[Samba] Simple question about netbios name and workgroup, in smb.conf

Rowland Penny rpenny at samba.org
Fri Oct 6 19:11:20 UTC 2023


On Fri, 6 Oct 2023 15:43:08 -0300
Ricardo Campos <rdiascampos at gmail.com> wrote:

> Thanks, Rowland for your quick answer.
> 
> 1. testparm -s
> 
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
> 
> Server role: ROLE_STANDALONE

You need to add 'domain logons = yes', it now defaults to 'no', hence
Samba is not running as a PDC.

> 
> # Global parameters
> [global]
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         add machine script = /usr/sbin/smbldap-useradd -W "%u"
>         add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete group script = /usr/sbin/smbldap-groupdel "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>         delete user script = /usr/sbin/smbldap-userdel "%u"
>         domain master = Yes
>         dos charset = iso-8859-1
>         ldap admin dn = uid=XXXX,ou=xxx,dc=xxx,dc=xxx,dc=xx
>         ldap group suffix = ou=grupos
>         ldap idmap suffix = ou=usuarios
>         ldap machine suffix = ou=computadores
>         ldap page size = 1024
>         ldap ssl = no
>         ldap suffix = dc=xxxx,dc=xxx,dc=xx
>         ldap user suffix = ou=usuarios
>         log file = /var/log/samba/%U_%m.log
>         logon drive = U:
>         logon home =
>         logon path =
>         logon script = logon.bat
>         max log size = 8000
>         netbios aliases = newatena
>         netbios name = NEWATENA
>         ntlm auth = ntlmv1-permitted
>         os level = 33
>         passdb backend = ldapsam:ldap://127.0.0.1
>         preferred master = Yes
>         printcap name = cups
>         security = USER
>         server max protocol = NT1
>         server string = Servidor de arquivos  - em testes
>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>         time server = Yes
>         unix charset = iso-8859-1
>         username map = /usr/local/samba/etc/samba/smbusers
>         workgroup = FUTURO
>         recycle:subdir_mode = 0700
>         recycle:exclude_dir = /tmp /temp /cache /recycle /xxxx/transfer
>         recycle:exclude = *.tmp *.temp *.o *.obj ~$* *.~?? thumbs.db
>         recycle:maxsixe = 0
>         recycle:versions = Yes
>         recycle:touch = Yes
>         recycle:keeptree = Yes
>         recycle:repository = /dados/recycle/%U
>         idmap config * : backend = tdb
>         comment = qq
>         hide unreadable = Yes
>         inherit acls = Yes
>         inherit permissions = Yes
>         map acl inherit = Yes
>         path = /dados
>         preserve case = No
>         printer name = impsuporte
>         short preserve case = No
>         vfs objects = recycle
> 
> 
> [netlogon]
>         browseable = No
>         path = /home/%u
>         write list = simone mdourado
> 
> 
> [profiles]
>         browseable = No
>         create mask = 0600
>         directory mask = 0700
>         path = /var/lib/samba/profiles
>         read only = No
> 
> 
> [homes]
>         browseable = No
>         comment = Home Directories
>         read only = No
> 
> 
> [print$]
>         guest ok = Yes
>         path = /var/lib/samba/drivers
>         write list = root
> 
> 
> [saf]
>         browseable = No
>         comment = Area SAF
>         create mask = 0600
>         directory mask = 0700
>         force group = saf
>         path = /dados/saf
>         read list = @saf @suporte
>         write list = @saf @suporte
> 
> [des]
>         browseable = No
>         comment = Area DES
>         create mask = 0600
>         directory mask = 0700
>         force group = des
>         path = /dados/des
>         read list = @des @suporte
>         write list = @des @suporte
> 
> 
> [ensur]
>         browseable = No
>         comment = Area ENSUR
>         create mask = 0600
>         directory mask = 0700
>         force group = ensur
>         path = /dados/ensur
>         read list = @ensur @suporte
>         write list = @ensur @suporte
> 
> 
> [oeg]
>         browseable = No
>         comment = Area O&G
>         create mask = 0600
>         directory mask = 0700
>         force group = oeg
>         path = /dados/oeg
>         write list = @oeg @suporte sandra
> 
> 
> [sistemas]
>         force group = sistemas
>         path = /dados/sistemas
>         write list = @suporte @sistemas
> 
> 
> [malas]
>         force group = malas
>         path = /dados/malas
>         write list = @suporte @malas
> root at massa:/usr/local/samba/etc#
> 
> 2. you said: Samba 4.4 is extremely old
> 
> Yes, I know. The problem is that some people resist upgrading things.
> 
> 3. you said: Because, there are two workgroups on a Samba server,
> one, the 'local'
> one, uses the NetBIOS name and the 'domain' that uses the NetBIOS
> domain name
> 
> Well, why then is there only one sambaDomainName in ldap, till now?

Because Samba isn't running as a PDC.

> 
> 4. you said: why are you trying to keep an old obsolete system
> working ? The old 'PDC' type domains rely on SMBv1 and that protocol
> is very, very insecure. You would be better off either upgrading your
> existing domain to AD, or setting up a new domain, the latter is
> probably better because it gets rid of all the really old ways of
> doing things.
> 
> I couldn't agree more but there are very old Windows machines that
> people do not want to get rid of.

If you are doing this for other people, then I suggest you run away
before it all blows up in your face. If they want to run unsupported
Windows versions, that is their decision, but you really do not want to
be part of it. When it does get compromised (that's 'when' not 'if'),
you will get all the blame. The SMBv1 protocol is very insecure and is
turned off by default on Windows and Samba now, you really shouldn't
use it in production unless forced by the computer being part of a very
expensive machine that cannot easily be replaced and they should be
sandboxed from your main network.

Rowland
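
The following is an added example, not part of the original message or of Samba itself: a small audit of `testparm -s` output for the legacy settings this thread discusses (an SMBv1-only protocol cap, NTLMv1, unencrypted LDAP to the passdb backend, and `domain master` without `domain logons`). The sample input is constructed from the dump quoted above, and the check identifiers are hypothetical names chosen for this example.

```python
import re

# Constructed sample: a reduced `testparm -s` dump modelled on the one quoted above.
SAMPLE = """\
Server role: ROLE_STANDALONE

# Global parameters
[global]
        domain master = Yes
        ldap ssl = no
        ntlm auth = ntlmv1-permitted
        passdb backend = ldapsam:ldap://127.0.0.1
        server max protocol = NT1
"""

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def parse_testparm(text):
    """Parse `testparm -s` output into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).lower(), {})
        elif current is not None and "=" in line and not line.startswith(("#", ";")):
            key, _, value = line.partition("=")
            # smb.conf parameter names ignore case and internal whitespace
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit(text):
    """Return (check_id, message) pairs for the legacy settings named in the thread."""
    g = parse_testparm(text).get("global", {})

    def yes(name):
        return g.get(name, "no").lower() in ("yes", "true", "1")

    findings = []
    if g.get("servermaxprotocol", "").upper() in SMB1_DIALECTS:
        findings.append(("smb1-only", "server max protocol caps every client at SMBv1"))
    if g.get("ntlmauth", "").lower() in ("ntlmv1-permitted", "yes"):
        findings.append(("ntlmv1", "ntlm auth accepts NTLMv1 responses"))
    if g.get("ldapssl", "").lower() in ("no", "off") and "ldap://" in g.get("passdbbackend", ""):
        findings.append(("ldap-cleartext", "ldap:// passdb backend without StartTLS"))
    if yes("domainmaster") and not yes("domainlogons"):
        findings.append(("not-pdc", "domain master is set but domain logons is not 'yes'"))
    return findings

if __name__ == "__main__":
    for check_id, message in audit(SAMPLE):
        print(f"{check_id}: {message}")
```

On a live server, pass the captured output of `testparm -s` to `audit()` in place of `SAMPLE`.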


