basti
2020-Jan-10 11:09 UTC
[Samba] samba domain member strange behavior lost users and shares
On 10.01.20 10:30, Rowland penny via samba wrote:
> On 10/01/2020 09:01, basti via samba wrote:
>> Hello,
>> my samba domain member file server does some strange things.
>>
>> First of all Version 4.9.5-Debian and smb.conf is this:
>>
>> [global]
>>     workgroup = SAMDOM
>>     security = ADS
>>     realm = SAMDOM.EXAMPLE.COM
>>
>>     log file = /var/log/samba/%m.log
>>     log level = 1
>>
>>     winbind refresh tickets = Yes
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>>     winbind use default domain = yes
>>
>>     load printers = no
>>     printing = bsd
>>     printcap name = /dev/null
>>     disable spoolss = yes
>>
>>     idmap config * : backend = tdb
>>     idmap config * : range = 1000-1005
> OK, just how are you going to get circa (at least) 200 users and groups
> into 6 IDs ?
>>     # idmap config for the SAMDOM domain
>>     # alf has uid 1007
>>     # yes i know its not the best
> Then change it, or change the range for the '*' domain
>
> Rowland

alf is an old domain user, not needed anymore. So I have changed the range to

idmap config * : range = 1000-2000
idmap config SAMDOM:range = 2001-999999

But I do not think that this is the problem, the config before worked for a long time.

Perhaps something is wrong with kerberos / keytab?
Rowland penny
2020-Jan-10 11:37 UTC
[Samba] samba domain member strange behavior lost users and shares
On 10/01/2020 11:09, basti via samba wrote:
> alf is an old domain user, not needed anymore. So I have changed the
> range to
>
> idmap config * : range = 1000-2000
> idmap config SAMDOM:range = 2001-999999

As you are using the winbind 'ad' backend, you have probably just cut off any users between 1006-1999 and if the gidNumber for 'Domain Users' is inside '1006-1999', you will now ignore all your users.

> But I do not think that this is the problem, the config before worked for
> a long time.
>
> Perhaps something is wrong with kerberos / keytab?

Possibly, but the idea behind 'winbind refresh tickets = yes' is that when a user connects and their ticket has expired, it is refreshed.

I take it this domain was classicupgraded from an NT4-style domain.

Rowland
basti
2020-Jan-10 12:29 UTC
[Samba] samba domain member strange behavior lost users and shares
On 10.01.20 12:37, Rowland penny via samba wrote:
> On 10/01/2020 11:09, basti via samba wrote:
>> alf is an old domain user, not needed anymore. So I have changed the
>> range to
>>
>>   idmap config * : range = 1000-2000
>>   idmap config SAMDOM:range = 2001-999999
> As you are using the winbind 'ad' backend, you have probably just cut
> off any users between 1006-1999 and if the gidNumber for 'Domain Users'
> is inside '1006-1999', you will now ignore all your users.
>>
>> But I do not think that this is the problem, the config before worked for
>> a long time.
>>
>> Perhaps something is wrong with kerberos / keytab?
>
> Possibly, but the idea behind 'winbind refresh tickets = yes' is that
> when a user connects and their ticket has expired, it is refreshed.
>
> I take it this domain was classicupgraded from an NT4-style domain.
>
> Rowland

I don't have any domain users between 1006-1999 anymore. Yes, the domain was classicupgraded from an NT4-style domain.

Is there a way to list user tickets? klist -k /etc/krb5.keytab only shows the domain member tickets.
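Rowland's point about the changed ranges can be checked mechanically before restarting winbind. The following is an added example, not code from the thread or from Samba: it parses the "idmap config ... : range" lines, flags overlapping ranges, and lists AD objects whose uidNumber/gidNumber falls outside the SAMDOM range, which the 'ad' backend then ignores. The "backend = ad" line for SAMDOM and every id except alf's 1007 are assumed values.

```python
import re
from typing import Dict, List, Tuple

# idmap lines as posted after basti's change, plus an assumed
# 'backend = ad' line for SAMDOM (Rowland states the 'ad' backend is in use).
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 1000-2000
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM:range = 2001-999999
"""

# Constructed sample of AD objects with RFC2307 ids. Only 'alf' = 1007 comes
# from the thread; the other names and numbers are hypothetical.
AD_OBJECTS: List[Tuple[str, str, int]] = [
    ("alf", "uidNumber", 1007),
    ("Domain Users", "gidNumber", 1500),
    ("bob", "uidNumber", 2005),
]

# Domain name may be '*' and may be glued to the colon, as in "SAMDOM:range".
RANGE_RE = re.compile(r"idmap config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def overlapping_ranges(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ranges overlap; winbind needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def ignored_objects(ranges: Dict[str, Tuple[int, int]], domain: str,
                    objects: List[Tuple[str, str, int]]) -> List[str]:
    """Names whose AD id lies outside the domain's range. With the 'ad'
    backend winbind drops such users and groups, which is the failure
    Rowland describes when 'Domain Users' falls outside the range."""
    low, high = ranges[domain]
    return [name for name, _attr, rid in objects if not low <= rid <= high]


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("ranges:", ranges)
    print("overlaps:", overlapping_ranges(ranges))
    print("ignored by winbind:", ignored_objects(ranges, "SAMDOM", AD_OBJECTS))
```

Run against a real export of uidNumber/gidNumber values from the DC, an empty "ignored" list tells you the range change itself is not what removed the users and shares.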