[Samba] Shares not accessible when using FQDN
Rowland Penny
rpenny at samba.org
Wed Aug 30 10:47:46 UTC 2017
On Wed, 30 Aug 2017 12:20:04 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:
>
> Hi Rowland, my test SMB has several test lines and is dirty, for sure
> not correct :-) Could you share your setup to achieve this?
>
This is my working smb.conf (note: I use Samba 4.6.x):

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
# Uncomment the next two lines if you require a keytab for dovecot etc
#dedicated keytab file = /etc/krb5.keytab
#kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes
winbind offline logon = yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM : range = 10000-999999
# uncomment next two lines if not storing shell & unixhomedir in AD
#template shell = /bin/bash
#template homedir = /home/%U
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# logging
log level = 0

If you are using a version of Samba before 4.6.0, you should remove:

    idmap config SAMDOM : unix_nss_info = yes

and replace it with:

    winbind nss info = rfc2307

For this to work, all my users have a uidNumber attribute containing a
unique number inside the 'SAMDOM' range set in smb.conf (10000-999999)
and 'Domain Users' has a gidNumber inside the same range (note: you can
start the uidNumbers & gidNumbers at the same number, there is no need
to use different start numbers)
I also have a user.map, which contains this:

    !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

NOTE: 'SAMDOM' is my workgroup name and 'SAMDOM.EXAMPLE.COM' is my realm
name, you should replace them with yours.
Rowland