Lorenzo Milesi
2020-May-16 15:52 UTC
[Samba] Intermittent permission denied when accessing share
I'm having a weird situation with a freshly installed Samba v4.12.1 compiled
from source. This is a single server with DC and fileserver, I followed all the
guidelines for doing things correctly in this specific situation and I hope I
haven't missed anything.
The server works correctly as expected, I'm managing all the permissions
from Windows.
Unfortunately users occasionally experience problems accessing some shares
they used to access. This has happened three times, so far only to two different shares.
When the event occurs all computers in the domain are unable to access the share,
and I'm able to restore functionality by just restarting
samba-ad-dc.service. I tried "reload-config" but it won't work. After
restarting the service everything is back to normal. The first time this
happened I had to restart again within 4h, then it didn't happen again for
days.
The last occurrence was reported to me today; I tried accessing the
"RESPONSABILI" share a few minutes after 16:00 from PC 10.0.0.197
(myuser at CM-WM-W7) and access was prohibited. I restarted around 16:06 and
access was restored.
As this had happened before, I raised the log level to 8 and I now have debug logs.
One note: I read in the logs several NT_STATUS_NO_SUCH_USER errors from the
above client. Before this Samba server we had a Samba4 installation in workgroup
mode; these auths seem to be mapped to the OLD workgroup name, and I suspect
these are from Windows' background services trying to authenticate to the
old server.
Thanks
** smb.conf
# Global parameters
[global]
netbios name = FILESERVER
realm = WDC.MYDOMAIN.IT
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
workgroup = WDC
netbios aliases = server3
idmap_ldb:use rfc2307 = yes
template homedir = /home/%U
hide unreadable = yes
# temporary requirements for 2 xp clients
server min protocol = NT1
client min protocol = NT1
log level = 8
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
browseable = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/wdc.mydomain.it/scripts
read only = No
browseable = No
[homes]
path = /home/CONDIVISI/personali
include = /usr/local/samba/etc/cestino.conf
read only = No
[RESPONSABILI]
path = /home/CONDIVISI/RESPONSABILI
read only = No
include = /usr/local/samba/etc/cestino.conf
** cestino.conf:
vfs objects = dfs_samba4 acl_xattr recycle
recycle:repository = .cestino/%U
recycle:keeptree = yes
recycle:touch = yes
recycle:versions= yes
recycle:exclude = *.tmp *.bak ~$*
recycle:exclude_dir = /tmp /temp /cache
recycle:noversions = *.doc *.xls *.ppt
recycle:directory_mode = 770
recycle:touch_mtime = yes
LOG FILES: as I couldn't find the policy for this ML I didn't dare to post
4MB of files in a single message, so they're available on the two
links below. If it's not a problem I'll paste them into a new mail in this
thread.
https://cloud.ufficyo.com/nc/s/XaSG8GGDFwgPpHf
https://cloud.ufficyo.com/nc/s/jbwFnDDJ7mQnPQM
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY -
Tel +39 0341 220 205 - Fax +39 178 6070 222
Think green - Non stampare questa e-mail se non necessario / Don't print
this email unless necessary
Confidentiality notice: this email message including any attachment is for the
sole use of the intended recipient and may contain confidential and privileged
information; pursuant to Legislative Decree 196/2003 and the European General
Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended recipient
please delete this message without copying, printing or forwarding it to others,
and alert us as soon as possible.
Thank you.
Rowland penny
2020-May-17 08:23 UTC
[Samba] Intermittent permission denied when accessing share
On 16/05/2020 16:52, Lorenzo Milesi via samba wrote:
> I'm having a weird situation with a freshly installed Samba v4.12.1 compiled
> from source. This is a single server with DC and fileserver, I followed all the
> guidelines for doing things correctly in this specific situation and I hope I
> haven't missed anything.

You missed that using a DC as a fileserver isn't recommended.

> One note: I read in the logs several NT_STATUS_NO_SUCH_USER errors from the
> above client. Before this Samba server we had a Samba4 installation in workgroup
> mode, these auths seems to be mapped to the OLD workgroup name, and I suspect
> these are from Windows' background services trying to authenticate to the
> old server.

From reading the samba log, it looks like Samba logons are not working, but
ldap connections are.

> ** smb.conf
> # Global parameters
> [global]
> netbios name = FILESERVER
> realm = WDC.MYDOMAIN.IT
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = WDC
> netbios aliases = server3

Do not use 'netbios aliases' on a DC, use a dns CNAME instead.

> idmap_ldb:use rfc2307 = yes
> template homedir = /home/%U
> hide unreadable = yes
> # temporary requirements for 2 xp clients
> server min protocol = NT1
> client min protocol = NT1

No, make your XP machines use NTLMv2 instead, better still get rid of them if
you can.

> [homes]
> path = /home/CONDIVISI/personali

No, you do not use 'path =' with '[homes]', change '[homes]' to '[home]'

> LOG FILES: as I couldn't find the policy for this ML I didn't dare posting
> 4MB of files in a single message, so they're available on the two links
> below. If it's not a problem I'll paste them to a new mail in this thread.
> https://cloud.ufficyo.com/nc/s/XaSG8GGDFwgPpHf
> https://cloud.ufficyo.com/nc/s/jbwFnDDJ7mQnPQM

That is the correct way to do it, if you had attached them, the mailing list
would have removed them. If you had posted them in the body of the email, your
post would have been rejected for being too large.

You say that you ran a workgroup, did your clients leave the workgroup before
joining the domain ?

Rowland
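The three configuration points raised in the reply above (netbios aliases on a DC, SMB1 still allowed via NT1 minimum protocols, and a 'path =' under [homes]) can be checked mechanically before the config goes live. The script below is an added example, not code from this thread or from the Samba project; it runs on a sample config constructed from the posted smb.conf (not the original file) and does not follow 'include =' lines.

```python
import re

# Constructed from the smb.conf posted in the thread; trimmed to the
# settings the reply comments on.
SAMPLE_SMB_CONF = """\
[global]
netbios name = FILESERVER
server role = active directory domain controller
netbios aliases = server3
server min protocol = NT1
client min protocol = NT1
[homes]
path = /home/CONDIVISI/personali
read only = No
"""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
AD_DC_ROLES = {"active directory domain controller", "dc"}

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}} with lowercased keys.
    '#'/';' comments are skipped; 'include =' files are not followed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and section is not None:
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(conf):
    """Return the findings discussed in the thread as strings (empty if clean)."""
    g = conf.get("global", {})
    findings = []
    if g.get("server role", "").lower() in AD_DC_ROLES and "netbios aliases" in g:
        findings.append("netbios aliases set on an AD DC; use a DNS CNAME instead")
    for key in ("server min protocol", "client min protocol"):
        if g.get(key, "").lower() in SMB1_DIALECTS:
            findings.append(f"{key} = {g[key]} still permits SMB1")
    if "path" in conf.get("homes", {}):
        findings.append("'path =' under [homes]; the thread's advice is to use [home]")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
```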
Lorenzo Milesi
2020-May-18 13:42 UTC
[Samba] Intermittent permission denied when accessing share
> You missed that using a DC as a fileserver isn't recommended.

It was between the lines of "I followed all the guidelines for doing things
correctly in this specific situation" :)

> From reading the samba log, it looks like Samba logons are not working,
> but ldap connections are.

This means Win clients are logging in via LDAP? Can this be related to the
inaccessible shares problem?

>> [homes]
>> path = /home/CONDIVISI/personali
> No, you do not use 'path =' with '[homes]', change '[homes]' to '[home]'

How will it work then? I cannot find a documentation page on the wiki about
[home]. thanks

> You say that you ran a workgroup, did your clients leave the workgroup
> before joining the domain ?

I was mistaken, it was a NT4 domain. But yes we moved the clients from the old
to the new domain using Forensit Migration Tool.

While doing other maintenance I found the krb5-kdc system service being in
error. Trying to start it throws:

Cannot open DB2 database '/etc/krb5kdc/principal': No such file or directory - while initializing database for realm WDC.MYDOMAIN.IT

Is this a problem? During installation I don't recall any reference to this
service, and /etc/krb5.conf doesn't mention this path.

thanks
--
Lorenzo Milesi - lorenzo.milesi at yetopen.it