[Samba] Question: Samba and YP-Yellow Pages relation.
Suporte - KONTROL
suporte at kontrolsecurity.com.br
Fri Apr 6 13:57:31 UTC 2018
Hi Rowland,
That looks GREAT!
I will give it a try for sure and let you know.
I am trying to talk to the guys who "modified/patched" the Samba 44 to get details. If I get it, I will send it to you.
Many Thanks!!!
Fabricio.
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, April 6, 2018 5:15 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:
> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation
> I already have in the pfSense, because YP was disabled by the pfSense
> developers.
Yellow pages is the old name for NIS, and unless it is installed it isn't used by Linux, and I suspect the same goes for FreeBSD.
> So my doubt is: Is there a way to make Samba (latest
> version) work without the YP enabled? What about what people made
> with that Samba version 4.4.16 I mentioned? Not sure how they did
> that. The only thing I know is that it is working fine even without
> the YP.
I would love to know what they did, perhaps the relevant code has been accepted into Samba.
>
> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> Win2016. It is working today with all of them.
>
Here is the good part: unless you extend Windows by installing 'IDMU', it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.
> No problems, Here is the smb4.conf file:
and here is my version for 4.7.6, basically yours with default lines removed and the deprecated 'idmap uid & gid' lines replaced with their modern counterparts:

[global]
    workgroup = SAMDOM
    security = ads
    realm = SAMDOM.EXAMPLE.COM

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
Using short domain name -- SAMDOM
Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   4    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   6    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   8    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  10    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  11    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  12    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  13    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  14    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  15    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM

So the required UPN is there, so all I can suggest is, give it a try.
I do not use Squid, but I know a man that does ;-)
So over to you Louis.
Rowland
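
An added example, not part of the original thread or of Samba itself: the smb.conf above notes that the idmap ranges may not overlap, since overlapping ranges can give two different Windows accounts the same Unix ID. The sketch below checks a configuration for that and for the deprecated 'idmap uid' / 'idmap gid' lines; the OTHERDOM domain and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf in the thread, plus a
# hypothetical second domain (OTHERDOM) that overlaps SAMDOM, and one
# deprecated parameter, so that both checks have something to report.
SAMPLE_CONF = """
[global]
    workgroup = SAMDOM
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    idmap config OTHERDOM : range = 900000-1999999
    idmap uid = 10000-20000
"""

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+)$", re.I)
DEPRECATED_RE = re.compile(r"^idmap\s+(uid|gid)\s*=", re.I)

def parse_idmap(conf_text):
    """Return ({domain: (low, high)}, [deprecated parameter names])."""
    ranges, deprecated = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m and m.group(2).lower() == "range":
            low, high = (int(x) for x in m.group(3).split("-"))
            ranges[m.group(1)] = (low, high)
        else:
            d = DEPRECATED_RE.match(line)
            if d:
                deprecated.append("idmap " + d.group(1).lower())
    return ranges, deprecated

def find_overlaps(ranges):
    """Return pairs of domains whose ID ranges intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])   # order by low bound
    bad = []
    for i, (dom_a, (_, high_a)) in enumerate(items):
        for dom_b, (low_b, _) in items[i + 1:]:
            if low_b <= high_a:              # b starts before a has ended
                bad.append((dom_a, dom_b))
    return bad

if __name__ == "__main__":
    found, old = parse_idmap(SAMPLE_CONF)
    print("overlapping domains:", find_overlaps(found))
    print("deprecated parameters:", old)
```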