[Samba] AD woes
Emmanuel Florac
eflorac at intellique.com
Wed Apr 21 16:03:54 UTC 2021
On Wed, 21 Apr 2021 16:55:53 +0100,
Rowland penny via samba <samba at lists.samba.org> wrote:
> On 21/04/2021 16:24, Emmanuel Florac via samba wrote:
> > Hello,
> >
> > I have an old ( 4.5.16-Debian ) samba server in an AD. The AD server
> > has been migrated to a new server, however
> >
> >
> > wbinfo --dc-info=DOMAIN.local
> >
> > still reports the old server.
>
>
> This is probably coming from the cache
Yes, probably. Ditto the existing users, that still connect without any
problem.
> > It also looks like new users don't appear
> > in "wbinfo -u" output... And can't logon of course (However old
> > users still work fine).
>
>
> This is your main problem, why cannot the new users logon ?
As they're not even listed, unsurprisingly they can't login... And
that's actually the main problem.
> >
> > What's the right thing to do from there? Should I "net ads leave"
> > and "join" again?
>
>
> I would 'leave' the domain, but not for the reason you think. You
> need to upgrade Samba and to do this, you will probably need to
> upgrade your OS (Debian Stretch ?) as well.
I'd rather keep that for later if possible :)
>
> Before you do upgrade, post your smb.conf
[global]
workgroup = SOMEDOMAIN
security = ADS
realm = SOMEDOMAIN.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SOMEDOMAIN : backend = rid
idmap config SOMEDOMAIN : range = 10000-999999
template shell = /bin/bash
template homedir = /home/SOMEDOMAIN/%U
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Cheers
--
------------------------------------------------------------------------
Emmanuel Florac | Direction technique
| Intellique
| <eflorac at intellique.com>
| +33 1 78 94 84 02
------------------------------------------------------------------------