[Samba] testparm 4.6.0rc2

Vinicius Bones Silva vbs at e-trust.com.br
Tue Feb 7 18:04:55 UTC 2017


Using testparm of 4.6.0rc2 against the smb.conf of a production server (the production 
server is not using rc2, don't worry) produces the error:

[root at fwborda1 samba-460rc2]# testparm /root/smb.conf
Load smb config files from /root/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
         bind interfaces only = Yes
         interfaces = 127.0.0.1 172.22.2.27
         netbios name = paladine
         realm = dragonlance.org
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = E-TRUST
         allow dns updates = nonsecure and secure
         log file = /var/log/samba/%M.log
         disable spoolss = Yes
         load printers = No
         printcap name = /dev/null
         passdb backend = samba_dsdb
         restrict anonymous = 2
         server role = active directory domain controller
         template homedir = /home/%U
         template shell = /bin/bash
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind nss info = rfc2307
         winbind use default domain = Yes
         rpc_server:tcpip = no
         rpc_daemon:spoolssd = embedded
         rpc_server:spoolss = embedded
         rpc_server:winreg = embedded
         rpc_server:ntsvcs = embedded
         rpc_server:eventlog = embedded
         rpc_server:srvsvc = embedded
         rpc_server:svcctl = embedded
         rpc_server:default = external
         winbindd:use external pipes = true
         idmap_ldb:use rfc2307 = yes
         idmap config * : backend = tdb
         map archive = No
         map readonly = no
         store dos attributes = Yes
         printing = bsd
         vfs objects = dfs_samba4 acl_xattr


[netlogon]
         path = /var/lib/samba/sysvol/dragonlance.org/scripts
         browseable = No
         read only = No


[sysvol]
         path = /var/lib/samba/sysvol
         browseable = No
         read only = No

The original smb.conf does not have idmap set up. Is it supposed to? Here's the original 
file (yes, I'm omitting domain name and ip addresses):

# Global parameters
[global]
         netbios name = paladine
         realm = dragonlance.org
         workgroup = dragonlance
         #dns forwarder = 172.22.2.12
         server role = active directory domain controller
         interfaces = 127.0.0.1 172.22.2.27
         bind interfaces only = yes
         server services = -dns

         #Use settings from AD for login shell and home directory
         idmap_ldb:use rfc2307 = yes

         #Winbind Configuration
         winbind enum groups = yes
         winbind enum users = yes
         winbind use default domain = yes
         winbind nss info = rfc2307
         template shell = /bin/bash
         template homedir = /home/%U

         #Disable CUPS
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         #remove vulnerability
         #"26920 - Microsoft Windows SMB NULL Session Authentication"
         restrict anonymous = 2

         allow dns updates = nonsecure
         #allow dns updates = nonsecure and secure
         #allow dns updates = secure only
         nsupdate command =  /usr/bin/nsupdate -g

         #idmap config *:backend = ad
         #idmap config *:range = 2000-9999
         #idmap config for domain E-TRUST
         #idmap config DRAGONLANCE:backend = ad
         #idmap config DRAGONLANCE:schema_mode = rfc2307
         #idmap config DRAGONLANCE:range = 10000-40000
         #idmap cache time = 1
         #idmap negative cache time = 1
         #winbind cache time = 1

         #log level=3
         #log level = 1 auth:3
         log file=/var/log/samba/%M.log

[netlogon]
         path = /var/lib/samba/sysvol/dragonlance.org/scripts
         read only = No
         browseable = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No
         browseable = No




-- 

	
Vinicius Silva
SOC


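As an added example (not part of the original post, and not testparm's own code), a small Python lint that collects the active `idmap config` lines from an smb.conf and reports domains that have no range, the condition named in the error above, as well as malformed or overlapping ranges. The two sample configs are constructed from the settings shown in the post; the function names are hypothetical.

```python
import re

# "idmap config DOMAIN : option = value"; the post shows both "* : backend"
# and "*:backend", so whitespace around ':' and '=' is optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every active idmap config line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):      # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf_text):
    """List idmap domains with a missing, malformed or overlapping range."""
    findings, ranges = [], []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        rng = opts.get("range")
        if rng is None:
            findings.append(f"{dom}: no range set")
            continue
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
        if not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{dom}: invalid range '{rng}'")
            continue
        ranges.append((int(m.group(1)), int(m.group(2)), dom))
    prev = None          # (high, domain) of the farthest-reaching range so far
    for lo, hi, dom in sorted(ranges):
        if prev and lo <= prev[0]:
            findings.append(f"{prev[1]} and {dom}: ranges overlap")
        if prev is None or hi > prev[0]:
            prev = (hi, dom)
    return findings

# Constructed sample: the idmap lines as they appear in the testparm dump.
DUMPED = "[global]\n  idmap_ldb:use rfc2307 = yes\n  idmap config * : backend = tdb\n"
# Constructed sample: the post's commented-out idmap lines, mostly uncommented.
WITH_RANGES = """[global]
  idmap config *:backend = ad
  idmap config *:range = 2000-9999
  idmap config DRAGONLANCE:backend = ad
  #idmap config DRAGONLANCE:schema_mode = rfc2307
  idmap config DRAGONLANCE:range = 10000-40000
"""

if __name__ == "__main__":
    print(check_idmap(DUMPED), check_idmap(WITH_RANGES))
```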