Hi Jason,

I was following this thread with interest, but it seems to have died a silent death.

We might be seeing something similar on our samba domain member servers.

We run (automatic) nightly reboots of our DCs, one reboots at 02:00, one at 03:00 and the third at 04:00.

On our main (winbind) fileserver we often (but not always) see that at one of the above times, for a few minutes, the AD groups are gone.

(I run a script on the member server that verifies the existence of our AD groups using "getent group")

We know that at DC-reboot time, the two other DCs are up and running, so the reboots should really be little (or even: no) impact on the member servers.

I was hoping for continued dialogue in this ticket.

Curious if everybody here can actually reboot their DCs (or stop samba on them) without any consequence on their domain member servers?

We have three DCs, no problems between them, they have recently been examined by sernet with basically no remarks. The DCs run 4.12.8 sernet, and the domain member server is still on 4.10.18. (yes, we will upgrade that soon)

And, Jason:

On 12/8/20 10:09 PM, Jason Keltz via samba wrote:
> I don't think this can be just my system. I suspect there's a lot of
> users out there running multiple DCs with a similar setup to me,
> believing that it's all working, and maybe, because there hasn't been a
> failure, everything works great, but who knows what will happen when
> there's actually a failure.

I think we agree with you there. :-)

Curious to the experience of others...

MJ

On 28/12/2020 11:35, mj via samba wrote:
> Hi Jason,
>
> I was following this thread with interest, but it seems to have died a
> silent death.
>
> We might be seeing something similar on our samba domain member servers.
>
> We run (automatic) nightly reboots of our DCs, one reboots at 02:00,
> one at 03:00 and the third at 04:00.

Why do you reboot your DCs every night?

>
> On our main (winbind) fileserver we often (but not always) see that at
> one of the above times, for a few minutes, the AD groups are gone.

That shouldn't happen.

>
> (I run a script on the member server that verifies the existence of
> our AD groups using "getent group")

But then again 'getent group' (without a specific group) shouldn't work because you shouldn't have the 'winbind enum' lines in a production Unix domain member smb.conf

>
> We know that at DC-reboot time, the two other DCs are up and running,
> so the reboots should really be little (or even: no) impact on the
> member servers.

I agree with that, a DC going down shouldn't affect the Unix domain member.

>
> I was hoping for continued dialogue in this ticket.
>
> Curious if everybody here can actually reboot their DCs (or stop samba
> on them) without any consequence on their domain member servers?

Yes, I can.

>
> We have three DCs, no problems between them, they have recently been
> examined by sernet with basically no remarks. The DCs run 4.12.8
> sernet, and the domain member server is still on 4.10.18. (yes, we
> will upgrade that soon)

Well if Sernet cannot find anything wrong (unless they only gave them a cursory glance), then there shouldn't be anything wrong, quite a few of the Samba team work there ?

Rowland
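
An added example, not part of either message above: a member-server check that resolves each group by name, so it does not rely on the 'winbind enum' settings, and records the `wbinfo --ping-dc` result next to every miss so an outage can be matched against the DC reboot times. The group names in the usage comment and the two override variables are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves each named group on its own,
# so it works without "winbind enum groups" in the member's smb.conf.

# Assumption: both commands can be overridden, which lets the logic run offline.
LOOKUP="${LOOKUP:-getent group}"          # exits non-zero when the key is not found
DC_PROBE="${DC_PROBE:-wbinfo --ping-dc}"  # reports the DC winbind is talking to

# check_groups NAME...
# Prints one timestamped line per unresolved group, tagged with the DC probe
# output, and returns 1 if any group failed to resolve (0 otherwise).
check_groups() {
    rc=0
    for g in "$@"; do
        if ! $LOOKUP "$g" >/dev/null 2>&1; then
            # Capture the probe result at the moment of failure.
            dc=$($DC_PROBE 2>&1 | tr '\n' ' ')
            printf '%s MISSING group=%s dc_probe=%s\n' \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$g" "$dc"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed usage (group names are placeholders):
#   ./check-ad-groups.sh 'SAMDOM\domain users' 'SAMDOM\staff' >> /var/log/ad-groups.log
if [ "$#" -gt 0 ]; then
    check_groups "$@"
fi
```

Run from cron every minute across the 02:00 to 04:00 window, the log shows whether lookups fail only while the probed DC is the one being rebooted.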