basti
2020-Jan-10 09:01 UTC
[Samba] samba domain member strange behavior lost users and shares
Hello,
my samba domain member file server does some strange things.

First of all Version 4.9.5-Debian and smb.conf is this:

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM

    log file = /var/log/samba/%m.log
    log level = 1

    winbind refresh tickets = Yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    idmap config * : backend = tdb
    idmap config * : range = 1000-1005
    # idmap config for the SAMDOM domain
    # alf has uid 1007
    # yes i know its not the best
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 1006-999999
    idmap config SAMDOM:unix_nss_info = yes

    # fix dfs error's in log ?
    host msdfs = no

    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 10000
    panic action = /usr/share/samba/panic-action %d

    vfs object = recycle
    recycle:repository = /home/samba/Papierkorb/%U
    recycle:keeptree = yes
    recycle:exclude = *.tmp *.temp *.swp
    recycle:exclude_dir = /tmp /temp
    recycle:touch = yes

    admin users = root, Administrator, @Domain Admins, admin

[... shares]

Sometimes (multiple times a week) users can't login. wbinfo -u does not show any user. Restarting winbind sometimes solves this, but not in all cases. Then a "net ads join" is needed.

Today there is another problem. A user can't connect to a share via login script (system error 1240). Looking around on Google and/or the mailing list, it indicates some "encrypted passwords = no" problem. But the man page says: Default: encrypt passwords = yes

The samba log shows errors like:
reject request to share [Transfer] as 'SAMDOM\user' without encryption or signing. Disconnecting.

I also looked at the man page and the settings in my smb.conf seem to be ok.

That is not the only user / client pc that has problems with this samba server. Other samba servers with the same global config do not have these problems. I have also tried to reinstall samba (delete all tdb and ldb files) and rejoin, without success. At the moment I have no idea how to fix it or find the problem.

Best regards,

p.s. klist shows only expired tickets, on all member servers? Should that be updated if winbind refresh tickets = Yes is set?
L.P.H. van Belle
2020-Jan-10 09:11 UTC
[Samba] samba domain member strange behavior lost users and shares
Hai,

Few things to look at.

> idmap config * : range = 1000-1005
> idmap config SAMDOM:range = 1006-999999
> # alf has uid 1007

First of all, you should not use UIDs that are within the server (local users) range.
If you install Debian and you created 1 user (if you did that, I don't know, but if..), then you have an overlap of UID 1000.
If user "Alf" has UID 1007 it's overlapping within the DOMAIN range.

The ID * range is too small.

This is/should not be needed in smb.conf:
    admin users = .....
Note, I'm not saying this is wrong, I don't know how you manage your servers..

And last, I'm missing:
    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping
*(content: !root = SAMDOM\Administrator SAMDOM\administrator)

Besides the above, your config looks ok.
If users can't log on again, I suggest verifying the time on the AD-DC and the member also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of basti via samba
> Sent: Friday 10 January 2020 10:02
> To: samba at lists.samba.org
> Subject: [Samba] samba domain member strange behavior lost users and shares
>
> Hello,
> my samba domain member file server does some strange things.
Rowland penny
2020-Jan-10 09:30 UTC
[Samba] samba domain member strange behavior lost users and shares
On 10/01/2020 09:01, basti via samba wrote:
> Hello,
> my samba domain member file server does some strange things.
>
> First of all Version 4.9.5-Debian and smb.conf is this:
>
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.EXAMPLE.COM
>
>     log file = /var/log/samba/%m.log
>     log level = 1
>
>     winbind refresh tickets = Yes
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     winbind use default domain = yes
>
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-1005

OK, just how are you going to get circa (at least) 200 users and groups into 6 IDs ?

>     # idmap config for the SAMDOM domain
>     # alf has uid 1007
>     # yes i know its not the best

Then change it, or change the range for the '*' domain

Rowland
basti
2020-Jan-10 11:09 UTC
[Samba] samba domain member strange behavior lost users and shares
On 10.01.20 10:30, Rowland penny via samba wrote:
> On 10/01/2020 09:01, basti via samba wrote:
>> Hello,
>> my samba domain member file server does some strange things.
>>
>> First of all Version 4.9.5-Debian and smb.conf is this:
>>
>> [global]
>>     workgroup = SAMDOM
>>     security = ADS
>>     realm = SAMDOM.EXAMPLE.COM
>>
>>     log file = /var/log/samba/%m.log
>>     log level = 1
>>
>>     winbind refresh tickets = Yes
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>>     winbind use default domain = yes
>>
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 1000-1005
> OK, just how are you going to get circa (at least) 200 users and groups
> into 6 IDs ?
>>     # idmap config for the SAMDOM domain
>>     # alf has uid 1007
>>     # yes i know its not the best
> Then change it, or change the range for the '*' domain
>
> Rowland

alf is an old domain user, not needed anymore. So I have changed the range to

    idmap config * : range = 1000-2000
    idmap config SAMDOM:range = 2001-999999

But I do not think that this is the problem, the config before worked for a long time.
Perhaps something is wrong with kerberos / keytab?
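The three idmap problems raised in this thread (a '*' range too small for the IDs Samba has to allocate, idmap ranges overlapping each other, and a range overlapping the UIDs of local Debian users) can be checked before winbind is restarted. This is an added example, not code from the thread or from Samba; the smb.conf snippets are the two range sets posted above, the passwd excerpt is constructed, and the 200-ID floor for the '*' range is an assumption taken from Rowland's estimate.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the idmap lines from the original smb.conf in this thread.
SMB_CONF_ORIG = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-1005
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:range = 1006-999999
"""
# Constructed sample: the ranges after the change in the last message.
SMB_CONF_FIXED = SMB_CONF_ORIG.replace("1000-1005", "1000-2000").replace("1006-999999", "2001-999999")
# Constructed /etc/passwd excerpt: a Debian host with the one user created at install time.
PASSWD = "root:x:0:0:root:/root:/bin/bash\ndebian:x:1000:1000:,,,:/home/debian:/bin/bash\n"

RANGE_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config <dom>:range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_uids(passwd: str) -> List[int]:
    """UIDs of local accounts, parsed from passwd-format text."""
    return [int(f[2]) for f in (l.split(":") for l in passwd.splitlines()) if len(f) >= 7]

def check_idmap(conf: str, passwd: str, min_default_ids: int = 200) -> List[str]:
    """Flag the problems discussed in the thread. min_default_ids is an assumed
    floor for the '*' domain, taken from Rowland's 'at least 200' estimate."""
    ranges = parse_idmap_ranges(conf)
    findings: List[str] = []
    if "*" in ranges:
        low, high = ranges["*"]
        if high - low + 1 < min_default_ids:
            findings.append(f"'*' range {low}-{high} has only {high - low + 1} IDs")
    doms = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (l1, h1)), (d2, (l2, h2)) in zip(doms, doms[1:]):
        if l2 <= h1:  # sorted by low end, so overlap means the next range starts inside this one
            findings.append(f"ranges for {d1} ({l1}-{h1}) and {d2} ({l2}-{h2}) overlap")
    for uid in local_uids(passwd):  # Louis's point: local users must not sit inside any idmap range
        for dom, (low, high) in ranges.items():
            if low <= uid <= high:
                findings.append(f"local uid {uid} lies inside the {dom} range {low}-{high}")
    return findings

if __name__ == "__main__":
    print(check_idmap(SMB_CONF_ORIG, PASSWD), check_idmap(SMB_CONF_FIXED, PASSWD))
```

On a real member server, feed it the output of `testparm -s` and the contents of `/etc/passwd`; the changed ranges from the last message still report the local uid 1000 sitting inside the '*' range.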