[Samba] [EXTERNAL] Re: Server Mandatory SMB Signing Not Working
Philip Cunio
phil.cunio at inmar.com
Sun Nov 14 19:14:03 UTC 2021
Yes, working on those. We need local accounts created as we have issues
using uid ranges out of AD. Does the idmap replace the add user script
functionality? That's why the add user script is useful for us - when it
works. Does the idmap replace the add user script functionality? Also,
does having winbindd running override the add user script?
Thanks,
Phil
On Sun, Nov 14, 2021 at 11:44 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Sun, 2021-11-14 at 11:39 -0500, Philip Cunio wrote:
> > Yes, winbindd is running.
>
> What about the rest of my comments ???
>
> Rowland
>
> >
> >
> > On Sun, Nov 14, 2021 at 10:51 AM Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> > > On Sun, 2021-11-14 at 10:17 -0500, Philip Cunio via samba wrote:
> > > > We have just made the required changes to implement SMB Signing. We
> > > > are now using LDAP/Kerberos to authenticate users.
> > >
> > > You might be, but I doubt Samba is, is winbind running ?
> > >
> > > > We joined the SAMBA server to the domain via net ads join ....
> > > > command.
> > > > Everything works except that the add user script feature doesn't
> > > > seem to work consistently.
> > >
> > > I am surprised it works at all, that is really meant for the older
> > > NT4-style domains.
> > >
> > > > I can manually add users to the local AIX machine
> > >
> > > Ah, but you shouldn't be, all your users should be in AD and not in
> > > /etc/passwd
> > >
> > > > with the same script and the user can then map their drives. However,
> > > > SAMBA does not do it automatically per design. Below is the Global
> > > > section from my smb.conf. Any assistance would be greatly appreciated.
> > > > I have obfuscated portions for security.
> > > >
> > > > [global]
> > > > workgroup = INM
> > > > realm = INMAR.COM
> > > > interfaces = 99.999.999.999
> > > > netbios name = AAAAAA
> > > > netbios aliases = BBBBBB
> > >
> > > You do not use 'netbios aliases' with AD, you use a CNAME in dns
> > > instead.
> > >
> > > > security = ADS
> > > > add user script = /usr/sbin/smbusradd -g usr -G usr %u
> > > > log file = /var/samba/log/log.%m
> > > > log level = 3 passdb:5 auth:5
> > > > wins server = xxxxxxx.inmar.com
> > >
> > > Sorry, but you do not use 'wins' with AD, you use dns instead.
> > >
> > > > password server = xxxxxxx.inmar.com
> > >
> > > Do not set that, allow Samba to find the best DC to use.
> > >
> > > > socket address = 99.999.999.999
> > >
> > > Try reading 'man smb.conf', that parameter is a synonym for a
> > > deprecated parameter.
> > >
> > > > server min protocol = SMB2
> > > > server signing = mandatory
> > > > create mask = 0666
> > >
> > > You are missing the 'idmap config' lines, without which, nothing is
> > > going to work correctly, try reading this:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > >
> > > Rowland
> > >
> > >
> > >
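Added here as an illustration, not as text from the thread or from Samba's own documentation: the posted [global] section rewritten along the lines of Rowland's comments and the wiki page he links. The parameters Rowland objected to (netbios aliases, wins server, password server, socket address, add user script) are left out, and the idmap and winbind settings from the domain-member wiki page are put in. The domain name INM and realm INMAR.COM come from the thread; the idmap ranges, the keytab path and the template paths are assumptions and placeholders that must be adjusted for the site. The signing lines are the ones already in the posted config.

```ini
[global]
    workgroup = INM
    realm = INMAR.COM
    security = ADS
    netbios name = AAAAAA
    ; Not set: netbios aliases (use a DNS CNAME), wins server and
    ; password server (AD uses DNS and DC discovery), socket address,
    ; add user script (users come from AD via winbind, not /etc/passwd).

    ; Keytab handling for a joined domain member (path is an assumption)
    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab

    ; ID mapping: a default (*) range for BUILTIN/local SIDs plus a
    ; deterministic rid mapping for the INM domain. Placeholder ranges;
    ; the two ranges must not overlap each other or locally assigned UIDs.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config INM : backend = rid
    idmap config INM : range = 10000-999999

    ; Let AD users log in as "user" instead of "INM\user"; shell and
    ; home directory for users winbind resolves (paths are assumptions)
    winbind use default domain = yes
    template shell = /bin/sh
    template homedir = /home/%U

    ; Signing as already configured in the thread: SMB1 disabled, and the
    ; server refuses clients that will not sign
    server min protocol = SMB2
    server signing = mandatory

    log file = /var/samba/log/log.%m
    log level = 3 passdb:5 auth:5
```

Run `testparm` after editing to confirm the file parses and to see which deprecated synonyms it warns about. With winbindd running and the operating system's name-service switch pointed at winbind, `wbinfo -u` should list domain users and `getent passwd someuser` should resolve an AD account to a UID inside the INM range without any local account having been created; that is the point at which an add user script stops being needed. Note that `server signing = mandatory` only governs what this server accepts; on a Windows client, `Get-SmbConnection` shows a Signed column that confirms whether a given session is actually being signed.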