Hi Rowland,

thanks for your quick response.

Here is a member smb.conf:

# Global parameters
[global]
        workgroup = UPC-CT
        realm = UPC-CT.UPC.EDU
        netbios name = RADI
        netbios aliases = RADI.UPC.ES RADI.UPC.EDU
        security = ADS

        log level = 5
        username map = /var/lib/samba/user.map

        winbind enum users = yes
        winbind enum groups = yes
        winbind nss info = rfc2307
        winbind use default domain = Yes
        winbind refresh tickets = yes
        winbind offline logon = yes
        winbind cache time = 60

        idmap config * : backend = tdb
        idmap config * : range = 100-499
        idmap config UPC-CT:backend = ad
        idmap config UPC-CT:schema_mode = rfc2307
        idmap config UPC-CT:range = 500-999999
        idmap config UPC-CT:unix_nss_info = yes

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        interfaces = lo eth0
        bind interfaces only = yes

[users]
        path = /home/users/
        read only = no
        force create mode = 0600
        force directory mode = 0700
..........<here come shares>..............

Francesc Bassas Serramià
Serveis Informàtics Campus Terrassa
C/ Colom 2
08222 Terrassa (Barcelona)
Telèfon : 93.73.98630
https://serveis.terrassa.upc.edu/sict

On 31/3/2022 at 14:00, samba-request at lists.samba.org wrote:
> On Thu, 2022-03-31 at 11:56 +0200, Frank via samba wrote:
>> Hi there,
>>
>> we have a Samba 4 AD installation with one DC and two members.
>>
>> All of them are ubuntu 20.04 with samba 4.13
>>
>> The thing is when DC is rebooted, it seems members lose their membership,
>> and the only way to recover it is to reboot the member.
>>
>> In the wrong state, we get the following in members:
>>
>> # net ads testjoin
>> ads_connect: No logon servers are currently available to service the
>> logon request.
>> Join to doman is not valid: No logon servers are currently available
>> to
>> service the logon request.
>>
>> After member reboot, "testjoin" shows membership recovered:
>>
>> # net ads testjoin
>> Join is OK.
>>
>> We suspect it has to do with some winbind parameter.
> It may be, but as you haven't provided the smb.conf files you are
> using, saying which parameter, if any, would be a guess.
> Please post the smb.conf from the DC and a Unix domain member.
>
> Rowland
Patrick Goetz
2022-Mar-31 13:54 UTC
[Samba] Samba 4 AD member lose membership after DC reboot
On 3/31/22 07:29, Frank via samba wrote:
> Hi Rowland,
>
> thanks for your quick response.
>
> Here is a member smb.conf:
>
> # Global parameters
> [global]
>         workgroup = UPC-CT
>         realm = UPC-CT.UPC.EDU
>         netbios name = RADI
>         netbios aliases = RADI.UPC.ES RADI.UPC.EDU
>         security = ADS
>
>         log level = 5
>         username map = /var/lib/samba/user.map
>
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind nss info = rfc2307
>         winbind use default domain = Yes
>         winbind refresh tickets = yes
>         winbind offline logon = yes
>         winbind cache time = 60
>
>         idmap config * : backend = tdb
>         idmap config * : range = 100-499
>         idmap config UPC-CT:backend = ad
>         idmap config UPC-CT:schema_mode = rfc2307
>         idmap config UPC-CT:range = 500-999999

This is a red flag. You need to reserve UIDs 0-999 for system service accounts, and you should probably reserve a few UIDs for local accounts as well, so something like

idmap config * : range = 3000-9999
idmap config UPC-CT:range = 10000-999999

If you have users with UIDs less than 1000, bite the bullet and reset their UIDs to something larger to avoid endless headaches down the road.

>         idmap config UPC-CT:unix_nss_info = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
>         interfaces = lo eth0
>         bind interfaces only = yes
>
> [users]
>         path = /home/users/
>         read only = no
>         force create mode = 0600
>         force directory mode = 0700
> ..........<here come shares>..............
>
> Francesc Bassas Serramià
> Serveis Informàtics Campus Terrassa
> C/ Colom 2
> 08222 Terrassa (Barcelona)
> Telèfon : 93.73.98630
> https://serveis.terrassa.upc.edu/sict
>
>
> On 31/3/2022 at 14:00, samba-request at lists.samba.org wrote:
>> On Thu, 2022-03-31 at 11:56 +0200, Frank via samba wrote:
>>> Hi there,
>>>
>>> we have a Samba 4 AD installation with one DC and two members.
>>>
>>> All of them are ubuntu 20.04 with samba 4.13
>>>
>>> The thing is when DC is rebooted, it seems members lose their membership,
>>> and the only way to recover it is to reboot the member.
>>>
>>> In the wrong state, we get the following in members:
>>>
>>> # net ads testjoin
>>> ads_connect: No logon servers are currently available to service the
>>> logon request.
>>> Join to doman is not valid: No logon servers are currently available
>>> to
>>> service the logon request.
>>>
>>> After member reboot, "testjoin" shows membership recovered:
>>>
>>> # net ads testjoin
>>> Join is OK.
>>>
>>> We suspect it has to do with some winbind parameter.
>> It may be, but as you haven't provided the smb.conf files you are
>> using, saying which parameter, if any, would be a guess.
>> Please post the smb.conf from the DC and a Unix domain member.
>>
>> Rowland
Rowland Penny
2022-Mar-31 13:56 UTC
[Samba] Samba 4 AD member lose membership after DC reboot
On Thu, 2022-03-31 at 14:29 +0200, Frank via samba wrote:
> Hi Rowland,
>
> thanks for your quick response.
>
> Here is a member smb.conf:
>
> # Global parameters
> [global]
> workgroup = UPC-CT
> realm = UPC-CT.UPC.EDU
> netbios name = RADI
> netbios aliases = RADI.UPC.ES RADI.UPC.EDU

You cannot use netbios aliases on a Unix domain member, use a CNAME instead.

> security = ADS
>
> log level = 5
> username map = /var/lib/samba/user.map
>
> winbind enum users = yes
> winbind enum groups = yes

Remove the above two lines when you are sure everything is working correctly, they should not be used in production.

> winbind nss info = rfc2307
> winbind use default domain = Yes
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind cache time = 60
>
> idmap config * : backend = tdb
> idmap config * : range = 100-499
> idmap config UPC-CT:backend = ad
> idmap config UPC-CT:schema_mode = rfc2307
> idmap config UPC-CT:range = 500-999999
> idmap config UPC-CT:unix_nss_info = yes

Was this an upgrade from an NT4-style domain? Even if it was, your '*' range is clobbering local system users.

Rowland
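As an added check, not code from this thread or from Samba itself, the script below applies the advice in Patrick's and Rowland's replies to a member smb.conf: it flags idmap ranges that overlap the 0-999 system UID range or each other, `netbios aliases` on a domain member, and `winbind enum users`/`winbind enum groups` left on. The two sample configs are constructed from the posted lines (POSTED_CONF) and from the same lines with Patrick's suggested ranges and Rowland's removals applied (FIXED_CONF); the 0-999 reservation is Patrick's figure.

```python
import re

# Constructed: the relevant [global] lines as posted, and the same lines with the replies' advice applied.
POSTED_CONF = """[global]
        netbios aliases = RADI.UPC.ES RADI.UPC.EDU
        winbind enum users = yes
        winbind enum groups = yes
        idmap config * : range = 100-499
        idmap config UPC-CT:range = 500-999999
"""
FIXED_CONF = """[global]
        idmap config * : range = 3000-9999
        idmap config UPC-CT:range = 10000-999999
"""
SYSTEM_UIDS = (0, 999)  # reserved for system service accounts, per Patrick's advice
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)

def idmap_ranges(conf):
    """Map each idmap domain ('*' included) to its (low, high) UID range from [global]."""
    ranges, section = {}, None
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and (m := IDMAP_RE.match(line)):
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def setting(conf, key):
    """Return the value of a plain 'key = value' line, or None if the key is absent."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", conf, re.I | re.M)
    return m.group(1) if m else None

def overlaps(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_member_conf(conf):
    """Return findings for a Unix domain member smb.conf; an empty list means clean."""
    ranges, findings = idmap_ranges(conf), []
    for dom, rng in sorted(ranges.items()):
        if overlaps(rng, SYSTEM_UIDS):
            findings.append(f"{dom}: range {rng[0]}-{rng[1]} clobbers system UIDs 0-999")
        for d2, r2 in sorted(ranges.items()):
            if d2 > dom and overlaps(rng, r2):
                findings.append(f"{dom} and {d2} ranges overlap")
    if setting(conf, "netbios aliases"):
        findings.append("netbios aliases is not usable on a domain member; use a DNS CNAME")
    for key in ("winbind enum users", "winbind enum groups"):
        if (setting(conf, key) or "no").lower() == "yes":
            findings.append(f"{key} = yes should not be left on in production")
    return findings
```

Run `check_member_conf(open("/etc/samba/smb.conf").read())` on a member to get the same findings for a live file.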