[Samba] security = ads parameter not working in samba 4.9.5
Rowland Penny
rpenny at samba.org
Fri Nov 29 17:19:58 UTC 2019
Let's start by removing this: krb5-server-1.15.1-37.el7_7.2.x86_64
And if it is installed on the DCs, remove it from them as well.

Not sure if I asked this, but where did you get the Samba packages from?

Can I also point out that when I ask for the output of the script in a post
here, I mean here, not somewhere on the internet that can and will
disappear. If needed, I can then review the output easily; I cannot if
it has disappeared. So, to make sure it doesn't disappear, here is your
latest output:
Collected config --- 2019-11-29-16:51 -----------
Hostname: estagiov2
DNS Domain: corp.local
FQDN: estagiov2.corp.local
ipaddress: 172.27.2.56
-----------
Kerberos SRV _kerberos._tcp.corp.local record verified ok, sample output:
Server: 172.27.28.1
Address: 172.27.28.1#53
_kerberos._tcp.corp.local service = 0 100 88 aldc3.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc1.corp.local.
_kerberos._tcp.corp.local service = 0 100 88 ccdc2.corp.local.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
-----------
This computer is running an unknown distribution x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9c:25:86 brd ff:ff:ff:ff:ff:ff
inet 172.27.2.56/22 brd 172.27.3.255 scope global noprefixroute ens160
inet6 fe80::bbc2:13a4:154:7fb8/64 scope link noprefixroute
-----------
Checking file: /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.27.2.56 estagiov2.corp.local estagiov2
-----------
Checking file: /etc/resolv.conf
# Generated by NetworkManager
search corp.local
nameserver 172.27.28.1
nameserver 172.27.2.5
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = CORP.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
#passwd: files winbind sss
#shadow: files sss
#group: files winbind sss
passwd: files winbind
shadow: files
group: files winbind
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns myhostname
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
-----------
Checking file: /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
#netbios name = ESTAGIOV2
workgroup = CORP
realm = CORP.LOCAL
security = ADS
log file = /var/log/samba/%m.log
log level = 9
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config CORP:backend = ad
idmap config CORP:schema_mode = rfc2307
idmap config CORP:range = 10000-999999
idmap config CORP:unix_nss_info = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
username map = /var/lib/samba/user.map
# printing = cups
# printcap name = cups
# load printers = yes
# cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
[]
path = /srv/samba//
read only = no
-----------
Running as Unix domain member and user.map detected.
Contents of /var/lib/samba/user.map
!root = CORP\Administrator CORP\administrator
Server Role is set to : auto
-----------
Installed packages:
samba-common-tools-4.10.10-2.el7.x86_64
samba-dc-libs-4.10.10-2.el7.x86_64
samba-dc-bind-dlz-4.10.10-2.el7.x86_64
samba-python-test-4.10.10-2.el7.x86_64
pyxattr-0.5.1-5.el7.x86_64
krb5-workstation-1.15.1-37.el7_7.2.x86_64
samba-python-4.10.10-2.el7.x86_64
samba-client-4.10.10-2.el7.x86_64
samba-4.10.10-2.el7.x86_64
samba-dc-4.10.10-2.el7.x86_64
samba-test-4.10.10-2.el7.x86_64
samba-winbind-krb5-locator-4.10.10-2.el7.x86_64
samba-winbind-clients-4.10.10-2.el7.x86_64
samba-pidl-4.10.10-2.el7.noarch
krb5-server-1.15.1-37.el7_7.2.x86_64
samba-winbind-modules-4.10.10-2.el7.x86_64
samba-common-libs-4.10.10-2.el7.x86_64
samba-python-dc-4.10.10-2.el7.x86_64
libsmbclient-4.10.10-2.el7.x86_64
libacl-2.2.51-14.el7.x86_64
samba-libs-4.10.10-2.el7.x86_64
samba-test-libs-4.10.10-2.el7.x86_64
samba-krb5-printing-4.10.10-2.el7.x86_64
libattr-2.4.46-13.el7.x86_64
krb5-libs-1.15.1-37.el7_7.2.x86_64
acl-2.2.51-14.el7.x86_64
samba-common-4.10.10-2.el7.noarch
samba-client-libs-4.10.10-2.el7.x86_64
samba-winbind-4.10.10-2.el7.x86_64
-----------
Rowland