[Samba] Replacing SSSD with just WINBIND for NFSv4
Rowland Penny
rpenny at samba.org
Tue Aug 31 18:29:21 UTC 2021
On Tue, 2021-08-31 at 13:53 -0400, Luc Lalonde wrote:
> I forgot to sanitize all the lines ;-)
>
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> netbios name = FS1
> security = ADS
> idmap config *:backend = tdb
> idmap config *:range = 200-999
> idmap config EXAMPLE:backend = ad
>
> Yes, you're correct... I migrated this NT4-Style quite a long time ago,
> when Samba-4.x first came out stable.
>
> Here's my setup:
>
> DC1: CentOS Stream 8 (Samba 4.12.5), DC2, DC3: Windows2012R2
>
> Clients: Fedora 34, Windows 10
>
> I know I'm late with the Samba version... I will update soon ;-)
>
The choice of distro is yours, but it isn't half easier to update Samba
if you use Debian or Ubuntu with Louis's repo.
Try this smb.conf:
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config *:backend = tdb
idmap config *:range = 2000000-2001000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:unix_nss_info = yes
idmap config EXAMPLE:range = 1100-999999
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
veto files = /Temporary Items/Network Trash Folder/.AppleDB/.AppleDouble/.AppleDesktop/.AppleDB/.DS_Store/
delete veto files = Yes
hide files = /Desktop.ini/RECYCLER/$RECYCLE.BIN/lost+found/
host msdfs = Yes
printing = cups
client signing = yes
log file = /var/log/samba/%m.log
kernel oplocks = yes
strict locking = No
deadtime = 15
acl allow execute always = True
# I see no real use for wide links, so if you really must use wide links,
# Uncomment the next two lines
#wide links = yes
#allow insecure wide links = yes
[homes]
comment = homes
browseable = No
read only = No
create mask = 0700
directory mask = 0700
valid users = %S
[profiles]
comment = Users Profile Directories
path = /store/profiles
browseable = no
read only = no
force create mode = 0600
force directory mode = 0700
csc policy = disable
Create the /etc/samba/user.map containing just one line:
!root = EXAMPLE\Administrator
I would also suggest you read this:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Setting up the profiles and managing from Windows is a better way to
manage profiles (if there is such a thing as a good way to use
profiles).
As for NFS, well Louis is your man there, I do not use it.
Rowland
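
The following check is an added example, not part of Rowland's message or of Samba itself: it compares the idmap lines of the two configurations in this thread and reports a domain that has a backend but no valid range, or ranges that overlap. The names parse_idmap and check_idmap are hypothetical, and only the idmap backend and range lines are reproduced.

```python
import re

# Matches active lines such as "idmap config EXAMPLE:range = 1100-999999";
# commented-out lines do not match because of the anchored "idmap" prefix.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*([^=\s]+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for the idmap config lines in smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap(conf_text):
    """Return a list of findings: missing backend, missing/invalid range, overlaps."""
    findings, ranges = [], []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        if "backend" not in opts:
            findings.append(f"{dom}: no backend set")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"{dom}: no valid range set")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        for other, olow, ohigh in ranges:
            if low <= ohigh and olow <= high:  # closed intervals intersect
                findings.append(f"{dom}: range overlaps {other}")
        ranges.append((dom, low, high))
    return findings

# idmap backend/range lines copied from the two configurations in this thread.
ORIGINAL = """
idmap config *:backend = tdb
idmap config *:range = 200-999
idmap config EXAMPLE:backend = ad
"""
SUGGESTED = """
idmap config *:backend = tdb
idmap config *:range = 2000000-2001000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:range = 1100-999999
"""

if __name__ == "__main__":
    print({"original": check_idmap(ORIGINAL), "suggested": check_idmap(SUGGESTED)})
```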