[Samba] winbind optional parameters on samba 4.10

Rowland penny rpenny at samba.org
Fri Feb 14 08:57:03 UTC 2020


On 14/02/2020 03:46, Sérgio Basto via samba wrote:
> Hi,
> I'd like to review and understand what parameters we can or should use
> in /etc/samba/smb.conf configuration, almost all for winbind.
> I use this smb.conf [1]; I'd like to know if the new parameters are still
> valid for Samba 4.10 and what they do.

You could always read the release notes, you can find them here:

https://wiki.samba.org/index.php/Samba_Features_added/changed_(by_release)

>
> Thank you .
>
> [1]
>      workgroup = CORP
>      realm = CORP.LOCAL
>      winbind use default domain = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config CORP : backend = ad
>      idmap config CORP : schema_mode = rfc2307
>      idmap config CORP : range = 100000-200000
>      idmap config CORP : unix_nss_info = yes
>      idmap config CORP : unix_primary_group = yes
>      template shell = /bin/false
>      template homedir = /srv/samba/users/%U
>      username map = /var/lib/samba/user.map
>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
>
> 1.  what is this ?
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab

Having the first line in smb.conf when the computer is joined will cause 
the creation of the keytab /etc/krb5.keytab.

The second uses 'secrets.tdb' first, falling back to the keytab.

>
> 2. And what is this?
> # Renew the kerberos tickets
> winbind refresh tickets = yes
I would have thought this was pretty obvious; it makes winbind refresh 
Kerberos tickets before they expire.
> winbind separator = +
Never understood why anyone sets this, I don't and it could cause problems.
>
> 3. what is this ?
> # Enable offline logins
> winbind offline logon = yes
Again, I would have thought this was obvious: it is mostly used on laptops and 
allows login when a DC cannot be contacted.
>
> 4. This one is already defined with schema_mode = rfc2307, so we don't
> need it, do we?
> # User uid/Gid from AD. (rfc2307)
> winbind nss info = rfc2307
No, it was replaced by 'idmap config DOMAIN : schema_mode = rfc2307'
>
> 5. what is this ?
> winbind trusted domains only = no
That has now been removed; this happened in 4.8.0.
>
> 6. what is enum user ?
> # Keep 'no' in production; set 'yes' only when debugging, as this slows down
> # your Samba.
> winbind enum users  = no
> winbind enum groups = no
'enum' is short for 'enumerate' and makes 'getent passwd' & 'getent 
group' display all users and groups.
>
> 7. What changes if I set 2 or 4?
> # Check depth of nested groups. This slows down your Samba if the group
> # depth is too high.
> # Samba's default is 0; I suggest a minimum of 2 in this setup, the
> # advice is 4.
> winbind expand groups = 4

This sets the 'depth' winbind will go down to get the members of a 
group. A user may not show as a member of groupA, but if the user is a 
member of groupC, that is a member of groupB, that is a member of 
groupA, then the user is a member of groupA.


>
>
> 8. Could map acl be set just on the shares that we defined?
>      map acl inherit = yes
That is your choice, but I would set it in [global]
>
> I have
> [homes]
>      comment = Home Directories
>      valid users = %S, %D%w%S
>      browseable = No
>      read only = No
>      hide unreadable = Yes
>      inherit acls = Yes
>      root preexec = /usr/local/sbin/mkhomedir.sh %U
>
> 9. And BTW, are these two allowed?
>      preferred master = no
>      domain master = no
>
Well, they are in my smb.conf ;-)

Of course, you could have found out all of the above, if you had read 
'man smb.conf' ;-)

Rowland
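The thread turns on which of the quoted winbind parameters are still meaningful and whether the idmap configuration is sane. As an added example (not part of the original post, and not Samba's own code), the script below parses smb.conf syntax and lints the [global] section for the points raised in the reply: 'winbind trusted domains only' (removed in 4.8.0), 'winbind nss info' (replaced by 'idmap config DOMAIN : schema_mode'), and 'winbind enum users/groups = yes' (slow in production). It also checks that every 'idmap config DOMAIN : backend' has a range and that no two idmap ranges overlap, which Samba requires but the thread does not discuss. The sample smb.conf is constructed from the config quoted in the thread plus the parameters the poster asked about; the REMOVED/SUPERSEDED tables are this example's own summary of the reply, and `testparm` remains the authoritative check.

```python
import re

# Summary of the reply in this thread (this example's own table, not Samba's).
REMOVED = {
    "winbind trusted domains only": "removed in Samba 4.8.0",
}
SUPERSEDED = {
    "winbind nss info": "replaced by 'idmap config DOMAIN : schema_mode = rfc2307' "
                        "for the ad backend",
}
NOISY = ("winbind enum users", "winbind enum groups")  # 'yes' enumerates everything


def norm_key(key):
    """Parameter names are case-insensitive; collapse whitespace and normalise ' : '."""
    key = re.sub(r"\s+", " ", key.strip())
    return re.sub(r"\s*:\s*", " : ", key).lower()


def parse_smb_conf(text):
    """Parse smb.conf syntax into {section: {key: value}}.

    Lines whose first non-blank character is '#' or ';' are comments, and
    parameters before any [section] header belong to [global].
    """
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a 'key = value' line; testparm would reject it
        conf[section][norm_key(key)] = value.strip()
    return conf


def parse_range(value):
    """'100000-200000' -> (100000, 200000); None if malformed or reversed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def lint(conf):
    """Return a list of findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    for key, value in g.items():
        if key in REMOVED:
            findings.append(f"{key}: {REMOVED[key]}")
        elif key in SUPERSEDED:
            findings.append(f"{key}: {SUPERSEDED[key]}")
        elif key in NOISY and value.lower() in ("yes", "true", "1"):
            findings.append(f"{key} = {value}: enumerates every user/group, slow in production")

    # Collect idmap ranges per domain and make sure each backend has one.
    ranges, backends = {}, set()
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+) : (\S+)", key)
        if not m:
            continue
        domain, option = m.group(1), m.group(2)
        if option == "backend":
            backends.add(domain)
        elif option == "range":
            rng = parse_range(value)
            if rng is None:
                findings.append(f"idmap config {domain} : range = {value!r} is malformed")
            else:
                ranges[domain] = rng
    for domain in sorted(backends - set(ranges)):
        findings.append(f"idmap config {domain} : backend set but no range given")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


# Constructed from the smb.conf quoted in the thread plus the questioned parameters.
SAMPLE_SMB_CONF = """
[global]
    workgroup = CORP
    realm = CORP.LOCAL
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 100000-200000
    idmap config CORP : unix_nss_info = yes
    idmap config CORP : unix_primary_group = yes
    template shell = /bin/false
    template homedir = /srv/samba/users/%U
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind offline logon = yes
    # User uid/Gid from AD. (rfc2307)
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind enum users  = no
    winbind enum groups = no
    winbind expand groups = 4
    map acl inherit = yes

[homes]
    comment = Home Directories
    read only = No
"""

if __name__ == "__main__":
    for finding in lint(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against the sample it reports exactly the two parameters the reply says are gone or replaced; feed it a config where the '*' and domain ranges overlap and it flags that too. Note that the domain name in the findings is lower-cased by the key normalisation, which mirrors Samba treating parameter names case-insensitively.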




