samba - Dec 2019 - Connection dropping every 24 hours from Windows Client.

Hello

 

I have a problem with my Windows 10 drive connections dropping every 24
hours, very briefly.  It's enough to cause me to be unable to save my file,
or access a geodatabase.  I have followed much trouble shooting and I
believe that its due to the KDC Service ticket lifetime expiring, I have it
set for 24 hours in smb.conf.  

 

I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the
shares are running  4.7.6 and connected to the DC by Winbindd.  I notice
that when my 24 hours is up, smbstatus will show that I have a new PID.  The
files are unfortunately still being held open by the old PID and are no
longer accessible (I think.).

 

Here is the global part of my DC smb.conf

[global]

        workgroup = MYNET

        realm = mynet.mynet.com

        netbios name = MY_DC

        server role = active directory domain controller

        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate

        idmap_ldb:use rfc2307 = yes

        kdc:service ticket lifetime = 24

        kdc:user ticket lifetime = 360

        kdc:renewal lifetime = 1800

        dsdb:schema update allowed = true

        tls enabled  = yes

        tls keyfile  = tls/myKey.pem

        tls certfile = tls/myCert.pem

        tls cafile   
        wins support = yes

        ldap server require strong auth = no

 

And here is the global part of my file server smb.conf

workgroup = MYNET

client signing = yes

client use spnego = yes

kerberos method = secrets and keytab

realm = MYNET.MYNET.COM

security = ads

vfs object = acl_xattr

map acl inherit = yes

hide unreadable = yes

winbind refresh tickets = Yes

idmap config * : backend = tdb

idmap config *:range = 50000-1000000

                winbind use default domain = true

                winbind offline logon = false

                 winbind nss info = rfc2307

                 winbind enum users = yes

                winbind enum groups = yes

                store dos attributes = yes

 

When I used to host the shares on the same DC, I never had this trouble.
When I had kdc:service ticket lifetime = 10, then the connections dropped
every 10 hours.  Do I just keep upping that number to something useful and
hope I don't get hacked, or is there something else I am missing.  To me, it
sounds a lot like this problem,
https://lists.samba.org/archive/samba/2014-March/179555.html

 

Thanks

On 11/12/2019 00:46, Hans Rasmussen via samba wrote:
> Hello
>
>   
>
> I have a problem with my Windows 10 drive connections dropping every 24
> hours, very briefly.  It's enough to cause me to be unable to save my
file,
> or access a geodatabase.  I have followed much trouble shooting and I
> believe that its due to the KDC Service ticket lifetime expiring, I have it
> set for 24 hours in smb.conf.
>
>   
>
> I have a Samba 4.9 DC and an Ubuntu 18.04 member file server where the
> shares are running  4.7.6 and connected to the DC by Winbindd.  I notice
> that when my 24 hours is up, smbstatus will show that I have a new PID. 
The
> files are unfortunately still being held open by the old PID and are no
> longer accessible (I think.).
>
>   
>
> Here is the global part of my DC smb.conf
>
> [global]
>
>          workgroup = MYNET
>
>          realm = mynet.mynet.com
>
>          netbios name = MY_DC
>
>          server role = active directory domain controller
>
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
>
>          idmap_ldb:use rfc2307 = yes
>
>          kdc:service ticket lifetime = 24
>
>          kdc:user ticket lifetime = 360
>
>          kdc:renewal lifetime = 1800
>
>          dsdb:schema update allowed = true
>
>          tls enabled  = yes
>
>          tls keyfile  = tls/myKey.pem
>
>          tls certfile = tls/myCert.pem
>
>          tls cafile   >
>          wins support = yes
>
>          ldap server require strong auth = no
>
>   
>
> And here is the global part of my file server smb.conf
>
> workgroup = MYNET
>
> client signing = yes
>
> client use spnego = yes
>
> kerberos method = secrets and keytab
>
> realm = MYNET.MYNET.COM
>
> security = ads
>
> idmap config * : backend = tdb
> idmap config *:range = 50000-1000000
Hmm, where are the 'idmap config MYNET' lines ??

Or are you using sssd ?

Rowland

Am 11.12.19 um 01:46 schrieb Hans Rasmussen via samba:
> kdc:service ticket lifetime = 24
Your cifs-Service Ticket is invalide after 24 Hours an wil not be
renewed becyuse you don't have "winbind referesh tickets = yes"
set in
your smb.conf

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren und sch?tzt Ihre Privatsph?re.
Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html

On 11/12/2019 13:13, Stefan Kania via samba wrote:
> Am 11.12.19 um 01:46 schrieb Hans Rasmussen via samba:
>> kdc:service ticket lifetime = 24
> Your cifs-Service Ticket is invalide after 24 Hours an wil not be
> renewed becyuse you don't have "winbind referesh tickets =
yes" set in
> your smb.conf
Ah, but it is set on the Unix domain member and I think this is the one 
that throws its hand in after 24 hours and that smb.conf is not correct ;-)

Rowland