[Samba] Fwd: Re: Kerberos and NTLMv2 authentication

Rowland penny rpenny at samba.org
Mon Jun 17 13:12:56 UTC 2019


On 17/06/2019 13:42, Edouard Guigné via samba wrote:
> Hello,
>
> Please find here the content of my smb.conf:
>
> [global]
>         security = ads
>         realm = MYDOMAIN.LOCAL
>         workgroup = MYDOMAIN
>         kerberos method = secrets and keytab
>         server signing = mandatory
>         client signing = mandatory
>
>         hosts allow = 127. 10.X.X.
>         hosts deny = 10.X.X.
>
>         log level = 1 auth_audit:3
>         local master = no
>         domain master = no
>         preferred master = no
>
>         use sendfile = true
>
>         load printers = no
>         cups options = raw
>         printcap name = /dev/null
>
>         disable spoolss = yes
>
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>
>         idmap config * : backend = tdb
>         idmap config * : range = 15000-99999
>
>         winbind nss info = rfc2307
>         idmap config MYDOMAIN : backend = ad
>         idmap config MYDOMAIN : schema_mode = rfc2307
>         idmap config MYDOMAIN : range = 10000-14999
>         idmap config MYDOMAIN : unix_nss_info = yes
>         idmap config MYDOMAIN : unix_primary_group = yes
>
>         client min protocol = SMB2
>
>         username map = /etc/samba/user.map
>
> [groups]
>         comment = mycomment
>         path = /var/datashared
>         public = no
>         writable = yes
>         valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
>         vfs objects = acl_xattr streams_xattr
>
> [homes]
>         comment = Home Directories
>         read only = No
>         create mask = 0700
>         directory mask = 0700
>         valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
>         path = /home
>         hide files = /~*.tmp/profile/desktop.ini/~$*/
>         browseable = no
>         public = no
>         guest ok = no
>
> [printers]
>         comment = All Printers
>         path = /var/tmp
>         printable = Yes
>         create mask = 0600
>         browseable = No
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/drivers
>         write list = root
>         create mask = 0664
>         directory mask = 0775
>
Provided you have added uidNumbers to your users and (at least) a
gidNumber to Domain Users, that smb.conf has nothing major wrong.

> And the content of my /etc/nsswitch.conf:
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files sss
>
> netgroup:   files sss
>
> publickey:  nisplus
>
> automount:  files
> aliases:    files nisplus

Your nsswitch.conf is a different matter: you either do not have the
passwd, group and shadow lines or you have chosen not to show them.

Rowland
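
The check that the last remark above implies, as an added example that is not part of the original message or of Samba: it reports whether the passwd, group and shadow databases are present in an nsswitch.conf and whether passwd and group list winbind. It assumes the domain member resolves AD users through winbind, as the idmap settings in the quoted smb.conf suggest; the function names and the second sample file are constructed for illustration.

```shell
# Added example, not from the thread: check the NSS databases that a
# winbind-based domain member depends on.
# Print the sources listed for database $2 in file $1 (nothing if absent).
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                  # strip comments
        $1 == (db ":") { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# One finding per database: "<db>: missing", "<db>: no winbind" or "<db>: ok".
# Assumption: passwd and group must list winbind; shadow only has to exist.
check_nss() {
    for db in passwd group shadow; do
        src=$(nss_sources "$1" "$db")
        if [ -z "$src" ]; then
            echo "$db: missing"
        elif [ "$db" = shadow ]; then
            echo "$db: ok"
        else
            case " $src " in
                *" winbind "*) echo "$db: ok" ;;
                *)             echo "$db: no winbind" ;;
            esac
        fi
    done
}

# Some of the nsswitch.conf lines quoted in the message above (abridged).
posted_conf() {
    cat <<'EOF'
services:   files sss
netgroup:   files sss
automount:  files
aliases:    files nisplus
EOF
}

# Constructed sample: the same file with the three databases added.
fixed_conf() {
    posted_conf
    printf '%s\n' 'passwd: files winbind' 'group:  files winbind' 'shadow: files'
}

tmp=$(mktemp)
posted_conf > "$tmp"; check_nss "$tmp"   # all three reported missing
fixed_conf  > "$tmp"; check_nss "$tmp"   # all three reported ok
rm -f "$tmp"
```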





