[Samba] Question: Samba and YP-Yellow Pages relation.

Rowland Penny rpenny at samba.org
Fri Apr 6 08:15:28 UTC 2018


On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> Actually I don't want to disable the Yellow Pages; that's a situation
> I already have in pfSense, because YP was disabled by the pfSense
> developers.

Yellow Pages is the old name for NIS, and unless it is installed it
isn't used by Linux; I suspect the same goes for FreeBSD.

> So my doubt is: is there a way to make Samba (latest version) work
> without YP enabled? What about what people did with that Samba
> version 4.4.16 I mentioned? Not sure how they did that. The only
> thing I know is that it is working fine even without YP.

I would love to know what they did, perhaps the relevant code has been
accepted into Samba.

> 
> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> Win2016. It is working today with all of them.
>

Here is the good part: unless you extend Windows by installing 'IDMU',
it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.

> No problem, here is the smb4.conf file:

and here is my version for 4.7.6, basically yours with the default lines
removed and the deprecated 'idmap uid & gid' lines replaced with their
modern counterparts:

[global]
workgroup = SAMDOM
security = ads
realm = SAMDOM.EXAMPLE.COM

## map ids outside of the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
Using short domain name -- SAMDOM
Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   4    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   6    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   8    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  10    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  11    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  12    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  13    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  14    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  15    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM

So the required UPN is there; all I can suggest is, give it a try.

I do not use Squid, but I know a man that does ;-)

So over to you Louis.

Rowland
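As an added example (not part of Rowland's post and not Samba's own tooling), the following POSIX shell script automates the two checks the post makes by eye: that the idmap ranges in smb.conf do not overlap, and that the host's keytab actually contains the SPN that was requested with createupn=. The smb.conf fragment and the ktutil listing embedded in it are constructed samples modelled on the ones above; the host name, realm and ranges are assumptions. A real ktutil listing repeats each principal once per encryption type, which ktutil's "l -e" makes visible; the sample keeps one line per principal for brevity.

```shell
#!/bin/sh
# Added example: sanity-check a winbind idmap configuration and a keytab
# listing. The config and listing below are constructed samples modelled on
# the post; the host name, realm and ranges are assumptions.

# Constructed smb.conf fragment with non-overlapping ranges.
SMB_CONF_OK='[global]
workgroup = SAMDOM
security = ads
realm = SAMDOM.EXAMPLE.COM
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
'

# Constructed variant where the domain range collides with the "*" range.
SMB_CONF_BAD='[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 5000-999999
'

# Constructed "ktutil: l" listing, one line per principal.
KTUTIL_LIST='slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   3    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
   4    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
'

# Print "DOMAIN LOW HIGH" for every "idmap config <dom> : range = low-high"
# line in the smb.conf text given as $1. Accepts the optional spaces around
# ':' that Samba itself tolerates.
idmap_ranges() {
    printf '%s' "$1" | awk -F= '
        tolower($1) ~ /^[ \t]*idmap config .*:[ \t]*range[ \t]*$/ {
            dom = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", dom)
            sub(/[ \t]*:.*$/, "", dom)
            rng = $2
            gsub(/[ \t]/, "", rng)
            split(rng, r, "-")
            print dom, r[1], r[2]
        }'
}

# Return 0 when no two idmap ranges in the smb.conf text $1 overlap, and 1
# otherwise, printing each colliding pair. Overlapping ranges make the
# SID-to-ID mapping ambiguous, which is why Samba documents that they must
# not overlap.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END {
            bad = 0
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Return 0 when principal $2 appears (third column) in the ktutil listing
# text $1, skipping the two header lines.
keytab_has_principal() {
    printf '%s' "$1" | awk -v want="$2" '
        NR > 2 && $3 == want { found = 1 }
        END { exit !found }'
}

# Stand-alone run: report on the constructed samples.
check_idmap_ranges "$SMB_CONF_OK" && echo "ok config: ranges do not overlap"
check_idmap_ranges "$SMB_CONF_BAD" || echo "bad config rejected as expected"
for spn in 'HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM' \
           'cifs/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM'; do
    if keytab_has_principal "$KTUTIL_LIST" "$spn"; then
        echo "present: $spn"
    else
        echo "missing: $spn"
    fi
done
```

On a joined host you would feed check_idmap_ranges the contents of the real smb.conf and keytab_has_principal the saved output of ktutil's "rkt /etc/krb5.keytab" followed by "l", then look for whichever SPN the application (here Squid's HTTP/ principal) needs before spending time on the application's own Kerberos configuration.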