[Samba] Replacing SSSD with just WINBIND for NFSv4

Rowland Penny rpenny at samba.org
Tue Aug 31 18:29:21 UTC 2021


On Tue, 2021-08-31 at 13:53 -0400, Luc Lalonde wrote:
> I forgot to sanitize all the lines ;-)
> 
> [global]
>      workgroup = EXAMPLE
>      realm = EXAMPLE.COM
>      netbios name = FS1
>      security = ADS
>      idmap config *:backend = tdb
>      idmap config *:range = 200-999
>      idmap config EXAMPLE:backend = ad
> 
> Yes, you're correct... I migrated this NT4-Style quite a long time
> ago, 
> when Samba-4.x first came out stable.
> 
> Here's my setup:
> 
> DC1:  CentoOS Stream 8 (Samba 4.12.5), DC2, DC3:  Windows2012R2
> 
> Clients:  Fedora 34, Windows 10
> 
> I know I'm late with the Samba version...  I will update soon ;-)
> 

The choice of distro is yours, but it isn't half easier to update Samba
if you use Debian or Ubuntu with Louis's repo.

Try this smb.conf:

[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind use default domain = yes
    winbind expand groups = 2
    winbind refresh tickets = Yes

    idmap config *:backend = tdb
    idmap config *:range = 2000000-2001000
    idmap config EXAMPLE:backend = ad
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:unix_nss_info = yes
    idmap config EXAMPLE:range = 1100-999999

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    map acl inherit = Yes

    veto files = /Temporary Items/Network Trash Folder/.AppleDB/.AppleDouble/.AppleDesktop/.AppleDB/.DS_Store/
    delete veto files = Yes
    hide files = /Desktop.ini/RECYCLER/$RECYCLE.BIN/lost+found/
    host msdfs = Yes
    printing = cups
    client signing = yes
    log file = /var/log/samba/%m.log
    kernel oplocks = yes
    strict locking = No
    deadtime = 15
    acl allow execute always = True

    # I see no real use for wide links, so if you really must use wide links,
    # uncomment the next two lines
    #wide links = yes
    #allow insecure wide links = yes

[homes]
    comment = homes
    browseable = No
    read only = No
    create mask = 0700
    directory mask = 0700
    valid users = %S

[profiles]
    comment = Users Profile Directories
    path = /store/profiles
    browseable = no
    read only = no
    force create mode = 0600
    force directory mode = 0700
    csc policy = disable

Create the /etc/samba/user.map containing just one line:

!root = EXAMPLE\Administrator

I would also suggest you read this:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Setting up the profiles and managing from Windows is a better way to
manage profiles (if there is such a thing as a good way to use
profiles).

As for NFS, well Louis is your man there, I do not use it.

Rowland
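An added consistency check for the idmap settings discussed above (example code, not from this thread or from Samba): it reads the `idmap config` lines of an smb.conf and reports a domain with no range (the defect in the quoted [global]) and ranges that overlap. The ORIGINAL_GLOBAL sample is constructed to mirror the quoted config; the "below 1000" rule assumes the common distro convention that local system accounts sit under UID/GID 1000.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the quoted [global]: the EXAMPLE domain has a
# backend but no range, which the ad backend needs.
ORIGINAL_GLOBAL = """[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    idmap config *:backend = tdb
    idmap config *:range = 200-999
    idmap config EXAMPLE:backend = ad
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per domain; '*' is the default domain."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).strip().upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def check_idmap(conf: str) -> List[str]:
    """Return the problems found; an empty list means the idmap block is consistent."""
    problems: List[str] = []
    domains = parse_idmap(conf)
    ranges: List[Tuple[str, int, int]] = []
    if "*" not in domains:
        problems.append("no default ('*') idmap domain")
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range (required for every idmap domain)")
            continue
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", opts["range"])
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{dom}: malformed range {opts['range']!r}")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo < 1000:  # assumed convention: local system accounts live below 1000
            problems.append(f"{dom}: range starts below 1000 and may collide with local accounts")
        ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])  # adjacent ranges in ascending order must not overlap
    for (d1, _, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems
```

Running `check_idmap` over the suggested smb.conf above returns an empty list; over the quoted one it flags the missing EXAMPLE range.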
