[Samba] security = ads parameter not working in samba 4.9.5
Rowland penny
rpenny at samba.org
Thu Nov 28 10:21:55 UTC 2019
On 27/11/2019 23:57, Sérgio Basto wrote:
> Thank you for the warning :) [1], I'm fighting the same problem but I
> have a different configuration that I never told you about before: I'm
> running my CentOS 7 packages (very similar to other fellows') [2] where
> DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
> BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).
First things first, remove sssd; it is not supported with Samba.
Next, stop NetworkManager from altering /etc/resolv.conf.
Make /etc/hosts look like this:
127.0.0.1 localhost
::1 localhost
172.27.28.1 ccdc1.corp.local
Just change the DC's info to match the DC it is on.
/etc/resolv.conf should look like this:
search corp.local
nameserver 172.27.2.1
Again match the IP to the DC.
Remove these lines from smb.conf:
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
You are breaking Samba by having them.
Make /etc/named.conf look like this:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    notify no;
    empty-zones-enable no;
    allow-query { any; };
    allow-query-cache { any; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
    dnssec-validation no;
    dnssec-enable no;
    dnssec-lookaside no;
    listen-on port 53 { 172.27.28.1; 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";
The howto you ultimately linked to tells you to open ports 1024:5000 in
the firewall; this is now incorrect, you need to open ports 49152-65535.
> REPO server is Domain_Member [3] with Idmap_config_ad, of DOMAIN corp,
> and I'm testing with SambaAD-4.10.9 or 10.
>
> What else ?
> getent passwd and getent group just work with the previous configuration
> and stop when I set the workgroup in idmap, as you wrote "it MUST be
> workgroup not realm".
>
>
> Notes on script:
> CentOS 7 DNS configuration is in /etc/named.conf, not in
> /etc/bind/named.conf; I had to hack the script a little, and for dpkg -l
> I replaced it with rpm -qa.
>
>
> [1]
> https://paste.centos.org/view/8d205024
> https://paste.centos.org/view/bba5f6c4
>
> [2]
> https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
>
> [3]
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
Fix your DCs and see how you go on ;-)
Rowland
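As an added example (not code from this thread or from the Samba project), a small POSIX shell lint that checks a DC's copies of /etc/hosts, /etc/resolv.conf, smb.conf and named.conf against the points Rowland raises above; the DC IP, FQDN and file paths are parameters, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Samba AD DC's local files against the
# points raised above. Paths, DC IP and FQDN are parameters; the sample files
# written by write_samples are constructed here, not copied from any real host.

# check_dc_config HOSTS RESOLV SMBCONF NAMEDCONF DC_IP DC_FQDN
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
check_dc_config() {
    hosts=$1 resolv=$2 smb=$3 named=$4 ip=$5 fqdn=$6 rc=0
    # /etc/hosts: the DC's own IP maps to its FQDN; the FQDN must not sit on 127.0.0.1
    grep -Eq "^[[:space:]]*$ip[[:space:]]+$fqdn([[:space:]]|$)" "$hosts" \
        || { echo "hosts: $fqdn is not mapped to $ip"; rc=1; }
    grep -Eq "^[[:space:]]*127\.0\.0\.1[[:space:]].*$fqdn" "$hosts" \
        && { echo "hosts: $fqdn must not be on the 127.0.0.1 line"; rc=1; }
    # /etc/resolv.conf: a DC resolves through its own AD DNS, not an outside server
    grep -Eq "^nameserver[[:space:]]+$ip[[:space:]]*$" "$resolv" \
        || { echo "resolv.conf: nameserver is not $ip"; rc=1; }
    # smb.conf: these lines break a DC and must be removed
    for opt in 'vfs objects' 'map acl inherit' 'store dos attributes'; do
        grep -Eiq "^[[:space:]]*$opt[[:space:]]*=" "$smb" \
            && { echo "smb.conf: remove '$opt'"; rc=1; }
    done
    # named.conf: BIND9_DLZ needs the Samba DNS keytab and the generated include
    grep -q 'tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"' "$named" \
        || { echo "named.conf: tkey-gssapi-keytab is missing"; rc=1; }
    grep -q 'include "/var/lib/samba/bind-dns/named.conf"' "$named" \
        || { echo "named.conf: Samba bind-dns include is missing"; rc=1; }
    return $rc
}

# write_samples DIR: constructed good/bad copies of the four files for a DC
# at 172.27.28.1 named ccdc1.corp.local (the values used in the thread).
write_samples() {
    d=$1
    printf '127.0.0.1 localhost\n::1 localhost\n172.27.28.1 ccdc1.corp.local\n' >"$d/hosts.good"
    printf '127.0.0.1 localhost ccdc1.corp.local\n' >"$d/hosts.bad"
    printf 'search corp.local\nnameserver 172.27.28.1\n' >"$d/resolv.good"
    printf 'search corp.local\nnameserver 8.8.8.8\n' >"$d/resolv.bad"
    printf '[global]\n\tserver role = active directory domain controller\n' >"$d/smb.good"
    printf '[global]\n\tvfs objects = acl_xattr\n\tmap acl inherit = yes\n' >"$d/smb.bad"
    printf 'options {\n\ttkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n' >"$d/named.good"
    printf 'include "/var/lib/samba/bind-dns/named.conf";\n' >>"$d/named.good"
    printf 'options {\n\tdnssec-enable no;\n};\n' >"$d/named.bad"
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_dc_config "$tmp/hosts.bad" "$tmp/resolv.bad" "$tmp/smb.bad" "$tmp/named.bad" \
    172.27.28.1 ccdc1.corp.local || echo "bad sample: problems found, as expected"
rm -rf "$tmp"
```

Run it against the real files on a DC by passing /etc/hosts, /etc/resolv.conf, /etc/samba/smb.conf and /etc/named.conf with that DC's own IP and FQDN.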