[Samba] Samba acting as a domain member + netbios

Vincent DROUIN vdrouin at chapsvision.com
Fri Jan 26 17:37:53 UTC 2024


Okay the '%' were due to bad coy paste between the source code and a local smb.conf.
The samba is running on a minimal and embedded environment, which is why it must be built using buildroot.

It turns out that we might have been too restrictive with the samba libraries embedded in our environment.
I've solved this issue using latest version available in buildroot (4.19.3) and making sure all samba libraries are there.

The command "net ads join" now works well and I can connect to a share using AD authentication without netbios.

One last thing though : I've to do a new join after each reboot because a large part of the system is not persistent at reboot (like the whole /var directory that's flushed).
The only thing for which I do backup is the passdb.tdb and the secrets.tdb (historically for local users authentication).

Are there other things to backup to avoid the Kerberos pre-authentication issue after reboot?

Thanks for your help
Vincent

-----Message d'origine-----
De : samba <samba-bounces at lists.samba.org> De la part de Rowland Penny via samba
Envoyé : vendredi 26 janvier 2024 10:58
À : samba at lists.samba.org
Cc : Rowland Penny <rpenny at samba.org>
Objet : Re: [Samba] Samba acting as a domain member + netbios

[You don't often get email from samba at lists.samba.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

On Fri, 26 Jan 2024 08:44:13 +0000
Vincent DROUIN <vdrouin at chapsvision.com> wrote:

> Active Directory running on Windows Server 2019 Samba 4.15.8 (built
> from buildroot, using heimdal & libgssapi_krb5)

It sounds like you built Samba yourself, if so, why ? Also why use an old version ?

> Samba is running on a custom Unix distribution, all ports are open for
> the tests

'custom unix' ????

>
> Testparm -s result :
>
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         disable spoolss = Yes
>         idmap cache time = 300
>         idmap negative cache time = 0
>         interfaces = 127.0.0.0/8 enp0s8
>         load printers = No
>         machine password timeout = 0
>         name cache timeout = 0
>         realm = BERTINIT.TEST
>         security = ADS
>         server string = VDMACHINE File Server
>         smb ports = 445
>         template homedir = /data/cifs/%%U
>         winbind cache time = 0
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind use default domain = Yes
>         workgroup = BERTINIT
>         idmap config bertinit : range = 3000-999999
>         idmap config bertinit : backend = rid
>         idmap config * : range = 1000-2999
>         idmap config * : backend = tdb
>
>
> [homes]
>         comment = LDAP only
>         force create mode = 0775
>         force directory mode = 0775
>         force group = trans
>         force user = %%U
>         path = /data/cifs/%%U
>         read only = No
>         root preexec = /bin/hush /var/lib/samba/scripts/mkhomedir.sh
> %%U valid users = %%U
>         vfs objects = full_audit
>         full_audit:syslog = false
>         full_audit:success = fntimes
>         full_audit:prefix = %%u|%%I
>

Why the double '%' ?
It should be just one e.g. 'valid users = %U'
You do not actually need the 'path' parameter in '[homes]', it is set in '[global]'

Having said that, it has nothing to do with your problem, which is that you do not want to use netbios.

I said in my last post:

If 'disable netbios = yes' is set in smb.conf, then netbios shouldn't be used by Samba and you shouldn't be having problems with it.

Try adding 'disable netbios = yes' to your smb.conf , stop nmbd and stop it from starting again. Restart Samba and see if your problem has gone away, it should have.

Rowland

PS, please do not 'CC' me, just reply to the list.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



More information about the samba mailing list