Hi everyone, I'm running a domain-joined fileserver with Samba 4.9.5 and
SSSD on Debian 10.
My DC is also running Samba 4.9.5 on Debian 10. I have recently joined
it to an older domain with a DC that wasn't feeling well (Zentyal with
much older Samba). Everything was working great for a while after I
moved the FSMO roles and demoted the old DC. I don't seem to have any
issues whatsoever with the domain itself. However, my good old
domain-joined file server has started feeling less well:
* Users sporadically lose access to their home folders. They can still
access other shared folders with the correct permissions.
* Running `ls -la` on /home takes a VERY long time. Sometimes over 10
minutes.
* SSH-ing into the file server as a domain user is also very slow and
can take up to a minute, but works 90% of the time.
* If samba-ad-dc (on the DC) or the DC itself are restarted, I will have
to rejoin the domain on the file server. Otherwise the shared folders
stop working for everyone after a while.
With that said, if I re-join the domain and restart smbd and sssd then
after a while it works fine. I can't find anything of value in the logs,
and I'm also not sure what I would be looking for as it mostly seems it
is the communication to the DC that is very slow.
This is my smb.conf on the file server:
[global]
    workgroup = COMPANY
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    realm = INTERNAL.COMPANY.COM
    security = ADS
    interfaces = enp0s25
    bind interfaces only = yes
    log file = /var/log/samba/smb.log
    log level = 1
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    vfs objects = shadow_copy2
    shadow: snapdir = .zfs/snapshot
    shadow: sort = desc
    shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
    shadow:localtime = yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes
    idmap config COMPANY: backend = ad
    idmap config COMPANY: range = 10000-999999999
    idmap config COMPANY: ldap_server = ad
    idmap config COMPANY: schema_mode = rfc2307
    idmap config COMPANY: unix_nss_info = yes
[Shared]
    path = /storage/shared
    browseable = Yes
    writeable = yes
    create mask = 0660
    directory mask = 0775
    veto files = /Thumbs.db/.DS_Store/
    delete veto files = yes
    inherit owner = yes
[homes]
    path = /home/%U
    browseable = no
    read only = no
    inherit acls = Yes
And here's my smb.conf on the DC:
[global]
    netbios name = DC2
    realm = INTERNAL.COMPANY.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = BLUETEST
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
    ldap server require strong auth = no
    tls enabled = yes
    tls keyfile = /etc/ssl/private/dc2.pem
    tls certfile = /etc/ssl/certs/dc2.pem
    ldap debug level = 3
    ntlm auth = mschapv2-and-ntlmv2-only
    log level = 3 auth:5 winbind:5
[netlogon]
    path = /var/lib/samba/sysvol/internal.company.com/scripts
    read only = No
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
Is something wrongly configured here? What should I be looking for in
the logs?
I hope I didn't forget any important config here. Please let me know
otherwise!
And thank you in advance.
Oleg
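As an added example (not code from the poster or from the Samba project), the following script parses two smb.conf fragments and cross-checks them the way a reviewer would when a member server and a DC are compared side by side: workgroup and realm agreement, an idmap range for the joined domain, overlapping idmap ranges, and the DC's `ldap server require strong auth` setting. The two configs embedded below are constructed copies of the relevant lines posted above; the parser covers only the `key = value` subset used there, not every form Samba's own parser accepts. Run against the posted values it reports the `workgroup = COMPANY` versus `workgroup = BLUETEST` difference and the weakened LDAP bind policy on the DC.

```python
"""Cross-check a Samba member server smb.conf against the DC's smb.conf."""
import re

# Constructed sample inputs, copied from the configs quoted in the post above.
FILESERVER_CONF = """
[global]
    workgroup = COMPANY
    realm = INTERNAL.COMPANY.COM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config COMPANY: backend = ad
    idmap config COMPANY: range = 10000-999999999
[homes]
    path = /home/%U
"""

DC_CONF = """
[global]
    netbios name = DC2
    realm = INTERNAL.COMPANY.COM
    server role = active directory domain controller
    workgroup = BLUETEST
    ldap server require strong auth = no
    log level = 3 auth:5 winbind:5
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    normalised so 'idmap config COMPANY : range' and
    'idmap config COMPANY: range' compare equal."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        key = re.sub(r"\s*:\s*", ":", key)
        sections[current][key] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Collect 'idmap config DOMAIN:range' entries as {domain: (low, high)}."""
    ranges = {}
    for key, value in global_section.items():
        m = re.match(r"^idmap config (.+):range$", key)
        if m:
            low, high = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges[m.group(1)] = (low, high)
    return ranges


def check_member_against_dc(member_conf, dc_conf):
    """Return a list of human-readable findings (empty list means consistent)."""
    findings = []
    mg = parse_smb_conf(member_conf).get("global", {})
    dg = parse_smb_conf(dc_conf).get("global", {})

    m_wg, d_wg = mg.get("workgroup", ""), dg.get("workgroup", "")
    if m_wg.upper() != d_wg.upper():
        findings.append("workgroup mismatch: member=%s dc=%s" % (m_wg, d_wg))
    if mg.get("realm", "").upper() != dg.get("realm", "").upper():
        findings.append("realm mismatch: member=%s dc=%s"
                        % (mg.get("realm"), dg.get("realm")))

    ranges = idmap_ranges(mg)
    if m_wg and m_wg.lower() not in ranges:
        findings.append("no idmap range configured for domain %s" % m_wg)
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (dom_a, (lo_a, hi_a)), (dom_b, (lo_b, hi_b)) in zip(ordered, ordered[1:]):
        if lo_b <= hi_a:
            findings.append("idmap ranges overlap: %s %d-%d and %s %d-%d"
                            % (dom_a, lo_a, hi_a, dom_b, lo_b, hi_b))

    # Samba defaults this to "yes"; "no" lets clients do simple binds without
    # TLS or signing, so credentials can cross the wire unprotected.
    if dg.get("ldap server require strong auth", "yes").lower() == "no":
        findings.append("DC sets 'ldap server require strong auth = no'; "
                        "unprotected simple LDAP binds are accepted")
    return findings


if __name__ == "__main__":
    for finding in check_member_against_dc(FILESERVER_CONF, DC_CONF):
        print("FINDING:", finding)
```

The checks are deliberately read-only and local: nothing here talks to the DC, so the script can be run on a copy of both files before touching the live servers. Remaining slowness after the configs agree is usually confirmed with `testparm`, `net ads testjoin`, and `wbinfo -t` on the member, which the post's own hints about slow DC communication already point toward.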