[Samba] winbind optional parameters on samba 4.10
rpenny at samba.org
Fri Feb 14 08:57:03 UTC 2020
On 14/02/2020 03:46, Sérgio Basto via samba wrote:
> I'd like do review and understand what parameters we can or should use
> in /etc/samba/smb.conf configuration almost all for winbind
> I use this smb.conf  , I'd like to know if new parameters still
> valid for Samba 4.10 and what they do .
You could always read the release notes, you can find them here:
> Thank you .
> workgroup = CORP
> realm = CORP.LOCAL
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config CORP : backend = ad
> idmap config CORP : schema_mode = rfc2307
> idmap config CORP : range = 100000-200000
> idmap config CORP : unix_nss_info = yes
> idmap config CORP : unix_primary_group = yes
> template shell = /bin/false
> template homedir = /srv/samba/users/%U
> username map = /var/lib/samba/user.map
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> 1. what is this ?
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
Having the first line in smb.conf when the computer is joined will cause
the creation of the keytab /etc/krb5.keytab.
The second uses 'secrets.tdb' first, falling back to the keytab.
> 2. and is this ?
> # Renew the kerberos tickets
> winbind refresh tickets = yes
I would have thought this was pretty obvious, it makes winbind refresh
kerberos tickets before they expire.
> winbind separator = +
Never understood why anyone sets this, I don't and it could cause problems.
> 3. what is this ?
> # Enable offline logins
> winbind offline logon = yes
Again, I would have thought this was obvious, mostly used on laptops and
allows login when a DC cannot be contacted.
> 4. This one is already defined with schema_mode = rfc2307 , we don't
> need isn't it ?
> # User uid/Gid from AD. (rfc2307)
> winbind nss info = rfc2307
No, it was replaced by 'idmap config DOMAIN : schema_mode = rfc2307'
> 5. what is this ?
> winbind trusted domains only = no
That has now been removed, this happened at 4.8.0
> 6. what is enum user ?
> # Keep no in production, set yes when debugging, this slows down your
> winbind enum users = no
> winbind enum groups = no
'enum' is short for 'enumerate' and make 'getent passwd' & 'getent
group' display all users and groups.
> 7. what change if I set 2 or 4 ?
> # Check depth of nested groups, ! slows down you samba, if to much
> groups depth
> # Samba default is 0, i suggest a minimal of 2 in this setup, advices
> is 4.
> winbind expand groups = 4
This sets the 'depth' winbind will go down to get the members of a
group. A user may not show as a member of groupA, but if the user is a
member of groupC, that is a member of groupB, that is a member of
groupA, then the user is a member of groupA.
> 8. Map acl could be set just shares that we defined ?
> map acl inherit = yes
That is your choice, but I would set it in [global]
> I have
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> hide unreadable = Yes
> inherit acls = Yes
> root preexec = /usr/local/sbin/mkhomedir.sh %U
> 9. and BTW these two are allowed ?
> preferred master = no
> domain master = no
Well, they are in my smb.conf ;-)
Of course, you could have found out all of the above, if you had read
'man smb.conf' ;-)
More information about the samba