[Samba] Question: Samba and YP-Yellow Pages relation.
Rowland Penny
rpenny at samba.org
Fri Apr 6 08:15:28 UTC 2018
On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:
> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation
> I already have in the pfSense, cause YP was disabled by the pfSense
> developers.
Yellow pages is the old name for NIS and unless it is installed it
isn't used by Linux and I suspect the same goes for FreeBSD.
> So my doubt is: Is there a way to make samba (latest
> version) to work without the YP enabled? What about what people made
> with that samba version 4.4.16 I mentioned? Not sure how they did
> that. The only thing I know is that it is working fine even without
> the YP.
I would love to know what they did, perhaps the relevant code has been
accepted into Samba.
>
> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> Win2016. It is working today with all of them.
>
Here is the good part: unless you extend Windows by installing 'IDMU',
it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.
> No problems, Here is the smb4.conf file:
and here is my version for 4.7.6, basically yours with default lines
removed and the deprecated 'idmap uid & gid' lines replaced with their
modern counterparts:
[global]
    workgroup = SAMDOM
    security = ads
    realm = SAMDOM.EXAMPLE.COM
    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab

[homes]
    comment = Home Directories
    ## %S = share (user) name, %D%w%S = domain + winbind separator + user
    valid users = %S, %D%w%S
    browseable = no
    read only = no
    inherit acls = yes
With that smb.conf, I joined it to my domain with:
    net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
    Using short domain name -- SAMDOM
    Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'
and if I examine the keytab created, I find this:
    ktutil
    ktutil:  rkt /etc/krb5.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
       2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
       3    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
       4    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
       5    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
       6    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
       7    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
       8    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
       9    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
      10    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
      11    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
      12    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
      13    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
      14    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
      15    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
      16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
      17    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
      18    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
      19    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
      20    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
So the required UPN is there, so all I can suggest is, give it a try.
I do not use Squid, but I know a man that does ;-)
So over to you Louis.
Rowland