[Samba] testparm comparison
Rowland Penny
rpenny at samba.org
Mon Sep 23 09:54:10 UTC 2019
On 23/09/2019 10:22, Trenta sis via samba wrote:
> Hi,
>
> I have used testparm.
I would suggest you only use 'samba-tool testparm' on a DC.
>
> smb.conf from dc1 4.4.5
> # Global parameters
> [global]
>
> bind interfaces only = Yes
> interfaces = lo eth0 eth0:0
> netbios name = server1
> realm = DOMAIN.COM
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> comment =
>
> winbind enum users = yes
> winbind enum groups = yes
>
> tls enabled = yes
> tls keyfile = tls/server1.pem.key
> tls certfile = tls/server1.pem.crt
> tls cafile = tls/ca.pem.crt
> tls verify peer = ca_and_name
> ldap server require strong auth = no
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
Apart from the 'comment' and 'winbind enum' lines (hint, remove them),
nothing wrong there.
> smb.conf dc2 4.10.7
> # Global parameters
> [global]
> bind interfaces only = Yes
> interfaces = lo eth0 eth0:0
> netbios name = server2
> realm = DOMAIN.COM
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> idmap_ldb:use rfc2307 = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> tls enabled = yes
> tls keyfile = tls/server2.pem.key
> tls certfile = tls/server2.pem.crt
> tls cafile = tls/ca.pem.crt
> tls verify peer = ca_and_name
>
> ldap server require strong auth = no
>
> # tmp lan
> ntlm auth = yes
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> It seems that samba-tool testparm doesn't show
> map readonly = no
> store dos attributes = Yes
>
> Our actual config is good?
Yes, apart from the 'winbind enum' lines and do you really need the
'ntlm auth = yes' line?
> Next step is demote and rejoin 4.4.5, and then I'll suspect that these
> attributes will be removed with 4.10.7, but not sure if this can have
> any impact to our infrastructure
>
It will have no impact, at least one of the parameters is now the
default and has been removed as a settable parameter.
Rowland
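
The comparison discussed in this thread can be done mechanically. The following is an added example, not part of the original message and not Samba code: it parses two smb.conf texts, normalises parameter names and yes/no spellings, and reports what differs in [global] plus any parameter the reply above questions. The function names and the sample inputs (a constructed subset of the two quoted files, with one backslash continuation added) are assumptions.

```python
import re

# Parameters the reply above questions (remove them, or "do you really need" it).
QUESTIONED = {"comment", "winbind enum users", "winbind enum groups", "ntlm auth"}
_BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}

def parse_smb_conf(text):
    """Return {section: {param: value}}, names lowercased, spacing collapsed."""
    conf, section = {}, None
    # Join backslash-continued lines before splitting into lines.
    for line in re.sub(r"\\\n[ \t]*", " ", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, _, value = line.partition("=")
            name = " ".join(name.lower().split())
            value = " ".join(value.split())
            # Simplification: yes/true and no/false spellings compare equal.
            conf[section][name] = _BOOL.get(value.lower(), value)
    return conf

def compare(a_text, b_text, section="global"):
    """Return (only_in_a, only_in_b, differing, questioned) for one section."""
    a = parse_smb_conf(a_text).get(section, {})
    b = parse_smb_conf(b_text).get(section, {})
    differing = {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    questioned = sorted((a.keys() | b.keys()) & QUESTIONED)
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), differing, questioned

# Constructed input: a subset of the two [global] sections quoted above.
DC1 = r"""[global]
    netbios name = server1
    server services = s3fs, rpc, nbt, \
        wrepl, ldap
    idmap_ldb:use rfc2307 = yes
    comment =
    winbind enum users = yes
"""
DC2 = """[global]
    netbios name = server2
    server services = s3fs, rpc, nbt, wrepl, ldap
    idmap_ldb:use rfc2307 = Yes
    winbind enum users = yes
    ntlm auth = yes
"""
```

This compares only parameters set explicitly in the files; values left at their defaults, which differ between Samba versions, do not appear.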