Denis Morejon
2021-Mar-22 20:46 UTC
[Samba] Linux workstations lose relationship with domain
We have 4.7.4 because we installed it about 4 years ago. Then, a year later, I tried to update to 4.8, compiling over the 4.7.4 version and using samba-tool dbcheck --fix. But as a result I lost some objects and a lot of workstations lost their relationship with the domain. So I had to go back (using a previous snapshot) because there were many computers. So we postponed this action and it took us a LONG time. But we want to know if it happens because we need a stronger db backend like mysql or postgresql to store all these objects, instead of having the db in a file (like it is by default). We do not know if we just need one DC and not two, in order to avoid data synchronization, or simply update to the latest samba using the way you advised. Are 500 PC members and their users too much for a simple samba domain?

Here is the DC1 smb.conf:

# Global parameters
[global]
        netbios name = DC1
        realm = DTCF.ETECSA.CU
        server role = active directory domain controller
        workgroup = DTCF
        idmap_ldb:use rfc2307 = yes
        ldap server require strong auth = No
        ntlm auth = yes
        dns forwarder = 192.168.91.16 192.168.91.4
        log level = 1 auth_audit:3
        log file = /var/log/samba/samba.log

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/dtcf.etecsa.cu/scripts
        read only = No
        #acl_xattr:ignore system acls = yes

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        #acl_xattr:ignore system acls = yes

Here is a file server smb.conf:

[global]
   netbios name = filespace
   workgroup = DTCF
   security = ADS
   realm = DTCF.ETECSA.CU
   encrypt passwords = yes

   #idmap config *:backend = rid
   idmap config *:range = 100000-200000

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   log level = 1
   log file = /var/log/samba/samba.log

[rcompartidos]
   comment = Recursos Compartidos de Usuarios
   path = /home/samba/shares/rcompartidos
   browseable = Yes
   read only = No
   force create mode = 0660
   force directory mode = 0660
   vfs objects = acl_xattr full_audit
   full_audit:prefix = %u|%I|%S
   full_audit:facility = local7
   #full_audit:success = mkdir rename unlink rmdir pwrite open
   full_audit:success = mkdir rename unlink rmdir pwrite
   full_audit:failure = none
   full_audit:priority = NOTICE

On 22/3/21 at 14:22, Rowland penny via samba wrote:
> On 22/03/2021 17:41, Denis Morejon via samba wrote:
>> Hi:
>>
>> I have two domain controllers, dc1 and dc2, both with Debian 10
>> and samba 4.7.4 installed from source.
>
> Got to ask why 4.7.4 ? Debian 10 comes with 4.9.5
>
>> And working fine since a long time. Since a month ago, sometimes a
>> group of Linux workstations lost the domain's computer account and we
>> had to re-join it. This has been happening every two weeks. I don't
>> know what the error is. samba-tool dbcheck returns some warning:
>>
>> root@dc2:~# samba-tool dbcheck
>> Checking 7283 objects
>> NOTE: old (due to rename or delete) DN string component for
>> lastKnownParent in object CN=SRVFACT-HP LaserJet 1200
>> 0016448924\0ADEL:ff58fad6-9740-46a2-9387-13ae3adc7e0c,CN=Deleted
>> Objects,DC=dtcf,DC=etecsa,DC=cu -
>> <GUID=6c10d77d-fedc-4931-a01b-28d4a5e2484f>;<SID=S-1-5-21-1294415360-3796152602-1730644256-3104>;CN=SRVFACT,OU=Servers,DC=dtcf,DC=etecsa,DC=cu
>> Not fixing old string component
>
> They are deleted objects.
>
> I would suggest you update Samba on the DCs (probably best to do this
> by adding new DCs and demoting the old ones after). You can find the
> latest Samba here: https://apt.van-belle.nl/
>
> Can you post your smb.conf files, one from a DC and another from one
> of the Unix domain members.
>
> Rowland
Rowland penny
2021-Mar-22 22:03 UTC
[Samba] Linux workstations lose relationship with domain
On 22/03/2021 20:46, Denis Morejon via samba wrote:
> We have 4.7.4 because we installed it about 4 years ago. Then, a year
> later, I tried to update to 4.8, compiling over the 4.7.4 version and
> using samba-tool dbcheck --fix. But as a result I lost some objects and
> a lot of workstations lost their relationship with the domain. So I
> had to go back (using a previous snapshot) because there were many
> computers. So we postponed this action and it took us a LONG time.

I think that would have been because you are either using sssd on the clients or your clients' smb.conf files are borked. You should have also joined a new DC to the domain using the new version of Samba.

> But we want to know if it happens because we need a stronger db
> backend like mysql or postgresql to store all these objects, instead of
> having the db in a file (like it is by default).

You cannot use anything but the builtin ldap; it is as strong (if not stronger) as mysql etc.

> We do not know if we just need one DC and not two, in order to avoid
> data synchronization, or simply update to the latest samba using the way
> you advised.

Multiple DCs are always better than one.

> Are 500 PC members and their users too much for a simple samba domain?

That is a small domain, there are much bigger ones.

> Here is a file server smb.conf:
>
> [global]
>
>    netbios name = filespace
>    workgroup = DTCF
>    security = ADS
>    realm = DTCF.ETECSA.CU
>    encrypt passwords = yes
>
>    #idmap config *:backend = rid
>    idmap config *:range = 100000-200000

If you are not using sssd (and you cannot if using a version of Samba >= 4.8.0) then you need more 'idmap config' lines.

>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    log level = 1
>    log file = /var/log/samba/samba.log
>
> [rcompartidos]
>    comment = Recursos Compartidos de Usuarios
>    path = /home/samba/shares/rcompartidos
>    browseable = Yes
>    read only = No
>    force create mode = 0660
>    force directory mode = 0660
>    vfs objects = acl_xattr full_audit
>    full_audit:prefix = %u|%I|%S
>    full_audit:facility = local7
>    #full_audit:success = mkdir rename unlink rmdir pwrite open
>    full_audit:success = mkdir rename unlink rmdir pwrite
>    full_audit:failure = none
>    full_audit:priority = NOTICE

You would be better setting the share permissions from Windows rather than using the 'force' lines.

Your version of Samba is extremely old, I would suggest you upgrade as soon as possible.

Rowland
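As an added illustration of Rowland's point about the missing 'idmap config' lines (this is not a config posted in the thread), here is the [global] idmap section a winbind-based Unix domain member such as "filespace" needs: the posted lines are kept commented next to the corrected set. The DTCF domain name is taken from the thread; the backend choice and the ranges are assumptions to adapt, with the one hard rule that ranges must never overlap.

```ini
[global]
   netbios name = filespace
   workgroup = DTCF
   security = ADS
   realm = DTCF.ETECSA.CU

   # As posted: a range for '*' only and no backend for the DTCF domain,
   # so winbind has no rule for allocating DTCF users' uids/gids and
   # different member servers can end up with different IDs per user.
   #idmap config *:backend = rid
   #idmap config *:range = 100000-200000

   # Corrected: the '*' (default) domain covers BUILTIN and any unknown
   # domain with an allocating tdb backend in its own small range ...
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # ... and the DTCF domain gets a deterministic rid backend, so every
   # member server derives the same uid/gid from an account's RID
   # (ID = range low + RID, e.g. RID 3104 -> uid 13104) with no mapping
   # database to keep in sync between servers. Assumed range.
   idmap config DTCF : backend = rid
   idmap config DTCF : range = 10000-999999

   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
```

Run testparm -s after the change and check the result with wbinfo -i <user>; the uid it reports should then be identical on every member server.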