unix_nss_info = yes

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[exampleshare]
path = /srv/samba/exampleshare
comment = "Example Data"
writeable = yes

These particular files are on Samba 4.9.4, clients are Win10.

Just fyi, I have a second installation where I'm not using keytabs on the member and it works just as well.

Viktor
L.P.H. van Belle
2019-May-01 09:30 UTC
Hi Viktor,

Do note,
> winbind enum users = yes
> winbind enum groups = yes

Set these to
winbind enum users = no
winbind enum groups = no

It's only slowing down your server and if you need the outputs, use:
getent passwd username

Greetz,

Louis
Viktor Trojanovic
2019-May-01 09:33 UTC
Hi Louis,

Note taken, thank you! I guess I put those in in order to troubleshoot some issues I had in the very beginning and forgot to take them out later.

Viktor
Rowland Penny
2019-May-01 09:50 UTC
On Wed, 1 May 2019 11:24:18 +0200
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> For the DC:
>
> /etc/samba/smb.conf
> --------------------
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
> write ok = Yes

Why have both? 'write ok' is a synonym for writeable, which is an inverted synonym for 'read only', so what you really have is:

read only = No
read only = No

> For the domain member (krb5.conf same as on DC)
>
> /etc/samba/smb.conf
> -------------------
> [global]
> winbind enum users = yes
> winbind enum groups = yes

You shouldn't really have the two lines above, they could slow your computer down and they don't really do anything.

Rowland
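Added example, not part of the thread and not Samba's own tooling: a small Python check that applies the two review points raised above to an smb.conf, folding the inverted synonyms of 'read only' and flagging enabled 'winbind enum' options. The function names `normalise` and `lint` are hypothetical, and the sample text is constructed from the fragments quoted in the thread.

```python
import re

# Constructed sample: fragments of the configs quoted in the thread.
SAMPLE = """\
[global]
winbind enum users = yes
winbind enum groups = yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
write ok = Yes
"""

TRUE = {"yes", "true", "on", "1"}
FALSE = {"no", "false", "off", "0"}
# smb.conf inverted synonyms of "read only"
INVERTED_READ_ONLY = {"writeable", "writable", "write ok"}
ENUM_PARAMS = {"winbind enum users", "winbind enum groups"}

def normalise(name, value):
    """Lower-case the name, collapse spaces, and fold inverted synonyms."""
    name = re.sub(r"\s+", " ", name.strip().lower())
    val = value.strip().lower()
    if name in INVERTED_READ_ONLY and val in TRUE | FALSE:
        return "read only", "no" if val in TRUE else "yes"
    return name, val

def lint(text):
    """Return (line number, section, message) for each finding."""
    findings, section, seen = [], None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # new section: start tracking its parameters afresh
            section, seen = m.group(1).strip().lower(), {}
            continue
        if "=" not in line:
            continue
        name, value = normalise(*line.split("=", 1))
        if name in seen:
            kind = "redundant" if seen[name] == value else "conflicting"
            findings.append((lineno, section, f"{kind} '{name}'"))
        seen[name] = value
        if name in ENUM_PARAMS and value in TRUE:
            findings.append((lineno, section, f"'{name}' enabled"))
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE))
```

On a live system, `testparm -s` prints the configuration as Samba itself parsed it.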
Mason Schmitt
2019-May-02 04:08 UTC
>> Would you be willing to share your config files? I'd be curious to see
>> what's different between yours and mine.
>
> Sure, here you go:

Thanks for sharing Viktor! While I do make some comments below, they're not intended as a criticism of your setup. I'm just trying to relate what you're doing to my setup.

> For the DC:
>
> /etc/krb5.conf
> --------------
>
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true

The last line above is different than mine. However, I think I remember reading that it's not considered good security practice to use DNS to look up the location of the KDC. As this entry is on the KDC itself, my guess is that it's not a concern.

> For the domain member (krb5.conf same as on DC)

Same comment as above, but given it's on a member server, the security issue is perhaps more serious?

> /etc/samba/smb.conf
> -------------------
> [global]
>
> netbios name = FILESERVER
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> username map = /etc/samba/samba_usermap
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
> idmap config SAMDOM:unix_nss_info = yes

I'm using the RID backend instead of AD. I doubt this would make a difference, but who knows at this point.

> winbind use default domain = yes

My config says 'no' here. Apparently 'no' is the recommended setting. Again, no idea if this would result in the problems I've been seeing.

> These particular files are on Samba 4.9.4, clients are Win10.

When you run 'smbstatus' on your file server, do you show Win10 clients connecting at SMB3_11 with encryption enabled?

I'm also curious about how your clients use the shares. Do you use mapped drives? If you do use mapped drives, do you create them using group policy? Do your clients stay powered on and logged in for days on end? Does your security policy lock workstations after a period of inactivity?

I can't say whether any of the questions above would change the behaviour I'm seeing, but they all relate to the idea of long running persistent sessions, which is where the problem seems to lie. Since you're not experiencing the issue I'm seeing, I'm wondering whether we can identify anything else in our respective environments that might provide a clue.

Thanks again for chiming in and sharing your configs and your experience.

--
Mason