[Samba] AD woes

Emmanuel Florac eflorac at intellique.com
Wed Apr 21 16:03:54 UTC 2021


On Wed, 21 Apr 2021 16:55:53 +0100,
Rowland penny via samba <samba at lists.samba.org> wrote:

> On 21/04/2021 16:24, Emmanuel Florac via samba wrote:
> > Hello,
> >
> > I have an old ( 4.5.16-Debian ) samba server in an AD. The AD server
> > has been migrated to a new server, however
> >
> >
> >   wbinfo --dc-info=DOMAIN.local
> >
> > still reports the old server.  
> 
> 
> This is probably coming from the cache

Yes, probably. Ditto the existing users, that still connect without any
problem.
 
> >   It also looks like new users don't appear
> > in "wbinfo -u" output... And can't logon of course (However old
> > users still work fine).  
> 
> 
> This is your main problem, why cannot the new users logon ?

As they're not even listed, unsurprisingly they can't log in... And
that's actually the main problem.

> >
> > What's the right thing to do from there? Should I "net ads leave"
> > and "join" again?  
> 
> 
> I would 'leave' the domain, but not for the reason you think. You
> need to upgrade Samba and to do this, you will probably need to
> upgrade your OS (Debian Stretch ?) as well.

I'd rather keep that for later if possible :)

> 
> Before you do upgrade, post your smb.conf

[global]
    workgroup = SOMEDOMAIN
    security = ADS
    realm = SOMEDOMAIN.LOCAL

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Data %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SOMEDOMAIN : backend = rid
    idmap config SOMEDOMAIN : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/SOMEDOMAIN/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


Cheers
-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
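The posted smb.conf carries the comment "the ranges may not overlap !" next to the idmap config block. The following is an added example, not code from the mailing-list thread or from the Samba project: a small Python checker that pulls every `idmap config <domain> : backend|range` line out of an smb.conf, verifies that each domain (including the `*` default) has a backend and a parsable range, and reports any two ranges that overlap. The two configs embedded below are constructed for the example; the first mirrors the idmap lines from the post, the second deliberately widens the `*` range so it collides with the domain's rid range. The "range starts below 1000" warning is a heuristic assumption of this example (low UIDs are usually local system accounts), not a Samba rule.

```python
import re
from typing import Dict, List, Tuple

# Matches lines such as "idmap config SOMEDOMAIN : range = 10000-999999"
# or "idmap config *:backend = tdb"; whitespace around ':' is optional,
# as in the posted smb.conf.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed excerpt mirroring the idmap section of the posted smb.conf.
POSTED_CONF = """
[global]
    workgroup = SOMEDOMAIN
    security = ADS
    realm = SOMEDOMAIN.LOCAL
    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SOMEDOMAIN : backend = rid
    idmap config SOMEDOMAIN : range = 10000-999999
"""

# Constructed broken variant: the default range now reaches into the rid range.
OVERLAP_CONF = POSTED_CONF.replace("2000-9999", "2000-19999")


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config options per domain; domain names are upper-cased."""
    idmap: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]  # drop smb.conf comments
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        idmap.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
    return idmap


def check_idmap(conf: str) -> List[str]:
    """Return a list of human-readable problems; an empty list means the
    idmap ranges are present, parsable and pairwise disjoint."""
    problems: List[str] = []
    idmap = parse_idmap(conf)
    if "*" not in idmap:
        problems.append("no 'idmap config * : ...' default backend defined")
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in idmap.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        rng = opts.get("range")
        if rng is None:
            problems.append(f"{dom}: no range configured")
            continue
        m = RANGE_RE.match(rng)
        if not m:
            problems.append(f"{dom}: unparsable range {rng!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty or reversed")
            continue
        if lo < 1000:  # heuristic assumption: UIDs below 1000 are usually local accounts
            problems.append(f"{dom}: range {lo}-{hi} starts below 1000 (local account UIDs)")
        ranges.append((dom, lo, hi))
    # Sort by lower bound; neighbours in that order are the only possible overlaps.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("overlapping", OVERLAP_CONF)):
        issues = check_idmap(conf)
        print(f"{name}: {'OK' if not issues else ''}")
        for p in issues:
            print("  -", p)
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`. It only checks the idmap lines; it is a complement to `testparm`, not a replacement for it, and it says nothing about whether the ranges are large enough for the RIDs actually in use in the domain.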