On Wed, 24 Apr 2024 10:58:50 +0300
Alexis Pellicier <alexis.pellicier at nds.k12.tr> wrote:
> Hi Rowland,
>
> > Your smb.conf seems to be insufficient, there are no 'idmap config'
> > lines, are you using sssd ?
> Yes I'm using sssd and I didn't post the idmap config lines to keep it
> brief, here it is:
Why are you using sssd and Samba ?
Presumably winbind is also running ?
You do not need both, and as you need winbind and smbd for file sharing
on a Unix domain member, I suggest you turn off and remove sssd.
> [global]
> netbios name = FILESEVER
> workgroup = WORKGROUP
> security = ads
> realm = MY.DOMAIN
> preferred master = no
> domain master = no
> local master = no
> disable netbios = Yes
> server signing = auto
> kerberos method = secrets and keytab
>
> min domain uid = 500
> idmap config * : backend = tdb
> idmap config * : range = 1000100-3000000
> idmap config WORKGROUP : backend = ad
> idmap config WORKGROUP : range = 500-1000000
> idmap config WORKGROUP : unix_nss_info = yes
> idmap config WORKGROUP : unix_primary_group = yes
> idmap config WORKGROUP : schema_mode = rfc2307
Not the ranges I would have chosen, but this is where you are. I just
hope your 'WORKGROUP' range never gets to 1000100.
>
> reset on zero vc = yes
> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=30
> TCP_KEEPCNT=3 TCP_KEEPINTVL=3
>
> disable spoolss = yes
Based on my working smb.conf and yours, I suggest you try this:
[global]
workgroup = WORKGROUP
security = ads
realm = MY.DOMAIN
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no
min domain uid = 500
idmap config * : backend = tdb
idmap config * : range = 1000100-3000000
idmap config WORKGROUP : backend = ad
idmap config WORKGROUP : range = 500-1000000
idmap config WORKGROUP : unix_nss_info = yes
idmap config WORKGROUP : unix_primary_group = yes
idmap config WORKGROUP : schema_mode = rfc2307
vfs objects = acl_xattr
map acl inherit = Yes
# Comment the following 4 lines to act as a print server
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
> Here is a more complete version of the DC's smb.conf:
> [global]
> workgroup = WORKGROUP
> realm = my.domain
> netbios name = DOM
> server role = active directory domain controller
> server services = -nbt
> smb ports = 445
> idmap_ldb:use rfc2307 = yes
> kerberos method = default
> kdc enable fast = yes
> allow dns updates = signed
> ntp signd socket directory = /var/lib/ntp/ntp_signd
Is there a reason for moving the ntp_signd directory from its default
/var/lib/samba/ntp_signd ?
> ldap server require strong auth = no
Rowland
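Rowland's concern about the two idmap ranges (that the WORKGROUP range must never reach 1000100, where the '*' range starts) can be checked mechanically. The script below is an added example, not code from this thread or from Samba: it parses the idmap config lines of an smb.conf and reports a missing default domain, a missing backend or range, a malformed range, and any pair of ranges that overlap. The sample smb.conf text is constructed from the lines quoted above.

```python
import re
from collections import defaultdict
# Constructed sample (assumption): the idmap settings quoted in the thread above.
SAMPLE_SMB_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 1000100-3000000
   idmap config WORKGROUP : backend = ad
   idmap config WORKGROUP : range = 500-1000000
   idmap config WORKGROUP : schema_mode = rfc2307
"""

# "idmap config <domain> : <option> = <value>", matched case-insensitively as smbd does
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every idmap config line."""
    domains = defaultdict(dict)
    for line in conf_text.splitlines():
        if m := IDMAP_RE.match(line):
            domains[m[1]][m[2].lower()] = m[3]
    return dict(domains)

def check_idmap(conf_text):
    """List problems: no '*' domain, missing backend/range, malformed or overlapping ranges."""
    domains = parse_idmap(conf_text)
    problems = []
    if "*" not in domains:
        problems.append("no default ('*') idmap domain configured")
    ranges = {}
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            lo, hi = (int(x) for x in opts["range"].split("-"))  # "low-high"
            if lo > hi:
                raise ValueError
            ranges[dom] = (lo, hi)
        except ValueError:
            problems.append(f"{dom}: malformed range {opts['range']!r}")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges for {a} and {b} overlap")
    return problems
```

Overlapping ranges matter because two different SIDs could then be mapped to the same uid or gid, which shows up as wrong file ownership on the member server.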