[Samba] security = ads parameter not working in samba 4.9.5

Rowland penny rpenny at samba.org
Tue Dec 10 11:29:13 UTC 2019

On 10/12/2019 11:10, Sac Isilia wrote:
> Hi Rowland,
> Please let me know what else I can try from my side. We are stuck as 
> the server cant be joined to domain.
Sorry, I thought you had fixed this :-(

You seem to be doing everything correctly, so it should work, but 
obviously, it isn't for you.

Can I suggest you use Louis's repo: http://apt.van-belle.nl/

This will get you a more up to date Samba version and may, by itself, 
fix your problem.

Try this smb.conf:

     workgroup = SAMDOM
     security = ADS

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab

     winbind use default domain = yes
     winbind expand groups = 2
     winbind refresh tickets = Yes

     idmap config *:backend = tdb
     idmap config *:range = 3000-7999
     idmap config SAMDOM : backend = rid
     idmap config SAMDOM : range = 10000-999999
     template shell = /bin/bash
     template homedir = /home/%U

     # user Administrator workaround, without it you are unable to set 
     username map = /etc/samba/user.map

     # For ACL support on domain member
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # disable printing completely
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes

     # logging
     log level = 4

Create /etc/samba/user.map
!root = SAMDOM\Administrator

Replace 'SAMDOM' with your workgroup name and the realm name 
'SAMDOM.EXAMPLE.COM' with your realm name (which must be the dns domain 
in uppercase)

If this doesn't work, I am running out of ideas, it normally just works.


More information about the samba mailing list