[Samba] Server Mandatory SMB Signing Not Working
rpenny at samba.org
Sun Nov 14 16:43:50 UTC 2021
On Sun, 2021-11-14 at 11:39 -0500, Philip Cunio wrote:
> Yes, winbindd is running.
What about the rest of my comments ???
> On Sun, Nov 14, 2021 at 10:51 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> > On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> > > We have just made the required changes to implement SMB Signing.
> > We
> > > are
> > > now using LDAP/Kerberos to authenticate users.
> > You might be, but I doubt Samba is, is winbind running ?
> > > We joined the SAMBA server to the domain via net ads join ....
> > > command.
> > > Everything works except that the add user script feature doesn't
> > seem
> > > to
> > > work consistently.
> > I am surprised it works at all, that is really meant for the older
> > NT4-
> > style domains.
> > > I can manually add users to the local AIX machine
> > Ah, but you shouldn't be, all your users should be in AD and not in
> > /etc/passwd
> > > with the same script and the user can then map their drives.
> > However,
> > > SAMBA
> > > does not do it automatically per design. Below is the Global
> > section
> > > from
> > > my smb.conf. Any assistance would be
> > > greatly appreciated. I have obfuscated portions for security
> > >
> > > [global]
> > > workgroup = INM
> > > realm = INMAR.COM
> > > interfaces = 99.999.999.999
> > > netbios name = AAAAAA
> > > netbios aliases = BBBBBB
> > You do not use 'netbios aliases' with AD, you use a CNAME in dns
> > instead.
> > > security = ADS
> > > add user script = /usr/sbin/smbusradd -g usr -G usr %u
> > > log file = /var/samba/log/log.%m
> > > log level = 3 passdb:5 auth:5
> > > wins server = xxxxxxx.inmar.com
> > Sorry, but you do not use 'wins' with AD, you use dns instead.
> > > password server = xxxxxxx.inmar.com
> > Do not set that, allow Samba to find the best DC to use.
> > > socket address = 99.999.999.999
> > Try reading 'man smb.conf', that parameter is a synonym for a
> > deprecated parameter.
> > > server min protocol = SMB2
> > > server signing = mandatory
> > > create mask = 0666
> > You are missing the 'idmap config' lines, without which, nothing is
> > going to work correctly, try reading this:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > Rowland
More information about the samba