Rowland penny
2021-Mar-22 18:22 UTC
[Samba] Linux workstations lose relationship with domain
On 22/03/2021 17:41, Denis Morejon via samba wrote:
> Hi:
>
> I have two domain controllers, dc1 and dc2. Both have Debian 10
> and Samba 4.7.4 installed from source.

Got to ask why 4.7.4? Debian 10 comes with 4.9.5

> And working fine for a long time. Since a month ago, from time to time a
> group of Linux workstations lost the domain's computer account and we had to
> re-join it. This has been happening every two weeks. I don't know what
> the error is. samba-tool dbcheck returns some warnings:
>
> root@dc2:~# samba-tool dbcheck
> Checking 7283 objects
> NOTE: old (due to rename or delete) DN string component for
> lastKnownParent in object CN=SRVFACT-HP LaserJet 1200
> 0016448924\0ADEL:ff58fad6-9740-46a2-9387-13ae3adc7e0c,CN=Deleted
> Objects,DC=dtcf,DC=etecsa,DC=cu -
> <GUID=6c10d77d-fedc-4931-a01b-28d4a5e2484f>;<SID=S-1-5-21-1294415360-3796152602-1730644256-3104>;CN=SRVFACT,OU=Servers,DC=dtcf,DC=etecsa,DC=cu
> Not fixing old string component

they are deleted objects

I would suggest you update Samba on the DCs (probably best to do this by adding new DCs and demoting the old ones after). You can find the latest Samba here: https://apt.van-belle.nl/

Can you post your smb.conf files, one from a DC and another from one of the Unix domain members.

Rowland
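The observation that the dbcheck note concerns deleted objects can be checked mechanically when there are many such notes. The sketch below is an added example, not code from this thread or from Samba; it assumes the NOTE layout shown in the quoted output (unwrapped onto one line) and relies on two standard Active Directory tombstone markers, the `\0ADEL:<GUID>` suffix on the first RDN and the `CN=Deleted Objects` parent container. The second NOTE in the sample is made up for contrast.

```python
import re

# Constructed sample: the dbcheck lines quoted above, unwrapped onto one line,
# followed by one invented note about a live (non-deleted) object.
SAMPLE = r"""Checking 7283 objects
NOTE: old (due to rename or delete) DN string component for lastKnownParent in object CN=SRVFACT-HP LaserJet 1200 0016448924\0ADEL:ff58fad6-9740-46a2-9387-13ae3adc7e0c,CN=Deleted Objects,DC=dtcf,DC=etecsa,DC=cu - <GUID=6c10d77d-fedc-4931-a01b-28d4a5e2484f>;<SID=S-1-5-21-1294415360-3796152602-1730644256-3104>;CN=SRVFACT,OU=Servers,DC=dtcf,DC=etecsa,DC=cu
Not fixing old string component
NOTE: old (due to rename or delete) DN string component for manager in object CN=example-user,OU=Staff,DC=dtcf,DC=etecsa,DC=cu - <GUID=00000000-0000-0000-0000-000000000001>;CN=example-boss,OU=Staff,DC=dtcf,DC=etecsa,DC=cu
Not fixing old string component
"""

# "NOTE: ... for <attribute> in object <DN> - <GUID=..."
NOTE_RE = re.compile(
    r"^NOTE: .*? for (?P<attr>\S+) in object (?P<dn>.+?) - <GUID=", re.M)
# A tombstoned object's first RDN ends in an escaped newline plus "DEL:<GUID>".
TOMBSTONE_RDN = re.compile(r"\\0ADEL:[0-9a-fA-F-]{36}$")


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def triage(output):
    """Return (attribute, object DN, is_tombstone) for every NOTE line."""
    results = []
    for m in NOTE_RE.finditer(output):
        dn = m.group("dn")
        rdns = split_dn(dn)
        is_tombstone = (
            TOMBSTONE_RDN.search(rdns[0]) is not None
            and len(rdns) > 1
            and rdns[1].strip().lower() == "cn=deleted objects"
        )
        results.append((m.group("attr"), dn, is_tombstone))
    return results


if __name__ == "__main__":
    for attr, dn, dead in triage(SAMPLE):
        print("tombstone" if dead else "LIVE     ", attr, dn)
```

Notes classified as tombstones match the case described above; a note on a live object is the kind worth reading individually.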
Denis Morejon
2021-Mar-22 20:46 UTC
[Samba] Linux workstations lose relationship with domain
We have 4.7.4 because we installed it about 4 years ago. Then, a year later, I tried to update to 4.8 by compiling over the 4.7.4 version and using samba-tool dbcheck --fix. But as a result I lost some objects and a lot of workstations lost their relationship with the domain. So I had to go back (using a previous snapshot) because there were many computers. So we postponed this action and it took us a LONG time.

But we want to know if it happens because we need a stronger db backend like mysql or postgresql to store all these objects, instead of having the db in a file (as it is by default). We do not know if we just need one DC and not two, in order to avoid data synchronization, or simply update to the latest Samba using the way you advised.

Are 500 PC members and their users too much for a simple Samba domain?

Here is the DC1 smb.conf:

# Global parameters
[global]
        netbios name = DC1
        realm = DTCF.ETECSA.CU
        server role = active directory domain controller
        workgroup = DTCF
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
        ntlm auth = yes
        dns forwarder = 192.168.91.16 192.168.91.4
        log level = 1 auth_audit:3
        log file = /var/log/samba/samba.log

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/dtcf.etecsa.cu/scripts
        read only = No
        #acl_xattr:ignore system acls = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        #acl_xattr:ignore system acls = yes

Here is a file server smb.conf:

[global]
   netbios name = filespace
   workgroup = DTCF
   security = ADS
   realm = DTCF.ETECSA.CU
   encrypt passwords = yes
   #idmap config *:backend = rid
   idmap config *:range = 100000-200000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
   log level = 1
   log file = /var/log/samba/samba.log

[rcompartidos]
  comment = Recursos Compartidos de Usuarios
  path = /home/samba/shares/rcompartidos
  browseable = Yes
  read only = No
  force create mode = 0660
  force directory mode = 0660
  vfs objects = acl_xattr full_audit
  full_audit:prefix = %u|%I|%S
  full_audit:facility = local7
  #full_audit:success = mkdir rename unlink rmdir pwrite open
  full_audit:success = mkdir rename unlink rmdir pwrite
  full_audit:failure = none
  full_audit:priority = NOTICE

On 22/3/21 at 14:22, Rowland penny via samba wrote:
> On 22/03/2021 17:41, Denis Morejon via samba wrote:
>> Hi:
>>
>> I have two domain controllers, dc1 and dc2. Both have Debian 10
>> and Samba 4.7.4 installed from source.
>
> Got to ask why 4.7.4? Debian 10 comes with 4.9.5
>
>> And working fine for a long time. Since a month ago, from time to time a
>> group of Linux workstations lost the domain's computer account and we had
>> to re-join it. This has been happening every two weeks. I don't know
>> what the error is. samba-tool dbcheck returns some warnings:
>>
>> root@dc2:~# samba-tool dbcheck
>> Checking 7283 objects
>> NOTE: old (due to rename or delete) DN string component for
>> lastKnownParent in object CN=SRVFACT-HP LaserJet 1200
>> 0016448924\0ADEL:ff58fad6-9740-46a2-9387-13ae3adc7e0c,CN=Deleted
>> Objects,DC=dtcf,DC=etecsa,DC=cu -
>> <GUID=6c10d77d-fedc-4931-a01b-28d4a5e2484f>;<SID=S-1-5-21-1294415360-3796152602-1730644256-3104>;CN=SRVFACT,OU=Servers,DC=dtcf,DC=etecsa,DC=cu
>> Not fixing old string component
>
> they are deleted objects
>
> I would suggest you update Samba on the DCs (probably best to do this
> by adding new DCs and demoting the old ones after). You can find the
> latest Samba here: https://apt.van-belle.nl/
>
> Can you post your smb.conf files, one from a DC and another from one
> of the Unix domain members.
>
> Rowland
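Two settings in the DC1 smb.conf posted above relax authentication below Samba's shipped defaults: `ldap server require strong auth = No` and `ntlm auth = yes`. The check below is an added example, not code from this thread or from Samba, and not a diagnosis of the lost machine accounts; the function names and the findings table are assumptions of the example, and the input is the `[global]` section from the post.

```python
# Constructed input: the [global] section of the DC1 smb.conf posted above.
DC1_SMB_CONF = """\
# Global parameters
[global]
        netbios name = DC1
        realm = DTCF.ETECSA.CU
        server role = active directory domain controller
        workgroup = DTCF
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
        ntlm auth = yes
        dns forwarder = 192.168.91.16 192.168.91.4
        log level = 1 auth_audit:3
"""


def norm(name):
    """smb.conf section and parameter names ignore case and whitespace."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' is significant
            current[norm(key)] = value.strip()
    return sections


# Values that relax DC authentication below the documented defaults.
WEAKENED = {
    "ldapserverrequirestrongauth": ({"no", "false", "0"},
        "simple and unsigned SASL binds accepted on plain LDAP; default 'yes'"),
    "ntlmauth": ({"yes", "true", "1", "ntlmv1-permitted"},
        "NTLMv1 accepted; default 'ntlmv2-only'"),
}


def audit_global(text):
    """Return sorted (parameter, value, reason) findings for [global]."""
    params = parse_smb_conf(text).get("global", {})
    return sorted((k, params[k], why) for k, (bad, why) in WEAKENED.items()
                  if params.get(k, "").lower() in bad)
```

`audit_global(DC1_SMB_CONF)` reports both parameters; a `[global]` section that leaves them at their defaults returns an empty list.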