SAMBA4 - Trusted relationship lost every Weeks


Samba - General mailing list
Hello,


We recently put in place a trust relationship between a Win2008 R2 AD
server (Domain A) and a samba PDC (sernet-samba 3.5.18-28): DOMAIN B.

This works as expected and the bidirectional relationship is stable.
Several services are using this trust relationship without any problem.


We recently added a fresh new samba4 file server (Debian 8.7 with samba
4.2.14+dfsg-0+deb8u5), which is joined to the AD domain (DOMAIN A).
This server is actually able to serve files for users from both domains
(A & B), as we can set up ACLs for every domain on it.

The only trouble we encounter is that every Monday morning, it seems
that this samba4 server loses the approbation from the AD server.

Using smbclient we encounter this error:


[SambaServer]:~#wbinfo -a "DOMAIN_B+myuser"
Enter DOMAIN_B+myuser's password:
plaintext password authentication failed
Could not authenticate user DOMAIN_B+myuser with plaintext password
Enter DOMAIN_B+myuser's password:
challenge/response password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
error message was: Trusted domain failure
Could not authenticate user DOMAIN_B+myuser with challenge/response

To make it work again, we have to disjoin/rejoin the server to the AD
domain, restart winbind and then samba.

Putting a debug log level on the samba4 server itself, we don't see anything
particular in the logs. The fact is that this happens every Monday morning.

Is there anything particular I should know on Win2008 Domain side
(something regarding the sambaserver machine account?)


FYI, the relationship between the 2 domains has been set up with a dedicated
account which has the "I" flag (InterDomain trust) on DOMAIN B.

My guess is that the relationship is fine, but the samba4 server on Domain A
periodically loses its mind for a reason I don't know.


If any of you have an idea or experienced something similar, please let
me know! :)


--
Regards,

Julien Téhéry - Ingénieur Systèmes et Réseaux



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: SAMBA4 - Trusted relationship lost every Weeks

Hi All,

Answering myself, this problem still occurs again and again, every
week as I mentioned before.
Rejoining the domain each time for the samba4 file server is the only
workaround.

What could be the origin of this kind of problem?

Any answer would be helpful.

Regards




Re: SAMBA4 - Trusted relationship lost every Weeks

On Sun, 13 Aug 2017 10:42:44 +0200
Julien TEHERY via samba <[hidden email]> wrote:

> Hi All,
>
> Answering to myself, this problem still occurs again and again, every
> week as I mentioned before.
> Rejoining the domain each time for samba4 file server is the only
> workaround.
>
> What could be the origin of this kind of problem?
>

Can you post your smb.conf?

Rowland


Re: SAMBA4 - Trusted relationship lost every Weeks

Hi,


Here is our smb.conf.

Please note that this server uses nss resolution for DOMAIN_B users and
the idmap_ldap backend to resolve DOMAIN_A users.

The trust relationship works well for other services between those
two domains. Only the samba4 fileserver needs to rejoin the DOMAIN_A domain
(AD 2008 server) every week.

#======================= Global Settings =====================================
[global]
        server string = FILESERVER
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        realm = DOMAIN_A
        workgroup = DOMAIN_A
        os level = 80
        bind interfaces only = yes
        interfaces = eth0

        ## Encoding ##
        dos charset = 850
        #display charset = UTF8

        ## Name resolution ##
        dns proxy = no
        wins support = no
        name resolve order = host wins bcast lmhosts

        ## Logs ##
        max log size = 50
        log level = 10
        log file = /var/log/samba/%m.log
        syslog only = no
        syslog = 0
        panic action = /usr/share/samba/panic-action %d

        ## Passwords ##
        security = ADS
        encrypt passwords = true
        unix password sync = no
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        invalid users = root

        ## Restrictions ##
        hide special files = no
        hide unreadable = no
        hide dot files = no

        ## Resolve office save problems ##
        oplocks = no

        ## ACL SUPPORT ##
        nt acl support = yes
        acl check permissions = yes
        acl group control = yes

        # WINBIND
        ldap ssl = off
        ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
        ldap suffix = dc=domain_a,dc=xm
        ldap timeout = 90
        ldap connection timeout = 20
        winbind nested groups = yes
        winbind expand groups = yes
        winbind cache time = 5
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        winbind use default domain = no
        allow trusted domains = yes

        # IDMAP MDMAD XM
        #GLOBAL
        idmap config * : backend = tdb
        idmap config * : range = 19000-19999
        #DOMAIN_A
        idmap config DOMAIN_A : backend      = ldap
        idmap config DOMAIN_A : range        = 20000-9999999999
        idmap config DOMAIN_A : ldap_url     = ldap://myldap.domain_a.com
        idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
        idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
        #DOMAIN_B
        idmap config DOMAIN_B : backend      = nss
        idmap config DOMAIN_B : range        = 500-19000

        guest account = nobody
        map to guest = Bad User





Re: SAMBA4 - Trusted relationship lost every Weeks

On Wed, 16 Aug 2017 09:05:32 +0200
Julien TEHERY via samba <[hidden email]> wrote:

> Hi,
>
>
> Here is our smb.conf.
>
> Please note that this server uses nss resolution for DOMAIN_B users
> and the idmap_ldap backend to resolve DOMAIN_A users.
>
> The trust relationship works well for other services between
> those two domains. Only the samba4 fileserver needs to rejoin the DOMAIN_A
> domain (AD 2008 server) every week.
>
> #======================= Global Settings
> =====================================
> [global]
>          server string = FILESERVER
>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          realm = DOMAIN_A
>          workgroup = DOMAIN_A
>          os level = 80
>          bind interfaces only = yes
>          interfaces = eth0
>
>          ## Encoding ##
>          dos charset = 850
>          #display charset = UTF8
>
>          ## Name resolution ##
>          dns proxy = no
>          wins support = no
>          name resolve order =  host wins bcast lmhosts
>
>          ## Logs ##
>          max log size = 50
>          log level = 10
>          log file = /var/log/samba/%m.log
>          syslog only = no
>          syslog = 0
>          panic action = /usr/share/samba/panic-action %d
>
>          ## Passwords ##
>          security = ADS
>          encrypt passwords = true
>          unix password sync = no
>          passwd program = /usr/bin/passwd %u
>          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>          invalid users = root
>
>          ## Restrictions ##
>          hide special files = no
>          hide unreadable = no
>          hide dot files = no
>
>          ## Resolve office save problems ##
>          oplocks = no
>
>          ## ACL SUPPORT ##
>          nt acl support = yes
>          acl check permissions = yes
>          acl group control = yes
>
>      # WINBIND
>      ldap ssl =off
>      ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
>      ldap suffix = dc=domain_a,dc=xm
>          ldap timeout = 90
>          ldap connection timeout = 20
>          winbind nested groups = yes
>          winbind expand groups = yes
>          winbind cache time = 5
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind separator = +
>          winbind use default domain = no
>          allow trusted domains = yes
>
>      # IDMAP MDMAD XM
>      #GLOBAL
>          idmap config *: backend = tdb
>          idmap config *: range = 19000-19999
>      #DOMAIN_A
>      idmap config DOMAIN_A : backend      = ldap
>      idmap config DOMAIN_A : range        = 20000-9999999999
>      idmap config DOMAIN_A : ldap_url     = ldap://myldap.domain_a.com
>      idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
>      idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
>      #DOMAIN_B
>          idmap config DOMAIN_B : backend      = nss
>          idmap config DOMAIN_B : range        = 500-19000
>
>          guest account = nobody
>          map to guest = Bad User
>
>

You did say that this machine is joined to the AD domain (DOMAIN
A), didn't you ?

If so, why, if 'security = ADS' is in smb.conf, are you trying to use
ldap to connect to the AD DC ?????

Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
'man idmap_nss' and finally this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Sorry to be the bearer of bad news, but your smb.conf is a mess, you
should be using the winbind 'ad' or 'rid' backend for DOMAIN_A (as an
aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A). You should
also probably be using the winbind 'rid' backend for DOMAIN_B and ALL
ranges should not overlap.

Can I also ask, why are you still using Samba 3.5.x ?
It went EOL 5 years ago.

Rowland


Re: SAMBA4 - Trusted relationship lost every Weeks

> You did say that this machine is joined to the AD domain (DOMAIN
> A), didn't you ?

Yes

> If so, why, if 'security = ADS' is in smb.conf, are you trying to use
> ldap to connect to the AD DC ?????

Not at all. If that were the case the machine would never have been
joined to DOMAIN_A.
Joining this machine to the 2008 domain (via net ads join..) succeeds
without any problem.
About the ldap connector, we just thought winbind would use it towards the
ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid resolution.
We actually use nss to resolve those uid/gid.

> Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man idmap_ad',
> 'man idmap_nss' and finally this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> should be using the winbind 'ad' or 'rid' backend for DOMAIN_A

Yes, I know it's ugly, but this configuration is a transitional one
to migrate users and their homes from an old samba NT4 domain to an AD
domain.
The main goal was to make resources available to users from both domains
(actually it works through the bidirectional trust).
The fact is this is not the prettiest config; as we didn't have the
prerequisites for idmap_ad, we tried the idmap_ldap backend and it works.
Using several fileservers, they resolve the same uid/gid for a specific
user.
IMO I don't think this setup can cause such a cyclic problem (exactly
every week..), but I'm probably wrong.

> (as an
> aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).

For sure, in production they are different (this is the result of
anonymising the config).

> You should
> also probably be using the winbind 'rid' backend for DOMAIN_B

We actually use nss. What advantage does using the rid backend offer
instead of nss?

>   and ALL
> ranges should not overlap.

A mistake in copy/paste configuration, it's not the case actually.

> Can I also ask, why are you still using Samba 3.5.x ?
> It went EOL 5 years ago.

:) you're right. Upgrading the main production PDC from this old
version has to be studied carefully. Head chiefs decided to migrate to
another windows domain instead of maintaining this one as I explained above.

> Rowland
>

Julien


Re: SAMBA4 - Trusted relationship lost every Weeks


Very hard to understand this post, but see inline comments:

On Wed, 16 Aug 2017 17:47:25 +0200
Julien TEHERY via samba <[hidden email]> wrote:

> > You did say that this machine is joined to the AD domain (DOMAIN
> > A), didn't you ?
>  >> Yes
> >
> > If so, why, if 'security = ADS' is in smb.conf, are you trying to
> > use ldap to connect to the AD DC ?????
>
>  >> Not at all. If it was the case the machine would have never be
> joined to DOMAIN_A
> Joining this machine to the 2008 domain (via net ads join..) succeeds
> without any problem.
> About ldap connector we just thought winbind would use it towards
> ldap server for DOMAIN_B (Samba 3.5 domain) uid/gid  resolution.
> We actually use nss to resolve those uid/gid

It doesn't, and idmap_nss is used to ensure that a local Unix user is mapped
to an AD user; the only problem with your setup is, you cannot have a
user with the same name in AD and /etc/passwd.

> >
> > Can I suggest you read 'man smb.conf', 'man idmap_rid' 'man
> > idmap_ad', 'man idmap_nss' and finally this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Please read the manpages and the wikipage


> >
> > Sorry to be the bearer of bad news, but your smb.conf is a mess, you
> > should be using the winbind 'ad' or 'rid' backend for DOMAIN_A
>  >> Yes I know it's ugly, but this configuration is a transitional
>  >> one
> to migrate users and their homes from an old samba NT4 domain to an
> AD domain.
> Main goal was to make resources available to users from both domains
> (actually it works through bidirectional trust).
> The fact is this is not the prettiest config, as we didn't have
> prerequisites for idmap_ad, we tried idmap_ldap backend and it works.

You don't have to use the 'ad' backend, in fact in your case I would
use the 'rid' backend

> Using several fileservers, they resolve the same uid/gid for a
> specific user.
> IMO I don't think this setup can cause such a cyclic problem (exactly
> every week..), but I'm probably wrong.

I don't think it is either, what I think is going wrong is the kerberos
ticket is expiring and I don't think you can fix it with your smb.conf.
I would have expected an idmap block something like this:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN_A : backend = rid
    idmap config DOMAIN_A : range = 10000-99999
    idmap config DOMAIN_B : backend = rid
    idmap config DOMAIN_B : range = 10000000-19999999

I would also have expected to see this line:

    winbind refresh tickets = Yes

>
> > (as an
> > aside, I do hope that workgroup DOMAIN_A != realm DOMAIN_A).
>  >> For sure, in production they are different (this is the result of
> anonymising config)
> > You should
> > also probably be using the winbind 'rid' backend for DOMAIN_B
>  >> We actually use nss. what advantage offers using rid backend
>  >> instead
> of nss ?
> >   and ALL
> > ranges should not overlap.
>  >> A mistake in copy/paste configuration, it's not the case actually.
>
> >
> > Can I also ask, why are you still using Samba 3.5.x ?
> > It went EOL 5 years ago.
>  >> :) you're right. Upgrading the main production PDC from this old
> version has to be studied carefully. Head chiefs decided to migrate
> to another windows domain instead of maintaining this one as I
> explained above.

Good choice to migrate, you just seem to have gone about it the wrong
way, but they are your domains and you can do it your way.

Rowland


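The three points Rowland makes in this reply (idmap ranges must not overlap, a domain member with `security = ADS` should map its own domain with the `ad` or `rid` backend, and `winbind refresh tickets = Yes` should be present) can be checked mechanically before an smb.conf reaches a file server. The script below is an added example written for this page; it is not Samba project code and was not posted by either participant. It parses only the `[global]` section, and the two smb.conf fragments embedded in it are constructed: one reproduces the problems discussed in the thread (a `DOMAIN_B` backend line without its `:` separator, a `DOMAIN_B` range that touches the `*` range, `idmap_ldap` for the joined domain, no ticket refresh), the other follows the idmap block Rowland suggests. The problem messages are my own wording.

```python
import re

# Constructed sample fragment (not the thread's real smb.conf) that reproduces
# the issues raised in the thread: a DOMAIN_B backend line without the ':'
# separator, a DOMAIN_B range that collides with the '*' range, idmap_ldap for
# the domain the server is joined to, and no 'winbind refresh tickets'.
BAD_SMB_CONF = """\
[global]
        security = ADS
        realm = DOMAIN_A.EXAMPLE.COM
        workgroup = DOMAIN_A
        allow trusted domains = yes
        idmap config * : backend = tdb
        idmap config * : range = 19000-19999
        idmap config DOMAIN_A : backend = ldap
        idmap config DOMAIN_A : range = 20000-9999999999
        idmap config DOMAIN_B backend = nss
        idmap config DOMAIN_B : range = 500-19000
"""

# The same member rewritten along the lines suggested in the thread (constructed).
GOOD_SMB_CONF = """\
[global]
        security = ADS
        realm = DOMAIN_A.EXAMPLE.COM
        workgroup = DOMAIN_A
        allow trusted domains = yes
        winbind refresh tickets = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config DOMAIN_A : backend = rid
        idmap config DOMAIN_A : range = 10000-99999
        idmap config DOMAIN_B : backend = rid
        idmap config DOMAIN_B : range = 10000000-19999999
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
BROKEN_IDMAP_RE = re.compile(r"^idmap\s+config\s+\S+\s+\w+\s*=", re.I)   # no ':' separator
PARAM_RE = re.compile(r"^([^=]+?)\s*=\s*(.*?)\s*$")


def parse_smb_conf(text):
    """Parse the [global] section into (params, idmap, malformed_lines)."""
    params, idmap, malformed = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(domain, {})[option] = value
            continue
        if BROKEN_IDMAP_RE.match(line):
            malformed.append(line)
            continue
        m = PARAM_RE.match(line)
        if m:
            params[" ".join(m.group(1).lower().split())] = m.group(2)
    return params, idmap, malformed


def parse_range(value):
    """'3000-7999' -> (3000, 7999); raises ValueError on anything else."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_smb_conf(text):
    """Return a list of problems; an empty list means the idmap setup is sane."""
    params, idmap, malformed = parse_smb_conf(text)
    problems = [f"malformed idmap line (missing ':' after the domain): {l!r}" for l in malformed]
    if "*" not in idmap:
        problems.append("no 'idmap config * :' default block")
    ranges = []
    for domain, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{domain}: range given but no backend")
        if "range" not in opts:
            problems.append(f"{domain}: backend given but no range")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{domain}: unparsable range {opts['range']!r}")
            continue
        ranges.append((lo, hi, domain))
    ranges.sort()  # adjacent ranges in this order are the only overlap candidates
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    # A member joined with security = ADS should map its own domain with 'ad' or 'rid'.
    if params.get("security", "").lower() == "ads":
        own = params.get("workgroup", "").upper()
        backend = idmap.get(own, {}).get("backend", "").lower()
        if own and backend not in ("ad", "rid"):
            problems.append(f"{own}: backend {backend or 'unset'!r}, expected 'ad' or 'rid' on an AD member")
    # Samba's default for this parameter is 'no'.
    if params.get("winbind refresh tickets", "no").lower() not in ("yes", "true", "1"):
        problems.append("'winbind refresh tickets = yes' not set; winbind will not renew Kerberos tickets")
    return problems


if __name__ == "__main__":
    for name, conf in (("BAD", BAD_SMB_CONF), ("GOOD", GOOD_SMB_CONF)):
        print(name, "->", check_smb_conf(conf) or "no problems")
```

Run it against a real file with `check_smb_conf(open("/etc/samba/smb.conf").read())`; the overlap test is inclusive on both ends, so a range ending at 19000 and another starting at 19000 are reported, which is exactly the situation in the posted config.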

Re: SAMBA4 - Trusted relationship lost every Weeks


Le 16/08/2017 à 18:18, Rowland Penny via samba a écrit :

> I don't think it is either, what I think is going wrong is the kerberos
> ticket is expiring and I don't think you can fix it with your smb.conf.
> I would have expected an idmap block something like this:
>
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config DOMAIN_A : backend = rid
>      idmap config DOMAIN_A : range = 10000-99999
>      idmap config DOMAIN_B : backend = rid
>      idmap config DOMAIN_B : range = 10000000-19999999
>
> I would also have expected to see this line:
>
>      winbind refresh tickets = Yes

Ticket lifetime is 24 hours by default and renewal lifetime is 7 days in
an Active Directory.

I will add these settings:

krb5.conf:

  ticket_lifetime = 24h
  renew_lifetime = 7d

smb.conf:

  winbind refresh tickets = Yes

My guess is that I didn't have a proper setup in krb5.conf.
I'll let you know in a week.

Thanks for your help.

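Rowland's diagnosis earlier in the thread is an expiring Kerberos ticket, and the 24 h / 7 d figures in this post make a weekly failure plausible: a renewable TGT can be renewed only while it is still unexpired and only up to its renew-till time, after which a fresh AS exchange (for a domain member, from the machine keytab) is the only way to get a new one. The model below is an added example written for this page; it is not Samba or MIT Kerberos code and was not posted by either participant. It encodes just those two renewal rules with the 24 h and 7 d values quoted above, and the start time (a Monday morning join) is a constructed value. It does not claim to reproduce what winbind itself does on the poster's server; it shows why renew-only refreshing has a hard weekly limit and what a refresh loop has to do to avoid it.

```python
from datetime import datetime, timedelta

# Lifetimes quoted in this thread for an AD realm.
TICKET_LIFETIME = timedelta(hours=24)
RENEW_LIFETIME = timedelta(days=7)

# Constructed starting point: a (re)join done on a Monday morning.
START = datetime(2017, 8, 14, 8, 0)


def hours(n):
    return timedelta(hours=n)


def days(n):
    return timedelta(days=n)


class RenewableTgt:
    """Toy model of a renewable Kerberos TGT; it is not a credential cache."""

    def __init__(self, issued, lifetime=TICKET_LIFETIME, renew_lifetime=RENEW_LIFETIME):
        self.lifetime = lifetime
        self.endtime = issued + lifetime
        self.renew_till = issued + renew_lifetime

    def is_valid(self, now):
        return now < self.endtime

    def renew(self, now):
        """A TGS-REQ with the RENEW option: the KDC only accepts it while the
        ticket is unexpired and renew-till has not passed, and the new endtime
        never goes past renew-till. Returns True when the ticket was extended."""
        if not self.is_valid(now) or now >= self.renew_till:
            return False
        self.endtime = min(now + self.lifetime, self.renew_till)
        return True


def renew_only_outage(start, renew_every):
    """Renew a single TGT at a fixed interval and never re-authenticate.
    Returns the instant the ticket finally expires for good."""
    tgt = RenewableTgt(start)
    now = start
    while tgt.renew(now + renew_every):
        now += renew_every
    return tgt.endtime


def reauth_schedule(start, horizon, renew_every):
    """Same refresh loop, but obtain a fresh TGT (a new AS exchange, e.g. from
    the machine keytab) as soon as a renewal can no longer carry the ticket to
    the next refresh. Returns the re-authentication times up to 'horizon';
    with this policy the server is never left without a valid ticket."""
    reauths = []
    tgt = RenewableTgt(start)
    now = start
    while now + renew_every < horizon:
        now += renew_every
        tgt.renew(now)
        if tgt.endtime <= now + renew_every:
            tgt = RenewableTgt(now)
            reauths.append(now)
    return reauths


if __name__ == "__main__":
    dead = renew_only_outage(START, hours(23))
    print("renew-only ticket dies:", dead, dead.strftime("%A"))
    print("renewing exactly every 24h (too late) dies:", renew_only_outage(START, hours(24)))
    for t in reauth_schedule(START, START + days(21), hours(23)):
        print("re-authenticated at", t)
```

With renewals every 23 hours the renew-only ticket dies exactly seven days after the join, on the following Monday morning; renewing at exactly the 24 hour mark is already too late, because the KDC will not renew an expired ticket. The re-authenticating loop instead pulls a fresh TGT shortly before each renew-till boundary and never has a gap, which is the behaviour a file server needs if it is to keep authenticating trusted-domain users across the weekend.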

Re: SAMBA4 - Trusted relationship lost every Weeks

On Thu, 17 Aug 2017 10:05:36 +0200
Julien TEHERY via samba <[hidden email]> wrote:

>
> Le 16/08/2017 à 18:18, Rowland Penny via samba a écrit :
>
> Ticket lifetime is 24 hours by default and renewal lifetime is 7 days
> in an Active Directory.
>
> I will add those configurations:
>
> krb5.conf:
>
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>

You only need this in /etc/krb5.conf:

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true

Rowland
