[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...

Rowland Penny rpenny at samba.org
Wed Jun 21 16:30:19 UTC 2017


On Wed, 21 Jun 2017 18:06:45 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Greetings! L.P.H. van Belle via samba
>   on that day wrote...
> 
> > He did not post smb.conf ;-) 
> 
> It is full of comments, now, because I'm moving some settings from my
> old 'NT' domain...
> 
> 
> [From other thread...]
> 
> > If he has added 'security = user' to his smb.conf, he needs to
> > remove it, you do not use this on a DC.
> 
> Clearly, I've removed that; I added it exclusively to finish the
> post-installation task of the debian package.
> Sorry if I was not clear.
> 
> 
> > It looks like he got hit by the 'winbind package not installed on
> > debian unless you ask for it' error.
> 
> ?!
> 
> 
> > The rest is shown because he used testparm not samba-tool testparm 

Well, you learn something new every day, I never use 'testparm', I
always use 'samba-tool testparm' and I thought they would give the same
output, obviously not ;-)

> 
> I don't know about that. ;-)
> 
>  root at lupus:~# samba-tool testparm 
>  Press enter to see a dump of your service definitions
>  # Global parameters
>  [global]
> 	bind interfaces only = Yes
> 	interfaces = lo eth0.17
> 	netbios aliases = CUPS FILE MEDIA TIME
> 	netbios name = LUPUS
> 	realm = AD.CORSI.SV.LNF.IT
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = SVCORSI
> 	ldap server require strong auth = allow_sasl_over_tls
> 	logon drive = p:
> 	logon home = \\LUPUS\%U
> 	logon path = \\LUPUS\profiles\%U
> 	logon script = startup.bat
> 	load printers = Yes
> 	printcap name = cups
> 	server role = active directory domain controller
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	idmap config svcorsi : schema_mode = rfc2307
> 	idmap config svcorsi : backend = ad
> 	idmap_ldb:use rfc2307 = yes
> 	dsdb:schema update allowed = true
> 	comment = 
> 	printing = cups
> 
> effectively it is simpler. 

No it isn't, you should definitely remove the 'idmap config' lines.

> I've added surely 'ldap server require
> strong auth = allow_sasl_over_tls' to make exim work, and
> 'dsdb:schema update allowed = true' to modify schema.

You should only have the 'dsdb' line active in smb.conf when you need to
modify the schema, you should turn it off when not required.

> Clearly I've added the 'logon *' options because I need them. ;)

No you don't ;-)
Read up on the Windows and RFC2307 attributes you now have at your
disposal
 
> 
> Other things were probably added to make the winbind NSS and PAM providers
> work, but finally I've switched to SSSD.

Your decision, but everything that sssd can do, winbind can do and
using sssd is not supported by Samba.

Rowland
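The advice in this thread (no 'security = user' on a DC, drop the 'idmap config' lines, keep 'dsdb:schema update allowed' off unless the schema is being changed) is easy to check mechanically. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf dump of the kind 'samba-tool testparm' prints, reports the offending lines when 'server role' is an AD DC, and produces a copy with them removed. The sample configuration is constructed here, modelled on (and trimmed from) the dump quoted above, with a 'security = user' line added to exercise that check.

```python
"""Lint a Samba AD DC smb.conf for settings that do not belong on a DC.

Added example, not part of the samba list thread and not Samba code.
Checks, on a DC only:
  * 'security = user'                   (not used on a DC)
  * 'idmap config <domain> : ...' lines (not used on a DC)
  * 'dsdb:schema update allowed = true' (only while changing the schema)
"""
import re

# Constructed sample, modelled on the 'samba-tool testparm' dump in the
# thread, trimmed, plus a 'security = user' line to exercise that check.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
\tnetbios name = LUPUS
\trealm = AD.CORSI.SV.LNF.IT
\tworkgroup = SVCORSI
\tserver role = active directory domain controller
\tidmap config svcorsi : schema_mode = rfc2307
\tidmap config svcorsi : backend = ad
\tidmap_ldb:use rfc2307 = yes
\tdsdb:schema update allowed = true
\tsecurity = user
"""


def _norm_key(key):
    """Lower-case a parameter name and collapse internal whitespace."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: {key: value}} from INI-style smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # parameter outside any section, or malformed
        key, value = line.split("=", 1)
        sections[current][_norm_key(key)] = value.strip()
    return sections


def audit_dc_config(text):
    """Return a list of (key, reason) findings; empty if not an AD DC."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if "active directory domain controller" not in g.get("server role", "").lower():
        return findings  # the checks below only apply to a DC
    if g.get("security", "").lower() == "user":
        findings.append(("security", "'security = user' is not used on a DC; remove it"))
    for key in g:
        if key.startswith("idmap config "):
            findings.append((key, "'idmap config' lines are not used on a DC; remove them"))
    if g.get("dsdb:schema update allowed", "").lower() in ("true", "yes"):
        findings.append(("dsdb:schema update allowed",
                         "enable only while modifying the schema, then turn it off"))
    return findings


def clean_dc_config(text):
    """Return the config text with every flagged parameter line dropped."""
    flagged = {key for key, _ in audit_dc_config(text)}
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and line[0] not in "#;[":
            if _norm_key(line.split("=", 1)[0]) in flagged:
                continue  # drop the offending line, keep everything else
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for key, reason in audit_dc_config(SAMPLE_SMB_CONF):
        print(f"{key}: {reason}")
    print("--- cleaned ---")
    print(clean_dc_config(SAMPLE_SMB_CONF), end="")
```

Run it against a real dump with `samba-tool testparm | python3 lint_dc_conf.py` after swapping the sample for `sys.stdin.read()`; the 'dsdb' finding is deliberately a reminder rather than an error, since the line is legitimate for the duration of a schema change.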


