[Samba] Fwd: Re: Ressources needed (cpus, ram, etc.) for a Samba server

Rowland Penny rpenny at samba.org
Wed Apr 10 15:38:12 UTC 2019


On Wed, 10 Apr 2019 12:08:55 -0300
Edouard Guigné via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
> 
> Yes, this is a Unix Domain member.
> 
> Below, my smb.conf :
> 
> [global]
>      security = ads
>      realm = IPGAD.MYDOMAIN.FR
>      workgroup = IPGAD
>      kerberos method = secrets and keytab
>      server signing = mandatory
>      client signing = mandatory
>      hosts allow = 127. 10.9.X. 10.9.X. 10.9.X. 10.9.4. 10.9.X.
>      hosts deny = 10.9.X. 10.9.X.
> 
>      log file = /var/log/samba/%m.log
>      max log size = 5000
> 
>      log level = 10
>      local master = no
>      domain master = no
>      preferred master = no
>      use sendfile = true
>      load printers = no
>      cups options = raw
>      printcap name = /dev/null
> 
>     disable spoolss = yes
> 
>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 15000-99999
> 
>      winbind nss info = rfc2307
>      idmap config IPGAD : backend = ad
>      idmap config IPGAD : schema_mode = rfc2307
>      idmap config IPGAD : range = 1-14999
>      idmap config IPGAD : unix_nss_info = yes
>      idmap config IPGAD : unix_primary_group = yes
> 
>      client min protocol = SMB2

I have removed all the default lines, but just a couple of questions
about [global]:

Why have you set the log level to 10? This will swamp your logfile.
Is there some reason why you have started the 'IPGAD' range at '1'?
The normal practice is at '10000'. Also, using '1' means that you
should move everything from /etc/passwd and /etc/group into AD, or to
put it another way, this is a stupid range.
You are also using the winbind 'ad' backend, so have you added
anything to AD?
Have you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_ad

> 
> #[myshare]
> [groups]
>    comment = jaguar2
>    path = /var/datashared
>    public = no
>    writable = yes
>    guest ok = no

Interesting fact: 'public' is a synonym for 'guest ok', so you don't
need both and the default for 'guest ok' is 'no', so you don't really
need either.

Rowland
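
The range problem raised in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of Samba: it parses the `idmap config ... : range` lines and reports ranges that overlap each other or that cover UIDs already present in /etc/passwd. The sample smb.conf and passwd lines are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the idmap lines of the [global] section quoted above.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 15000-99999
    idmap config IPGAD : backend = ad
    idmap config IPGAD : range = 1-14999
"""
# Constructed /etc/passwd lines (name:password:uid:gid:...).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
edouard:x:1000:1000::/home/edouard:/bin/bash
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    out = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            out[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return out

def local_ids(passwd):
    """Return {name: uid} from passwd-format text, skipping malformed lines."""
    ids = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0]] = int(fields[2])
    return ids

def audit(conf, passwd):
    """List findings: ranges that overlap each other or cover local UIDs."""
    ranges, users, findings = idmap_ranges(conf), local_ids(passwd), []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        lo, hi = ranges[a]
        for b in doms[i + 1:]:
            if lo <= ranges[b][1] and ranges[b][0] <= hi:
                findings.append(f"ranges for {a} and {b} overlap")
        hits = sorted(n for n, uid in users.items() if lo <= uid <= hi)
        if hits:
            findings.append(f"{a} range {lo}-{hi} covers local users: {', '.join(hits)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, PASSWD)) or "no findings")
```

The same comparison applies to GIDs from /etc/group; only UIDs are checked here to keep the example short.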