[Samba] authentication problem

Pisch Tamás pischta at gmail.com
Fri Jan 10 09:37:51 UTC 2020

> You also have these lines:
> logon path = ""
> name resolve order = lmhosts host bcast
> You should remove these, they have no place in an AD smb.conf

The smb.conf manpage mention that:
'Disable the use of roaming profiles by setting the value of this
parameter to the empty string. For example, logon path = "".'
I don't want roaming profiles, so I thought I need this parameter. Is
it enough if user profiles has empty Profile Path entries?
"Disabling of all roaming profile use requires that the user account
settings must also be blank."
What does it mean exactly?
name resolve order: I removed this settings from dcs. man offers wins
bcast settings for security = ADS, and SRV8 has that setting.

> Now we come to a line that you should add to all the smb.conf files:
> winbind refresh tickets = yes
> This will ensure that your kerberos tickets will be refreshed.

For this, I need libpam-winbind, according to the manual.
I've read that:
"Note: For a DC you do not need libpam-winbind libnss-winbind
libpam-krb5, unless you require AD users to login "
I think, to login locally. I don't want them to login locally, so I
thought I don't want these on DCs. Do I really need libpam-winbind,
and 'winbind refresh tickets' on DCs?
I set it up on SRV8 and DC3.

I still have the auth problem. 1-2 months ago I reinstalled the
computhers that had this problem, and after that the authentication
problem disappeared, but I wouldn't like to do it frequently.
Another question, but might be related to this problem.
I usually reinstall computers from clone image file, but I don't use
sysprep. What problem(s) can cause that?

More information about the samba mailing list