[Samba] Question: Samba and YP-Yellow Pages relation.

Suporte - KONTROL suporte at kontrolsecurity.com.br
Fri Apr 6 13:57:31 UTC 2018

Hi Rowland,
That looks GREAT!
I will give it a try for sure and let you know.

I am trying to talk to the guys who "modified/patched" the Samba 44 to get details. If I got it, I will send it to you.

Many Thanks!!!


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, April 6, 2018 5:15 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.

On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation 
> I already have in the pFsense, cause YP was disabled by the pfsense 
> developers.

Yellow pages is the old name for NIS and unless it is installed it isn't used by Linux and I suspect the same goes for freebsd.

>So my doubt is: Is there a way to make samba (latest
> version) to work without the YP enabled? What about what people made  
>with that samba version 4.4.16 I mentioned? Not sure how they did  
>that. The only thing I know is that it is working fine even without  
>the YP.

I would love to know what they did, perhaps the relevant code has been accepted into Samba.

> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and 
> Win2016. It is working today with all of them.

Here is the good part, Unless you extend Windows by installing 'IDMU', it has no knowledge of NIS and you cannot install 'IDMU' on Win2016
> No problems, Here is the smb4.conf file:

and here is my version for 4.7.6, basically yours with default lines remove and the deprecated 'idmap uid & gid' lines replaced with their modern counterparts:

workgroup = SAMDOM
security = ads

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain  the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes

comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join
createupn=HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM -k Using short domain name -- SAMDOM Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   2    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   4    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   6    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   8    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  10    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM

So the required UPN is there, so all I can suggest is, give it a try.

I do not use Squid, but I know a man that does ;-)

So over to you Louis.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list