[Samba] Question: Samba and YP-Yellow Pages relation.

Suporte - KONTROL suporte at kontrolsecurity.com.br
Fri Apr 6 13:57:31 UTC 2018


Hi Rowland,
That looks GREAT!
I will give it a try for sure and let you know.

I am trying to talk to the guys who "modified/patched" the Samba 44 to get details. If I got it, I will send it to you.

Many Thanks!!!

Fabricio.


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, April 6, 2018 5:15 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.

On Thu, 5 Apr 2018 18:57:03 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation 
> I already have in the pFsense, cause YP was disabled by the pfsense 
> developers.

Yellow Pages is the old name for NIS; unless it is installed, it isn't used by Linux, and I suspect the same goes for FreeBSD.

> So my doubt is: Is there a way to make samba (latest
> version) to work without the YP enabled? What about what people made
> with that samba version 4.4.16 I mentioned? Not sure how they did
> that. The only thing I know is that it is working fine even without
> the YP.

I would love to know what they did, perhaps the relevant code has been accepted into Samba.

> 
> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and 
> Win2016. It is working today with all of them.
>

Here is the good part: unless you extend Windows by installing 'IDMU', it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.
  
> No problems, Here is the smb4.conf file:

and here is my version for 4.7.6, basically yours with the default lines removed and the deprecated 'idmap uid & gid' lines replaced with their modern counterparts:

[global]
workgroup = SAMDOM
security = ads
realm  = SAMDOM.EXAMPLE.COM

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain  the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
Using short domain name -- SAMDOM
Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   4    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   6    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   8    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  10    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  11    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  12    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  13    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  14    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  15    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM

So the required UPN is there; all I can suggest is to give it a try.

I do not use Squid, but I know a man that does ;-)

So over to you Louis.

Rowland





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
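Two checks come up in the configuration and keytab listing quoted above: the idmap ranges for '*' and the domain must not overlap, and the keytab written by 'net ads join' must actually contain the HTTP/ UPN that a Kerberos-authenticating service needs. The script below is an added example, not code from the thread or from the Samba project. It parses the smb.conf 'idmap config ... : range' lines and the MIT ktutil 'l' table format shown in the thread; the embedded SMB_CONF and KTUTIL_LISTING strings are constructed copies of that material. On a real host you would feed it the output of 'testparm -s' and of 'ktutil' instead (the ktutil listing is assumed to be MIT's three-column 'slot KVNO Principal' layout).

```python
import re

# Constructed sample input: the idmap part of the smb.conf quoted in the thread.
SMB_CONF = """\
[global]
workgroup = SAMDOM
security = ads
realm  = SAMDOM.EXAMPLE.COM
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain  the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Constructed sample input: a shortened copy of the 'ktutil: l' table from the thread.
KTUTIL_LISTING = """\
slot KVNO Principal
---- ---- ----------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2      host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  11    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
"""

# Matches 'idmap config <domain> : range = <low>-<high>'; smb.conf tolerates
# whitespace around the colon, so the regex does too.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line in conf_text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return the (domain_a, domain_b) pairs whose ID ranges intersect.

    Overlapping ranges let two different SIDs map to one Unix ID, so an
    empty list is the expected result for a sane configuration.
    """
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                bad.append((a, b))
    return bad


def keytab_principals(listing):
    """Parse the MIT 'ktutil: l' table into a list of (kvno, principal)."""
    out = []
    for line in listing.splitlines():
        parts = line.split()
        # Data rows are exactly: slot-number, KVNO, principal.
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            out.append((int(parts[1]), parts[2]))
    return out


def has_principal(listing, principal):
    """True if the keytab listing contains the exact principal name."""
    return any(p == principal for _, p in keytab_principals(listing))


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("idmap ranges:", ranges)
    print("overlapping:", overlapping_ranges(ranges) or "none")
    upn = "HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM"
    print("HTTP UPN present in keytab:", has_principal(KTUTIL_LISTING, upn))
```

The overlap check compares closed intervals, so a '*' range ending at 9999 and a domain range starting at 10000 pass, while ranges that share even one ID are reported. The keytab check demands an exact principal match, which is the comparison a service doing Kerberos authentication effectively performs; a principal with the wrong realm or host name would not be accepted.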
