[Samba] Question: Samba and YP-Yellow Pages relation.

Rowland Penny rpenny at samba.org
Fri Apr 6 08:15:28 UTC 2018

On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation
> I already have in the pfSense, cause YP was disabled by the pfSense
> developers.

Yellow Pages is the old name for NIS and unless it is installed it
isn't used by Linux and I suspect the same goes for FreeBSD.

> So my doubt is: Is there a way to make samba (latest
> version) to work without the YP enabled? What about what people made
> with that samba version 4.4.16 I mentioned? Not sure how they did
> that. The only thing I know is that it is working fine even without
> the YP.

I would love to know what they did, perhaps the relevant code has been
accepted into Samba.

> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> Win2016. It is working today with all of them.

Here is the good part: unless you extend Windows by installing 'IDMU',
it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.

> No problems, Here is the smb4.conf file:

and here is my version for 4.7.6, basically yours with default lines
removed and the deprecated 'idmap uid & gid' lines replaced with their
modern counterparts:

[global]
workgroup = SAMDOM
security = ads

## map ids outside of domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab

[homes]
comment = Home Directories
## %S = share (user) name, %D = domain, %w = winbind separator
valid users = %S, %D%w%S
browseable = no
read only = no
inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
Using short domain name -- SAMDOM
Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   4    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   6    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   8    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  10    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM

So the required UPN is there, so all I can suggest is, give it a try.

I do not use Squid, but I know a man that does ;-)

So over to you Louis.
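
Added example, not part of the original message and not Samba project code: a small pre-join check that reads the 'idmap config' lines of an smb.conf and reports overlapping ID ranges or a domain missing its backend or range. The function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the message.
SAMPLE_CONF = """\
[global]
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        entry = domains.setdefault(m["dom"].upper(), {})
        if m["opt"].lower() == "range":
            low, high = (int(x) for x in m["val"].split("-"))
            if low > high:
                raise ValueError(f"{m['dom']}: inverted range {m['val']}")
            entry["range"] = (low, high)
        else:
            entry[m["opt"].lower()] = m["val"]
    return domains

def find_problems(domains):
    """List human-readable problems: missing settings and overlapping ranges."""
    problems = [f"{d}: no {key} configured"
                for d, e in domains.items()
                for key in ("backend", "range") if key not in e]
    # Sorted by low bound, any overlap shows up between neighbours.
    ranged = sorted((e["range"], d) for d, e in domains.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"{d1} {r1} overlaps {d2} {r2}")
    return problems

if __name__ == "__main__":
    for p in find_problems(parse_idmap(SAMPLE_CONF)) or ["idmap ranges OK"]:
        print(p)
```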

