[Samba] Server Mandatory SMB Signing Not Working

Rowland Penny rpenny at samba.org
Sun Nov 14 15:50:44 UTC 2021

On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> We have just made the required changes to implement SMB Signing. We
> are
> now using LDAP/Kerberos to authenticate users.

You might be, but I doubt Samba is, is winbind running ?

> We joined the SAMBA server to the domain via net ads join ....
> command.
> Everything works except that the add user script feature doesn't seem
> to
> work consistently.

I am surprised it works at all, that is really meant for the older NT4-
style domains.

>  I can manually add users to the local AIX machine

Ah, but you shouldn't be, all your users should be in AD and not in

> with the same script and the user can then map their drives. However,
> does not do it automatically per design. Below is the Global section
> from
> my smb.conf. Any assistance would be
> greatly appreciated. I have obfuscated portions for security
> [global]
>         workgroup = INM
>         realm = INMAR.COM
>         interfaces = 99.999.999.999
>         netbios name = AAAAAA
>         netbios aliases = BBBBBB

You do not use 'netbios aliases' with AD, you use a CNAME in dns

>         security = ADS
>         add user script = /usr/sbin/smbusradd -g usr -G usr %u
>         log file = /var/samba/log/log.%m
>         log level = 3  passdb:5  auth:5
>         wins server = xxxxxxx.inmar.com

Sorry, but you do not use 'wins' with AD, you use dns instead.

>         password server =  xxxxxxx.inmar.com

Do not set that, allow Samba to find the best DC to use.

>         socket address =  99.999.999.999

Try reading 'man smb.conf', that parameter is a synonym for a
deprecated parameter.

>         server min protocol = SMB2
>         server signing = mandatory
>         create mask = 0666

You are missing the 'idmap config' lines, without which, nothing is
going to work correctly, try reading this:



More information about the samba mailing list