[Samba] security = ads parameter not working in samba 4.9.5
Rowland penny
rpenny at samba.org
Tue Dec 3 11:31:39 UTC 2019
On 03/12/2019 09:58, Sac Isilia wrote:
> Hi Rowland,
>
> The dns domain is - emea.media.global.loc .
>
OK, it looks like you need a few changes ;-)

Remove the '127.0.1.1' line from /etc/hosts

Make /etc/resolv.conf look like this:

    search emea.media.global.loc
    nameserver `ipaddress of a DC'
    nameserver `ipaddress of another DC'

You might have to stop Network manager from managing /etc/resolv.conf

Make /etc/krb5.conf look like this:

    [libdefaults]
        default_realm = EMEA.MEDIA.GLOBAL.LOC
        dns_lookup_realm = false
        dns_lookup_kdc = true

Add 'winbind' to the 'passwd' and 'group' lines in /etc/nsswitch.conf

Try this smb.conf (it is based on my working one):

    [global]
        workgroup = EMEA-MEDIA
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS

        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        winbind use default domain = yes
        winbind expand groups = 2
        winbind refresh tickets = Yes

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EMEA-MEDIA : backend = ad
        idmap config EMEA-MEDIA : schema_mode = rfc2307
        idmap config EMEA-MEDIA : unix_nss_info = yes
        idmap config EMEA-MEDIA : range = 16777216-33554431
        #template shell = /bin/bash
        #template homedir = /home/%U

        domain master = no
        local master = no
        preferred master = no

        # user Administrator workaround, without it you are unable to set privileges
        username map = /etc/samba/user.map

        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

        log file = /var/log/samba/log.%m
        max log size = 1000
        logging = file
        panic action = /usr/share/samba/panic-action %d

    [homes]
        comment = Home Directories
        browseable = no
        read only = no
        create mask = 0700
        directory mask = 0700
        valid users = %S

    [printers]
        comment = All Printers
        browseable = no
        path = /var/spool/samba
        printable = yes
        create mask = 0700

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

Create /etc/samba/user.map containing:

    !root = EMEA-MEDIA\Administrator

I would also install the libpam-krb5 package

Rowland
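
The following is an added example, not part of the message above or of Samba's own tooling: a shell function that audits the files the reply says to edit (/etc/hosts, resolv.conf, krb5.conf, nsswitch.conf, smb.conf and the username map). The function names, the ROOT prefix argument, the loopback-nameserver check and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the ROOT prefix are assumptions, not Samba tools.
# ROOT lets the checks run against a copy of /etc instead of the live system.

conf_value() {   # print the value of the last "KEY = value" line in FILE
    awk -F= -v k="$2" '{ key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); out = v }
        END { print out }' "$1"
}

has_word() {     # usage: has_word FILE KEY WORD (KEY is the first field of a line)
    awk -v k="$2" -v w="$3" '$1 == k { for (i = 2; i <= NF; i++) if ($i == w) ok = 1 }
        END { exit !ok }' "$1"
}

fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }

check_member_config() {   # usage: check_member_config ROOT DNS_DOMAIN
    etc=$1/etc; domain=$2; FAILS=0
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    grep -Eq '^[[:space:]]*127\.0\.1\.1[[:space:]]' "$etc/hosts" &&
        fail "hosts: 127.0.1.1 line still present"
    has_word "$etc/resolv.conf" search "$domain" ||
        fail "resolv.conf: search list lacks $domain"
    awk '$1 == "nameserver" && $2 !~ /^127\./ { ok = 1 } END { exit !ok }' "$etc/resolv.conf" ||
        fail "resolv.conf: no non-loopback nameserver (should be the DCs)"
    [ "$(conf_value "$etc/krb5.conf" default_realm)" = "$realm" ] ||
        fail "krb5.conf: default_realm is not $realm"
    [ "$(conf_value "$etc/krb5.conf" dns_lookup_kdc)" = true ] ||
        fail "krb5.conf: dns_lookup_kdc is not true"
    for db in passwd: group:; do
        has_word "$etc/nsswitch.conf" "$db" winbind ||
            fail "nsswitch.conf: winbind missing from $db"
    done
    [ "$(conf_value "$etc/samba/smb.conf" realm)" = "$realm" ] ||
        fail "smb.conf: realm does not match $realm"
    map=$(conf_value "$etc/samba/smb.conf" "username map")
    [ -n "$map" ] && [ ! -f "$1$map" ] && fail "smb.conf: username map $map not found"
    [ "$FAILS" -eq 0 ]
}

# Constructed sample tree showing a host before the changes were made.
demo=$(mktemp -d); mkdir -p "$demo/etc/samba"
printf '127.0.0.1 localhost\n127.0.1.1 member1\n' > "$demo/etc/hosts"
printf 'search emea.media.global.loc\nnameserver 127.0.0.53\n' > "$demo/etc/resolv.conf"
printf '[libdefaults]\n default_realm = EMEA.MEDIA.GLOBAL.LOC\n dns_lookup_kdc = true\n' > "$demo/etc/krb5.conf"
printf 'passwd: files systemd\ngroup: files winbind\n' > "$demo/etc/nsswitch.conf"
printf '[global]\n realm = EMEA.MEDIA.GLOBAL.LOC\n username map = /etc/samba/user.map\n' > "$demo/etc/samba/smb.conf"
check_member_config "$demo" emea.media.global.loc || echo "$FAILS problem(s) found"
rm -rf "$demo"
```

On a real member server, call `check_member_config "" emea.media.global.loc` so that the paths resolve to the live /etc.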