samba - Oct 2020 - Home folder permissions disappear sometimes

Hi everyone, I'm running a domain-joined fileserver with Samba 4.9.5 and 
SSSD on Debian 10.

My DC is also running Samba 4.9.5 on Debian 10. I have recently joined 
it to an older domain with a DC that wasn't feeling well (Zentyal with 
much older Samba). Everything was working great for a while after I've 
moved the FSMO roles and demoted the old DC. I don't seem to have any 
issues whatsoever with the domain itself. However, my good old 
domain-joined file server has started feeling less well:

* Users sporadically lose access to their home folders. They can still 
access other shared folders with the correct permissions.

* Running `ls -la` on /home takes a VERY long time. Sometimes over 10 
minutes.

* SSH-ing into the file server as a domain user is also very slow and 
can take up to a minute, but works 90% of the time.

* If samba-ad-dc (on the DC) or the DC itself are restarted, I will have 
to rejoin the domain on the file server. Otherwise the shared folders 
stop working for everyone after a while.

With that said, if I re-join the domain and restart smbd and sssd then 
after a while it works fine. I can't find anything of value in the logs, 
and I'm also not sure what I would be looking for as it mostly seems it 
is the the communication to the DC that is very slow.

This is my smb.conf on the file server:

[global]

workgroup = COMPANY
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = INTERNAL.COMPANY.COM
security = ADS
interfaces = enp0s25
bind interfaces only = yes

log file = /var/log/samba/smb.log
log level = 1

idmap config * : backend = tdb
idmap config * : range = 3000-7999
vfs objects = shadow_copy2
shadow: snapdir = .zfs/snapshot
shadow: sort = desc
shadow: format = zfs-auto-snap_%S-%Y-%m-%d-%H%M
shadow:localtime = yes
template shell = /bin/bash
template homedir = /home/%U

 ??? winbind use default domain = yes
 ??? winbind expand groups = 4
 ??? winbind nss info = rfc2307
 ??? winbind refresh tickets = Yes
 ??? winbind offline logon = yes
 ??? winbind normalize names = Yes

 ??? idmap config COMPANY: backend = ad
 ??? idmap config COMPANY: range = 10000-999999999
 ??? idmap config COMPANY: ldap_server = ad
 ??? idmap config COMPANY: schema_mode = rfc2307
 ??? idmap config COMPANY: unix_nss_info = yes

[Shared]
 ??????? path = /storage/shared
 ??????? browseable = Yes
 ??????? writeable = yes
 ??????? create mask = 0660
 ??????? directory mask = 0775
 ??????? veto files = /Thumbs.db/.DS_Store/
 ??????? delete veto files = yes
 ??????? inherit owner = yes

[homes]
 ?? path = /home/%U
 ?? browseable = no
 ?? read only = no
 ?? inherit acls = Yes


And here's my smb.conf on the DC:

[global]
 ??????? netbios name = DC2
 ??????? realm = INTERNAL.COMPANY.COM
 ??????? server role = active directory domain controller
 ??????? server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbindd, ntp_signd, kcc, dnsupdate
 ??????? workgroup = BLUETEST
 ??????? idmap_ldb:use rfc2307? = yes
 ??????? template shell = /bin/bash
 ??????? template homedir = /home/%U
 ??????? ldap server require strong auth = no

 ??? tls enabled? = yes
 ??? tls keyfile? = /etc/ssl/private/dc2.pem
 ??? tls certfile = /etc/ssl/certs/dc2.pem
 ??????? ldap debug level = 3

 ??????? ntlm auth = mschapv2-and-ntlmv2-only
 ??????? log level = 3 auth:5 winbind:5

[netlogon]
 ??????? path = /var/lib/samba/sysvol/internal.company.com/scripts
 ??????? read only = No

[sysvol]
 ??????? path = /var/lib/samba/sysvol
 ??????? read only = No


Is something wrongly configured here? What should I be looking for in 
the logs?

I hope I didn't forget any important config here. Please let me know 
otherwise!

And thank you in advance.

Oleg

On 15/10/2020 12:27, Oleg Blyahher via samba wrote:
> Hi everyone, I'm running a domain-joined fileserver with Samba 4.9.5 
> and SSSD on Debian 10.
First the good news, you can find much newer versions of Samba here: 
http://apt.van-belle.nl/

Now the bad news, you cannot use sssd with Samba >= 4.8.0

Before 4.8.0, smbd could contact AD directly, this was removed and from 
Samba 4.8.0, with 'security = ADS', you must install and run winbind. 
sssd uses its own version of winbind libs so it cannot be used with 
winbind, it also doesn't do NTLM.

The use of sssd with Samba is no longer supported, not even by red-hat 
who produces sssd.

Rowland

On 15/10/2020 14:36, Oleg Blyahher wrote:
> Thanks for the quick response.
>
> Would the following be a reasonable way of solving this on a backup 
> server? I'm guessing the smb.conf-file is ok and doesn't need 
> modification?
>
> 1. Take a backup
Oh yes, never do anything without a backup
>
> 2. Remove SSSD from the file server
Yes
>
> 3. Upgrade Samba on the DC
Yes
>
>
> 4.? Upgrade Samba on the file server.
Yes
>
>
> 5. Set winbind up on the file server according to the instructions 
> here: 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member ?
I would (obviously) prefer you to use my set up
>
> ??? or perhaps here? 
> https://www.server-world.info/en/note?os=Debian_10&p=samba&f=3
But seeing as that is based on what I wrote on the Samba wiki, you could 
use either.

There is a big gotcha coming here, you are going to get different ID 
numbers what ever you do. sssd creates the ID's using the complete SID 
and the winbind 'rid' backend calculates them using the low Domain range
from smb.conf and the RID.

Rowland

Ok, I see. Does the gotcha mean that users will receive new UIDs/GIDs 
and that I will have to chown files/folders and set new ACLs, or will 
those bits "just work"?

Oleg

On 2020-10-15 16:21, Rowland penny via samba wrote:
> On 15/10/2020 14:36, Oleg Blyahher wrote:
>> Thanks for the quick response.
>>
>> Would the following be a reasonable way of solving this on a backup 
>> server? I'm guessing the smb.conf-file is ok and doesn't need 
>> modification?
>>
>> 1. Take a backup
> Oh yes, never do anything without a backup
>>
>> 2. Remove SSSD from the file server
> Yes
>>
>> 3. Upgrade Samba on the DC
> Yes
>>
>>
>> 4.? Upgrade Samba on the file server.
> Yes
>>
>>
>> 5. Set winbind up on the file server according to the instructions 
>> here: 
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member ?
> I would (obviously) prefer you to use my set up
>>
>> ??? or perhaps here? 
>> https://www.server-world.info/en/note?os=Debian_10&p=samba&f=3
> But seeing as that is based on what I wrote on the Samba wiki, you 
> could use either.
>
> There is a big gotcha coming here, you are going to get different ID 
> numbers what ever you do. sssd creates the ID's using the complete SID 
> and the winbind 'rid' backend calculates them using the low Domain 
> range from smb.conf and the RID.
>
> Rowland
>
>
>