[Samba] Server Mandatory SMB Signing Not Working
Rowland Penny
rpenny at samba.org
Sun Nov 14 15:50:44 UTC 2021
On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> We have just made the required changes to implement SMB Signing. We are
> now using LDAP/Kerberos to authenticate users.
You might be, but I doubt Samba is, is winbind running?
> We joined the SAMBA server to the domain via net ads join .... command.
> Everything works except that the add user script feature doesn't seem to
> work consistently.
I am surprised it works at all, that is really meant for the older
NT4-style domains.
> I can manually add users to the local AIX machine
Ah, but you shouldn't be, all your users should be in AD and not in
/etc/passwd
> with the same script and the user can then map their drives. However, SAMBA
> does not do it automatically per design. Below is the Global section from
> my smb.conf. Any assistance would be greatly appreciated. I have
> obfuscated portions for security
>
> [global]
> workgroup = INM
> realm = INMAR.COM
> interfaces = 99.999.999.999
> netbios name = AAAAAA
> netbios aliases = BBBBBB
You do not use 'netbios aliases' with AD, you use a CNAME in dns
instead.
> security = ADS
> add user script = /usr/sbin/smbusradd -g usr -G usr %u
> log file = /var/samba/log/log.%m
> log level = 3 passdb:5 auth:5
> wins server = xxxxxxx.inmar.com
Sorry, but you do not use 'wins' with AD, you use dns instead.
> password server = xxxxxxx.inmar.com
Do not set that, allow Samba to find the best DC to use.
> socket address = 99.999.999.999
Try reading 'man smb.conf', that parameter is a synonym for a
deprecated parameter.
> server min protocol = SMB2
> server signing = mandatory
> create mask = 0666
You are missing the 'idmap config' lines, without which, nothing is
going to work correctly, try reading this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
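
Added example, not part of the message above or of Samba itself: a small Python check that reads the [global] section of an smb.conf and reports the parameters the reply objects to on an AD domain member, plus the missing 'idmap config' lines. The function names and the trimmed sample text are assumptions made for illustration; the reasons are paraphrased from the reply.

```python
# Parameters the reply objects to on an AD domain member (reasons paraphrased).
FLAGGED = {
    "netbios aliases": "use a CNAME in DNS instead",
    "wins server": "AD uses DNS, not WINS",
    "password server": "let Samba find the best DC itself",
    "socket address": "synonym for a deprecated parameter",
    "add user script": "meant for NT4-style domains; users belong in AD",
}

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())

def parse_global(text):
    """Return {normalised name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def lint(text):
    """Return one finding per issue raised in the reply."""
    params = parse_global(text)
    findings = [f"{n}: {why}" for n, why in FLAGGED.items() if norm(n) in params]
    if params.get("security", "").lower() == "ads" and not any(
            k.startswith("idmapconfig") for k in params):
        findings.append("idmap config: no lines set for a domain member")
    return findings

# Constructed sample: trimmed from the posted [global] section (values obfuscated).
SAMPLE = """[global]
workgroup = INM
netbios aliases = BBBBBB
security = ADS
add user script = /usr/sbin/smbusradd -g usr -G usr %u
wins server = xxxxxxx.inmar.com
password server = xxxxxxx.inmar.com
socket address = 99.999.999.999
server signing = mandatory
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```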