[Samba] security = ads parameter not working in samba 4.9.5

Rowland penny rpenny at samba.org
Tue Dec 3 11:31:39 UTC 2019


On 03/12/2019 09:58, Sac Isilia wrote:
> Hi Rowland,
>
> The dns domain is - emea.media.global.loc  .
>
OK, it looks like you need a few changes ;-)

Remove the '127.0.1.1' line from /etc/hosts

Make /etc/resolv.conf look like this:

search emea.media.global.loc
nameserver `ipaddress of a DC'
nameserver `ipaddress of another DC'

You might have to stop NetworkManager from managing /etc/resolv.conf

Make /etc/krb5.conf look like this:

[libdefaults]
     default_realm = EMEA.MEDIA.GLOBAL.LOC
     dns_lookup_realm = false
     dns_lookup_kdc = true

Add 'winbind' to the 'passwd' and 'group' lines in /etc/nsswitch.conf

Try this smb.conf (it is based on my working one):

[global]
    workgroup = EMEA-MEDIA
    realm = EMEA.MEDIA.GLOBAL.LOC
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config EMEA-MEDIA : backend = ad
    idmap config EMEA-MEDIA : schema_mode = rfc2307
    idmap config EMEA-MEDIA : unix_nss_info = yes
    idmap config EMEA-MEDIA : range = 16777216-33554431
    #template shell = /bin/bash
    #template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    panic action = /usr/share/samba/panic-action %d

[homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %S

[printers]
    comment = All Printers
    browseable = no
    path = /var/spool/samba
    printable = yes
    create mask = 0700

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers


Create /etc/samba/user.map containing:

!root = EMEA-MEDIA\Administrator

I would also install the libpam-krb5 package

Rowland
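
A consistency check over the files this reply changes, as an added example that is not part of the original message and is not Samba code: it reports a leftover 127.0.1.1 line, a resolv.conf search list or krb5.conf default_realm that disagrees with the smb.conf realm, winbind missing from nsswitch.conf, and overlapping idmap ranges. The function names and the sample values are constructed for illustration, and the check assumes the AD DNS domain is the lower-cased realm, as it is in this thread.

```python
import re

def smb_param(smb, name):
    """Return the value of 'name = value' from smb.conf text, or None."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", smb, re.M | re.I)
    return m.group(1) if m else None

def idmap_ranges(smb):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    pat = r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {d: (int(a), int(b)) for d, a, b in re.findall(pat, smb, re.M | re.I)}

def check_member(hosts, resolv, krb5, nsswitch, smb):
    """Return a list of findings; an empty list means the files agree."""
    out = []
    realm = smb_param(smb, "realm") or ""  # assumption: DNS domain == realm.lower()
    if re.search(r"^\s*127\.0\.1\.1\b", hosts, re.M):
        out.append("hosts: 127.0.1.1 line present")
    m = re.search(r"^\s*search\s+(.+)$", resolv, re.M)
    if not m or realm.lower() not in m.group(1).lower().split():
        out.append("resolv.conf: search does not list the AD DNS domain")
    k = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5, re.M)
    if not k or k.group(1) != realm.upper():
        out.append("krb5.conf: default_realm differs from smb.conf realm")
    for db in ("passwd", "group"):
        line = re.search(rf"^\s*{db}\s*:(.*)$", nsswitch, re.M)
        if not line or "winbind" not in line.group(1).split():
            out.append(f"nsswitch.conf: winbind missing from {db}")
    if (smb_param(smb, "security") or "").lower() != "ads":
        out.append("smb.conf: security is not ADS")
    # Sort by (low, high); any range starting inside its predecessor overlaps it.
    r = sorted(idmap_ranges(smb).items(), key=lambda kv: kv[1])
    for (d1, (_, hi)), (d2, (lo, _)) in zip(r, r[1:]):
        if lo <= hi:
            out.append(f"smb.conf: idmap ranges for {d1} and {d2} overlap")
    return out

# Constructed sample: a member that still has some of the problems listed above.
SAMPLE = dict(
    hosts="127.0.0.1 localhost\n127.0.1.1 fs1\n",
    resolv="search localdomain\nnameserver 192.0.2.10\n",
    krb5="[libdefaults]\n    default_realm = EMEA.MEDIA.GLOBAL.LOC\n",
    nsswitch="passwd: files winbind\ngroup: files\n",
    smb="[global]\n realm = EMEA.MEDIA.GLOBAL.LOC\n security = ADS\n"
        " idmap config * : range = 3000-7999\n"
        " idmap config EMEA-MEDIA : range = 5000-9000\n",
)

if __name__ == "__main__":
    print("\n".join(check_member(**SAMPLE)))
```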




