Hello,
we have a Samba AD (AD Server: 4.9.5 / Fileserver: 4.10.11).
On the fileserver, sometimes the users are lost: wbinfo -u does not show
any AD user. After restarting winbind it works as expected.
Another strange thing is that the Kerberos ticket is not updated.
smb.conf on the fileserver:
security = ADS
workgroup = FOO
realm = FOO.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 3
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config FOO:backend = ad
idmap config FOO:schema_mode = rfc2307
idmap config FOO:range = 1006-999999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
template shell = /bin/bash
template homedir = /home/users/%U
host msdfs = no
# fix connection lost ?
client min protocol = SMB2
client max protocol = SMB2
# master for domain
local master = yes
os level = 255
preferred master = yes
/etc/krb5.conf
[libdefaults]
default_realm = FOO.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
On 16.12.19 09:16, basti via samba wrote:
> Hello,
>
> we have a Samba AD (AD Server: 4.9.5 / Fileserver: 4.10.11).
>
> On the fileserver, sometimes the users are lost: wbinfo -u does not show
> any AD user. After restarting winbind it works as expected.
>
> Another strange thing is that the Kerberos ticket is not updated.
>

OK, the Kerberos ticket problem seems to be solved (https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting). I hope that helps for wbinfo too.

Best regards
On 16/12/2019 08:16, basti via samba wrote:
> Hello,
>
> we have a Samba AD (AD Server: 4.9.5 / Fileserver: 4.10.11).
>
> On the fileserver, sometimes the users are lost: wbinfo -u does not show
> any AD user. After restarting winbind it works as expected.
>
> Another strange thing is that the Kerberos ticket is not updated.
>
> smb.conf on the fileserver:
>
> security = ADS
> workgroup = FOO
> realm = FOO.EXAMPLE.COM
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> idmap config * : backend = tdb
> idmap config * : range = 1000-1005

Interesting, how do you get around 200 users and groups into 5? I also take it that you do not have any local users and groups.

> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 1006-999999

Have you added uidNumber & gidNumber attributes to AD? They are not added automatically.

> winbind enum users = yes
> winbind enum groups = yes

You do not need the winbind enum lines.

> winbind use default domain = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> host msdfs = no
>
> # fix connection lost ?
> client min protocol = SMB2
> client max protocol = SMB2
>
> # master for domain
> local master = yes
> os level = 255
> preferred master = yes

Those are for an NT4-style domain, so you should remove them.

To stop the tickets expiring, add:

winbind refresh tickets = yes

Rowland
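The points raised in the reply above (the tiny `*` idmap range, the unneeded enum lines, the NT4 master settings, the missing `winbind refresh tickets`) can be checked mechanically before a member server is put into service. The following smb.conf linter is an added example written for this thread, not code from the list or from the Samba project; the sample config is constructed from the lines quoted above, and the 200-ID floor for the `*` range is an assumption taken from the reply's rough figure.

```python
import re
# Constructed sample: the idmap/winbind lines from the fileserver smb.conf quoted in this thread.
SAMPLE_SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000-1005
idmap config FOO:backend = ad
idmap config FOO:range = 1006-999999
winbind enum users = yes
local master = yes
os level = 255
preferred master = yes
"""
IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)
NT4_MASTER = ("local master", "os level", "preferred master")
MIN_DEFAULT_IDS = 200  # assumed floor for the '*' range; the reply cites roughly 200 IDs landing there

def parse_smb_conf(text):
    """Split global lines into plain parameters and per-domain idmap options (keys lower-cased)."""
    params, idmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:  # smb.conf comments start the line
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom.upper(), {})[opt.lower()] = val.strip()
        else:
            key, val = (s.strip() for s in line.split("=", 1))
            params[" ".join(key.lower().split())] = val.lower()
    return params, idmap

def lint(params, idmap):
    """Return (code, detail) findings for the points raised in the thread."""
    findings, spans, end = [], {}, -1
    for dom, opts in idmap.items():
        lo, hi = (int(x) for x in opts.get("range", "0-0").split("-"))
        spans[dom] = (lo, hi)
        if dom == "*" and hi - lo + 1 < MIN_DEFAULT_IDS:
            findings.append(("default-range-small", f"'*' range holds only {hi - lo + 1} IDs"))
    for dom in sorted(spans, key=spans.get):  # sweep by start; a start <= running max end overlaps
        if spans[dom][0] <= end:
            findings.append(("range-overlap", f"{dom} range {spans[dom]} overlaps an earlier range"))
        end = max(end, spans[dom][1])
    if any(params.get(f"winbind enum {k}") == "yes" for k in ("users", "groups")):
        findings.append(("enum-unneeded", "winbind enum users/groups are not needed"))
    if any(k in params for k in NT4_MASTER):
        findings.append(("nt4-master", "local master/os level/preferred master are NT4-domain settings"))
    if params.get("winbind refresh tickets") != "yes":
        findings.append(("no-refresh-tickets", "add 'winbind refresh tickets = yes' so tickets get renewed"))
    return findings
```

Run `lint(*parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a member server; an empty list means none of the thread's four issues is present.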