[Samba] testparm comparison

Rowland Penny rpenny at samba.org
Mon Sep 23 09:54:10 UTC 2019


On 23/09/2019 10:22, Trenta sis via samba wrote:
> Hi,
>
> I have used testparm.
I would suggest you only use 'samba-tool testparm' on a DC.
>
> smb.conf from dc1 4.4.5
> # Global parameters
> [global]
>
>          bind interfaces only = Yes
>          interfaces = lo eth0 eth0:0
>          netbios name = server1
>          realm = DOMAIN.COM
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = DOMAIN
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>          comment =
>
>          winbind enum users = yes
>          winbind enum groups = yes
>
>          tls enabled = yes
>          tls keyfile = tls/server1.pem.key
>          tls certfile = tls/server1.pem.crt
>          tls cafile = tls/ca.pem.crt
>          tls verify peer = ca_and_name
>          ldap server require strong auth = no
>
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
Apart from the 'comment' and 'winbind enum' lines (hint, remove them), 
nothing wrong there.
> smb.conf dc2 4.10.7
> # Global parameters
> [global]
>          bind interfaces only = Yes
>          interfaces = lo eth0 eth0:0
>          netbios name = server2
>          realm = DOMAIN.COM
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>          workgroup = DOMAIN
>          idmap_ldb:use rfc2307  = yes
>
>          winbind enum users = yes
>          winbind enum groups = yes
>
>          tls enabled = yes
>          tls keyfile = tls/server2.pem.key
>          tls certfile = tls/server2.pem.crt
>          tls cafile = tls/ca.pem.crt
>          tls verify peer = ca_and_name
>
>          ldap server require strong auth = no
>
>         # tmp lan
>         ntlm auth = yes
>
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> It seems that samba-tool testparm doesn't show
>          map readonly = no
>          store dos attributes = Yes
>
> Is our actual config good?
Yes, apart from the 'winbind enum' lines, and do you really need the 
'ntlm auth = yes' line?
> Next step is to demote and rejoin 4.4.5, and then I suspect that these
> attributes will be removed with 4.10.7, but I'm not sure if this can have
> any impact on our infrastructure
>
It will have no impact; at least one of the parameters is now the 
default and has been removed as a settable parameter.

Rowland
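
Added example (not part of the original message or of Samba): a Python sketch that diffs the [global] sections of two smb.conf files, as this thread does by eye, and lists the parameters the reply questions. The sample configs are constructed, trimmed from the two posted above; the function names and the FLAGGED table are hypothetical.

```python
import re

BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}

# Parameters the reply in this thread questions (assumption: list taken from this thread only).
FLAGGED = {
    "comment": "reply suggests removing it",
    "winbind enum users": "reply suggests removing it",
    "winbind enum groups": "reply suggests removing it",
    "ntlm auth": "reply asks whether it is really needed",
}

def parse_global(text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            name = " ".join(name.lower().split())   # fold case and runs of spaces
            value = value.strip()
            params[name] = BOOL.get(value.lower(), value)  # Yes/yes/true compare equal
    return params

def compare(conf_a, conf_b):
    """Return (differences, flagged parameters) for two smb.conf texts."""
    a, b = parse_global(conf_a), parse_global(conf_b)
    names = sorted(a.keys() | b.keys())
    diffs = {k: (a.get(k), b.get(k)) for k in names if a.get(k) != b.get(k)}
    flagged = {k: FLAGGED[k] for k in names if k in FLAGGED}
    return diffs, flagged

# Constructed sample input, trimmed from the dc1 and dc2 configs quoted in this thread.
DC1 = "[global]\n netbios name = server1\n idmap_ldb:use rfc2307 = yes\n comment =\n winbind enum users = yes\n tls keyfile = tls/server1.pem.key\n[netlogon]\n read only = No\n"
DC2 = "[global]\n netbios name = server2\n idmap_ldb:use rfc2307  = yes\n winbind enum users = Yes\n tls keyfile = tls/server2.pem.key\n # tmp lan\n ntlm auth = yes\n"

if __name__ == "__main__":
    diffs, flagged = compare(DC1, DC2)
    for name, (v1, v2) in diffs.items():
        print(f"differs: {name}: dc1={v1!r} dc2={v2!r}")
    for name, why in flagged.items():
        print(f"review:  {name}: {why}")
```

Per-host values such as `netbios name` and the TLS key path are expected to differ between DCs; the differences worth reading are the ones that are not host-specific.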




