Rowland Penny
2021-Mar-22 22:03 UTC
[Samba] Linux workstations lose relationship with domain
On 22/03/2021 20:46, Denis Morejon via samba wrote:
> We have 4.7.4 because we installed it about 4 years ago. Then, a year
> later, I tried to update to 4.8 compiling over the 4.7.4 version and
> using samba-tool dbcheck --fix. But as a result I lost some objects and
> a lot of workstations lost their relationship with the domain. So I
> had to go back (using a previous snapshot) because there were many
> computers. So we postponed this action and it took us a LONG time.

I think that would have been because you are either using sssd on the clients or your clients' smb.conf files are borked. You should have also joined a new DC to the domain using the new version of Samba.

> But we want to know if it happens because we need a stronger db
> backend like mysql or postgresql to store all these objects, instead of
> having the db in a file (like it is as default).

You cannot use anything but the builtin ldap, it is as strong (if not stronger) as mysql etc.

> We do not know if we just need one dc and not two, in order to avoid
> data synchronization, or simply update to the last samba using the way
> you advised.

Multiple DCs are always better than one.

> 500 pc members and their users are too much for a simple samba domain?

That is a small domain, there are much bigger ones.

> Here a file server smb.conf:
>
> [global]
>
>    netbios name = filespace
>    workgroup = DTCF
>    security = ADS
>    realm = DTCF.ETECSA.CU
>    encrypt passwords = yes
>
>    #idmap config *:backend = rid
>    idmap config *:range = 100000-200000

If you are not using sssd (and you cannot if using a version of Samba >= 4.8.0) then you need more 'idmap config' lines.

>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>    log level = 1
>    log file = /var/log/samba/samba.log
>
> [rcompartidos]
>   comment = Recursos Compartidos de Usuarios
>   path = /home/samba/shares/rcompartidos
>   browseable = Yes
>   read only = No
>   force create mode = 0660
>   force directory mode = 0660
>   vfs objects = acl_xattr full_audit
>   full_audit:prefix = %u|%I|%S
>   full_audit:facility = local7
>   #full_audit:success = mkdir rename unlink rmdir pwrite open
>   full_audit:success = mkdir rename unlink rmdir pwrite
>   full_audit:failure = none
>   full_audit:priority = NOTICE

You would be better setting the share permissions from Windows rather than using the 'force' lines.

Your version of Samba is extremely old, I would suggest you upgrade as soon as possible.

Rowland
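The 'idmap config' point in the reply above, as an added example that is not part of the original thread or of Samba itself: a small checker that parses the [global] section of the quoted file server smb.conf and reports which per-domain idmap lines are absent, plus any overlap with the default range. The rid backend and the DTCF range in CORRECTED are assumed values chosen for illustration, and the function names are hypothetical.

```python
import re

# Constructed from the [global] section of the file server smb.conf quoted above.
ORIGINAL = """\
[global]
   workgroup = DTCF
   security = ADS
   realm = DTCF.ETECSA.CU
   #idmap config *:backend = rid
   idmap config *:range = 100000-200000
"""
# Assumed correction: the rid backend and the DTCF range are illustrative values.
CORRECTED = ORIGINAL + """\
   idmap config * : backend = tdb
   idmap config DTCF : backend = rid
   idmap config DTCF : range = 200001-999999
"""

def parse_global(text):
    """Return [global] parameters keyed by lower-cased, space-stripped name."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def idmap_findings(text):
    """List idmap problems for a domain member (security = ADS)."""
    p = parse_global(text)
    dom = p.get("workgroup", "")
    if p.get("security", "").lower() != "ads" or not dom:
        return []
    prefix = "idmapconfig" + dom.lower() + ":"
    found = [f"no 'idmap config {dom} : {k}' line"
             for k in ("backend", "range") if prefix + k not in p]
    ranges = [p.get("idmapconfig*:range"), p.get(prefix + "range")]
    if all(ranges):
        (a_lo, a_hi), (b_lo, b_hi) = (
            tuple(int(n) for n in r.split("-")) for r in ranges)
        if a_lo <= b_hi and b_lo <= a_hi:        # ID ranges must not overlap
            found.append(f"range for {dom} overlaps the default '*' range")
    return found

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, idmap_findings(conf) or "ok")
```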
Denis Morejon
2021-Mar-23 14:47 UTC
[Samba] Linux workstations lose relationship with domain
Thank you Rowland!

I have another clue for my problem (the loss of domain relationship). The problem began just after the change of time in my country on Sunday. I changed the time manually on both domain servers (they use ntp for the clients to sync with them) and after that, on Monday, some linux workstations lost the relationship. But you know what? None of my Windows 10 workstations lost the domain relationship!

We use pbis on Ubuntu 18.04 and Linux Mint 20 workstations to connect to the domain. I suspect that the change of time was the cause. But even changing the time on those linux workstations first (for some reason ntp didn't work, but this is not the point right now), they didn't connect to the domain! And it was necessary to join again manually (one by one!).

This is the smb.conf of a workstation that lost the domain relationship:

[global]
   server string = %h server (Samba, Ubuntu)
;   wins server = w.x.y.z
   dns proxy = no
;   interfaces = 127.0.0.0/8 eth0
;   bind interfaces only = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
;   logon path = \\%N\profiles\%U
;   logon drive = H:
;   logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
;   include = /home/samba/etc/smb.conf.%m
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash
;   usershare max shares = 100
   usershare allow guests = yes

;[homes]
;   comment = Home Directories
;   browseable = no
;   read only = yes
;   create mask = 0700
;   directory mask = 0700
;   valid users = %S

;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
;   write list = root, @lpadmin