[Samba] Samba 4.6.5-Debian, authentication on a mixed workgroup + domain

Marc-Henri Pamiseux marc-henri.pamiseux at libricks.org
Sun Jul 30 22:29:31 UTC 2017


Hi Rowland,

Sorry that I did not post smb.conf again; it is only because nothing has really
changed since my post of 25/07/2017 14:52.
I have added "ntlm auth = yes" for testing.

# .................... START /etc/samba/smb.conf .......................
# Global parameters
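[global]
        netbios name = RHEA
        workgroup = MYDOMAIN
        realm = LOCAL.MYDOMAIN
        security = ADS

        dedicated keytab file = /etc/krb5.keytab
        # use the secrets.tdb first, then the system keytab
        kerberos method = secrets and keytab

# OFF   password server = hera.local.mydomain
        username map = /etc/samba/user.map
        username level = 2
        # TESTING ONLY.  "ntlm auth = yes" additionally accepts NTLMv1 (and
        # LM) responses, not just NTLMv2.  NTLMv1 is cryptographically weak
        # and is off by default in current Samba releases; set this back to
        # "no" once the authentication problem is understood rather than
        # leaving it as a permanent workaround.
        ntlm auth = yes

        # Log level, optionally per debug class.  Available classes:
        # all,tdb,printdrivers,lanman,smb,rpc_parse,rpc_srv,rpc_cli,passdb,
        # sam,auth,winbind,vfs,idmap,quota,acls,locking,msdfs,dmapi,registry
        # (auth:2 records every logon attempt with the user name; keep the
        # log directory root-only readable.)
        log level = 2 passdb:2 auth:2 vfs:1 acls:1 locking:1
        # KB
        max log size = 5000
        log file = /var/log/samba/log.%m
        # Only used for browser elections; effectively unused while
        # "local master = no" below.
        os level = 53

        load printers = no
        printing = cups
        cups options = raw
        printcap name = /dev/null

#............... Winbind-specific section ...............
        # seconds
        winbind cache time = 60
        # seconds
        winbind reconnect delay = 15
        # NOTE(review): 2 seconds is a very short request timeout (the
        # upstream default is far larger).  A slow DC reply is then reported
        # as a lookup/authentication failure — confirm this is intended
        # before debugging logon problems any further.
        winbind request timeout = 2
        winbind max clients = 2000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

        # Without it your kerberos tickets will expire and not be renewed
        winbind refresh tickets = Yes
        # Lets users log on from cached credentials when no DC is reachable.
        # NOTE(review): the cached credential data is kept in winbindd's
        # cache files; make sure those stay readable by root only.
        winbind offline logon = Yes
        winbind separator = +
        # OFF winbind trusted domains only = no

        # See http://pig.made-it.com/uidgid.html
        # NOTE(review): the "*" range (500-999) and the MYDOMAIN range
        # (from 1000) must not overlap each other or the UID/GID ranges of
        # local Unix accounts on this host (Debian allocates system accounts
        # below 1000 and regular users from 1000 upward).  An overlap lets a
        # domain SID and a local account share the same id.  Check
        # /etc/passwd, /etc/group and /etc/adduser.conf.  The upper bound
        # 3000300 looks like a typo for 3000000 — confirm.
        idmap config * : backend = tdb
        idmap config * : range = 500-999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:range = 1000-3000300
        idmap config MYDOMAIN:unix_nss_info = yes
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:unix_primary_group = yes
#............... /Winbind-specific section ...............

        # Network discovery
        domain master = no
        local master = no
        preferred master = no
        wins support = no

        # "auto" offers SMB signing but does not require it: a client that
        # negotiates without signing is still served, which leaves those
        # sessions open to on-path tampering.  On a domain member that only
        # serves current Windows clients, "server signing = mandatory" is the
        # safer setting — test with your clients before changing it.
        server signing = auto
        client signing = auto
        client use spnego = yes

        # seconds
        keepalive = 180
        dos charset = cp850
        kernel change notify = no
        notify:inotify = false
        # use sendfile = yes

# Global share-permission defaults.
# These parameters are overridden, where needed, in the share definitions.
        map acl inherit = yes
        store dos attributes = yes
#       valid users = %U
        acl group control = yes
        inherit permissions = yes
        browseable = yes
        # Shares are read-only unless a share explicitly sets "read only = no".
        read only = yes
        create mask = 0660
        directory mask = 0770
        access based share enum = yes
        hide unreadable = yes
        hide unwriteable files = yes
        hide files = /.*/desktop.ini/ntuser.ini/NTUSER.*/

        # Lock handling
        locking = yes
        oplocks = yes
        strict locking = no
        # Files that must never be oplocked.  The whole list is ONE value on
        # ONE line, "/"-delimited.  Two entries were missing their leading
        # "*" (".docx" and ".PPS" only matched a file literally named so);
        # fixed to "*.docx" and "*.PPS".
        veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/*.xls/*.XLS/*.xlsx/*.XLSX/*.pptx/*.PPTX/*.ppsx/*.PPSX/*.ppt/*.PPT/*.pps/*.PPS/*.mdb/*.MDB/*.xml/*.XML/*.db/*.DB/*.PX/*.px/*.LCX/*.lcx/*.LCK/*.lck/*.XG0/*.xg0/*.YG0/*.yg0/*.NET/*.net/*.tmp/*.TMP/

        # Virtual File System.  NOTE: a share-level "vfs objects" REPLACES
        # this list, so shares that load extra modules must repeat acl_xattr.
        vfs objects = acl_xattr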
#
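[homes]
#    path = /home/MYDOMAIN/%U/
        comment = Repertoire Personnel
        read only = no
        browseable = no
        # Home directories are private to their owner.
        create mask = 0600
        directory mask = 0700

        # Locks
        oplocks = no
        level2 oplocks = no

        # Recycle bin ("corbeille").  The included file is expected to load
        # the recycle VFS module.  NOTE(review): a share-level "vfs objects"
        # replaces the global "acl_xattr", so the include must list
        # "acl_xattr recycle", not just "recycle", or ACL handling is lost
        # on this share — confirm the contents of inc_recycle.conf.
        include = /etc/samba/inc_recycle.conf
        # One value on ONE line; patterns are separated by "|".  The three
        # Emacs patterns "*~", "#*#" and ".#*" were separated by spaces,
        # which made them a single (never-matching) pattern; now "|"-joined.
        recycle:exclude = *.o|**obj|*.lo|*.la|*.al|.libs|*.so|*.so.*|*.a|*.pyc|*.pyo|__pycache__|*.rej|*~|#*#|.#*|*.swp|.DS_Store|[Tt]humbs.db|*.sdf|*.ncb
        recycle:repository = /home/trash/%U/private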
#
[Intranet]
        comment = Intranet Haption
        path = /home/web/local.mydomain/htdocs/
        # NOTE(review): this is the web server's document root and the share
        # is writable with no "valid users" / "write list" restriction, so
        # every authenticated user (subject only to filesystem permissions)
        # can put files where the web server will serve them — and execute
        # them if server-side scripting is enabled.  Consider limiting
        # write access to the group that maintains the intranet.
        read only = no

        # No opportunistic locking on this share
        oplocks = no
        level2 oplocks = no

        # Recycle bin for deleted files (module loaded by the include; the
        # include must also keep acl_xattr in "vfs objects").
        include = /etc/samba/inc_recycle.conf
        recycle:exclude = *.tmp
        recycle:repository = /home/trash/%U/intranet
#
[projets]
        comment = Gestion des projets
        path = /home/data/projets/
        # Writable by any authenticated user; access is governed by the
        # filesystem ACLs (acl_xattr) rather than by "valid users".
        read only = no

        # No opportunistic locking on this share
        oplocks = no
        level2 oplocks = no
#
[public]
        comment = Public Stuff
        path = /home/data/public/
        # Drop area: writable by any authenticated user.
        read only = no

        # No opportunistic locking on this share
        oplocks = no
        level2 oplocks = no
# .................... STOP /etc/samba/smb.conf ........................

# ................... START /etc/samba/user.map ........................
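# Map the domain's built-in Administrator account to the local root user.
# The leading "!" stops processing at the first match.  The whole mapping
# must be on ONE line.
# NOTE(review): the last two names are unqualified, so "Administrator" /
# "administrator" presented from any source — not only MYDOMAIN — appears
# to map to root.  In a mixed workgroup/domain setup keep only the
# domain-qualified forms unless the bare names are really required.
!root = MYDOMAIN\Administrator MYDOMAIN\administrator Administrator administrator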
# .................... STOP /etc/samba/user.map ........................

Regards,

-- 
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97

Le 28/07/2017 à 10:46, Rowland Penny via samba a écrit :
> 
> Hi, sorry but my crystal ball is away at the menders and my telepathy
> is on the fritz, so could you please post your smb.conf ;-)
> 
> Rowland
>  
> 


