[Samba] Server Mandatory SMB Signing Not Working
Rowland Penny
rpenny at samba.org
Sun Nov 14 16:43:50 UTC 2021
On Sun, 2021-11-14 at 11:39 -0500, Philip Cunio wrote:
> Yes, winbindd is running.
What about the rest of my comments ???
Rowland
>
>
> On Sun, Nov 14, 2021 at 10:51 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> > > We have just made the required changes to implement SMB Signing. We are
> > > now using LDAP/Kerberos to authenticate users.
> >
> > You might be, but I doubt Samba is, is winbind running ?
> >
> > > We joined the SAMBA server to the domain via net ads join .... command.
> > > Everything works except that the add user script feature doesn't seem to
> > > work consistently.
> >
> > I am surprised it works at all, that is really meant for the older
> > NT4-style domains.
> >
> > > I can manually add users to the local AIX machine
> >
> > Ah, but you shouldn't be, all your users should be in AD and not in
> > /etc/passwd
> >
> > > with the same script and the user can then map their drives. However, SAMBA
> > > does not do it automatically per design. Below is the Global section from
> > > my smb.conf. Any assistance would be
> > > greatly appreciated. I have obfuscated portions for security
> > >
> > > [global]
> > > workgroup = INM
> > > realm = INMAR.COM
> > > interfaces = 99.999.999.999
> > > netbios name = AAAAAA
> > > netbios aliases = BBBBBB
> >
> > You do not use 'netbios aliases' with AD, you use a CNAME in dns
> > instead.
> >
> > > security = ADS
> > > add user script = /usr/sbin/smbusradd -g usr -G usr %u
> > > log file = /var/samba/log/log.%m
> > > log level = 3 passdb:5 auth:5
> > > wins server = xxxxxxx.inmar.com
> >
> > Sorry, but you do not use 'wins' with AD, you use dns instead.
> >
> > > password server = xxxxxxx.inmar.com
> >
> > Do not set that, allow Samba to find the best DC to use.
> >
> > > socket address = 99.999.999.999
> >
> > Try reading 'man smb.conf', that parameter is a synonym for a
> > deprecated parameter.
> >
> > > server min protocol = SMB2
> > > server signing = mandatory
> > > create mask = 0666
> >
> > You are missing the 'idmap config' lines, without which, nothing is
> > going to work correctly, try reading this:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Rowland
> >
> >
> >