Peter Varkoly
2023-Jan-10 19:02 UTC
[Samba] Multi instance samba problem after updating from 4.15.5 to 4.17.4
Hi,
I have 3 samba instances running on one server: samba AD file and a
printserver instance.
After updating to 4.17.4 I have the problem, that connecting the one
instance with smbclient or from a windows client sometimes the shares of
the other instance will be listed.
The behavior is such that this behavior remains stable for a while, then
changes and the correct shares are delivered again. This is about 1
minute.
In the logfiles of the instances it is evident that the instances have
read the correct configuration.
Bad state:
# smbclient -L fileserver -U register%XXXXXXXXXX

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        n013-kyocera    Printer
        n108-lexmark    Printer
        p001-kyocera    Printer
        w105-hp         Printer
        zb-brother      Printer
        lehrer-ta       Printer
        IPC$            IPC       IPC Service (Samba 4.17.4)
Right state:
# smbclient -L fileserver -U register%XXXXXXXXXX

        Sharename       Type      Comment
        ---------       ----      -------
        groups          Disk      Shared directories of groups you are member in.
        users           Disk      All users
        all             Disk      Folder for all
        allteachers     Disk      Folder for all teacher
        software        Disk      Folder for software
        IPC$            IPC       IPC Service (Samba 4.17.4)
        register        Disk      Home Directories
SMB1 disabled -- no workgroup available
Connecting a specific instance works fine even if the bad shares were
delivered immediately before.
The dns resolution works correctly.
Do you have any idea?
Configfile samba-ad instance:
----------------
[global]
netbios name = admin
realm = <DOMAIN.DE>
workgroup = <DOMAIN>
dns forwarder = 172.16.0.5
server role = active directory domain controller
idmap_ldb:use rfc2307 = Yes
check password script = /usr/share/cranix/tools/check_password_complexity.sh
bind interfaces only = yes
interfaces = 127.0.0.1, 172.16.0.2
ntlm auth = yes
template shell = /bin/bash
ldap server require strong auth = no
hosts deny = 172.16.1.0/24
load printers = no
printcap name = /dev/null
disable spoolss = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No
[netlogon]
comment = Network logon
path = /var/lib/samba/sysvol/gy-ho.de/scripts
root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh netlogon open %U %I %a %m gy-ho.de
read only = No
Config file samba file server:
--------------------
[global]
workgroup = <DOMAIN>
realm = <DOMAIN.DE>
netbios name = fileserver
security = ADS
bind interfaces only = yes
interfaces = 172.16.0.1
pid directory = /run/sambafileserver
cache directory = /var/lib/fileserver
lock directory = /var/lib/fileserver/lock
state directory = /var/lib/fileserver
private directory = /var/lib/fileserver/private
log level = 5
wide links = Yes
unix extensions = No
load printers = no
printcap name = /dev/null
disable spoolss = yes
min domain uid = 0
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
[itool]
comment = Imaging Tool
path = /srv/itool
root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh itool open %u %I %a %m
inherit permissions = Yes
#valid users = @teachers, @sysadmins, @workstations, root, Administrator, ossreader
#force group = sysadmins
browseable = no
guest ok = no
writable = yes
strict locking = no
[profiles]
comment = Network profiles
path = /home/profiles/
root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh profiles open %U %I %a %m gy-ho.de
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
[homes]
comment = Home Directories
root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh homes open %U %I %a %m gy-ho.de
root postexec = /usr/share/cranix/plugins/share_plugin_handler.sh homes close %U %I %a %m gy-ho.de
veto files = /GROUPS/ALL/
inherit permissions = Yes
browseable = No
printable = No
read only = No
guest ok = No
valid users = %S
[groups]
comment = Shared directories of groups you are member in.
path = /home/groups/LINKED/%U
root preexec = /usr/share/cranix/plugins/share_plugin_handler.sh groups open %U %I %a %m gy-ho.de
root postexec = /usr/share/cranix/plugins/share_plugin_handler.sh groups close %U %I %a %m gy-ho.de
veto files = /TEACHERS/
inherit permissions = Yes
browseable = Yes
guest ok = No
printable = No
read only = No
[users]
comment = All users
path = /home
inherit permissions = Yes
browseable = Yes
guest ok = No
printable = No
read only = No
[all]
comment = Folder for all
path = /home/all
inherit permissions = Yes
browseable = Yes
guest ok = No
writable = Yes
[allteachers]
comment = Folder for all teacher
path = /home/groups/TEACHERS
inherit permissions = Yes
browseable = Yes
guest ok = No
writable = Yes
[alladmins]
comment = Folder for administration personal
path = /home/groups/ADMINISTRATION
inherit permissions = Yes
browseable = No
guest ok = No
writable = Yes
[software]
comment = Folder for software
path = /home/software
inherit permissions = Yes
browseable = yes
guest ok = no
writable = yes
[salt-repo]
comment = Folder for Salt Packages
path = /srv/salt/win/repo-ng
inherit permissions = Yes
browseable = no
guest ok = no
writable = yes
#valid users = @sysadmins
Config file samba printserver
-------------------------------------
[global]
workgroup = <DOMAIN>
realm = <DOMAIN.DE>
netbios name = printserver
printing = CUPS
security = ADS
bind interfaces only = yes
interfaces = 172.16.0.4
load printers = no
min domain uid = 0
pid directory = /run/sambaprintserver
cache directory = /var/lib/printserver
lock directory = /var/lib/printserver/lock
state directory = /var/lib/printserver
private directory = /var/lib/printserver/private
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
log level = 5
[print$]
comment = Printer Drivers
path = /var/lib/printserver/drivers
read only = No
[n013-kyocera]
path = /var/tmp/
printable = yes
printer name = n013-kyocera
hosts allow = 172.16.0.0/24 172.16.3.0/25
[n108-lexmark]
path = /var/tmp/
printable = yes
printer name = n108-lexmark
hosts allow = 172.16.0.0/24 172.16.14.0/26
[p001-kyocera]
path = /var/tmp/
printable = yes
printer name = p001-kyocera
hosts allow = 172.16.0.0/24 172.16.2.128/25
[w105-hp]
path = /var/tmp/
printable = yes
printer name = w105-hp
hosts allow = 172.16.0.0/24 172.16.15.64/26
[zb-brother]
path = /var/tmp/
printable = yes
printer name = zb-brother
hosts allow = 172.16.0.0/24 172.16.2.64/26
[lehrer-ta]
path = /var/tmp/
printable = yes
printer name = lehrer-ta
hosts allow = 172.16.0.0/24 172.16.8.0/22 172.16.3.192/27
Thanks a lot!
Michael Tokarev
2023-Jan-10 20:07 UTC
[Samba] Multi instance samba problem after updating from 4.15.5 to 4.17.4
10.01.2023 22:02, Peter Varkoly via samba wrote:
> Hi,
>
> I have 3 samba instances running on one server: samba AD file and a printserver instance.
> After updating to 4.17.4 I have the problem, that connecting the one instance with smbclient or from a windows client sometimes the shares of the
> other instance will be listed.

I tried running several instances like this, - had to fight with multiple issues, and finally decided to run samba in containers instead. This is possible to do off the same root filesystem (by mounting different /etc/samba/, /var/lib/samba/, /var/cache/samba/ and /var/log/samba/ for each instance). I abused systemd-nspawn for this, but had to fight with it too, as it has quite some checks in place which prevent it from running a container off system root.

Apparently it should be possible to do it in one system with multiple IP addresses and a lot of configuration, - it *should* work. Provided nothing wants to use localhost directly (like samba-tool or smbpasswd).

> The behavior is such that this behavior remains stable for a while, then changes and the correct shares are delivered again. This is about 1 minute.
> In the logfiles of the instances it is evident that the instances have read the correct configuration.

This smells like some cache - which is most often in /run/samba/ - is being used by multiple instances. Or something else is cross-using stuff.

If it were me, I'd move regular samba dirs - which are the ones I listed above - into subdirs each for each instance, so there's nothing in there "by default", - any file appearing directly in any of these dirs indicates a misconfiguration. Your AD DC config does not have all the *directory set up, so any misconfig in other instances means that instance will use files by AD DC instance.

Plus, a less radical, do an lsof for all the processes running and see if there are some files open which should not be.

Thanks,

/mjt
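Added example, not part of the message above and not Samba project code: a static check of the kind of separation suggested in that reply. It reads the `[global]` section of each instance's smb.conf and reports which directory parameters are left unset and which paths or defaults two instances would share. The function names are hypothetical, and the sample input is constructed from the directory settings in the three configs posted in this thread.

```python
import configparser
from collections import defaultdict

# Path parameters that appear in the [global] sections posted in this thread.
DIR_PARAMS = tuple(f"{d} directory" for d in ("pid", "cache", "lock", "state", "private"))

def _dirs(name):
    return (f"[global]\nnetbios name = {name}\n"
            f"pid directory = /run/samba{name}\n"
            f"cache directory = /var/lib/{name}\n"
            f"lock directory = /var/lib/{name}/lock\n"
            f"state directory = /var/lib/{name}\n"
            f"private directory = /var/lib/{name}/private\n")

# Constructed sample input, trimmed from the three configs in the thread.
SAMPLE = {"ad": "[global]\nnetbios name = admin\ninterfaces = 127.0.0.1, 172.16.0.2\n",
          "fileserver": _dirs("fileserver"), "printserver": _dirs("printserver")}

def global_params(text):
    """Parse smb.conf text; return [global] with lower-cased, space-collapsed keys."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}

def audit(instances):
    """Report unset path parameters per instance and anything shared across instances."""
    unset = defaultdict(list)        # instance -> parameters left at the built-in default
    by_path = defaultdict(set)       # explicit path -> instances pointing at it
    by_default = defaultdict(set)    # parameter -> instances relying on its default
    for name, text in instances.items():
        params = global_params(text)
        for param in DIR_PARAMS:
            path = params.get(param, "").strip().rstrip("/")
            if path:
                by_path[path].add(name)
            else:
                unset[name].append(param)
                by_default[param].add(name)
    return {
        "unset": dict(unset),
        "shared_paths": {p: sorted(i) for p, i in by_path.items() if len(i) > 1},
        "shared_defaults": {p: sorted(i) for p, i in by_default.items() if len(i) > 1},
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty `shared_paths` or `shared_defaults` means two instances would read and write the same files; `unset` lists the instance that any such fallback would land on.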
Michael Tokarev
2023-Jan-10 20:08 UTC
[Samba] Multi instance samba problem after updating from 4.15.5 to 4.17.4
10.01.2023 22:02, Peter Varkoly via samba wrote:
> Hi,
>
> I have 3 samba instances running on one server: samba AD file and a printserver instance.
> After updating to 4.17.4 I have the problem, that connecting the one instance with smbclient or from a windows client sometimes the shares of the
> other instance will be listed.

BTW, there's no need to run separate instances for print and file services. Only AD-DC needs to be separate, file+print always worked together.

/mjt
Michael Tokarev
2023-Jan-10 20:10 UTC
[Samba] Multi instance samba problem after updating from 4.15.5 to 4.17.4
That's a nice reply from the OP mailserver..
<peter at varkoly.de>: host mail.varkoly.de[5.252.225.115] said: 554 5.7.1
<mjt at tls.msk.ru>: Sender address rejected: Go away! (in reply to
RCPT TO command)
Thank you very much :)
/mjt