[Samba] Printserver after latest MS updates
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 19 14:27:31 UTC 2021
Hai,
I've re-checked my logs also and I don't see any of these NTLMv2 messages in my logs.
I see some messages, but no show stoppers, same as normal (for me then).
We run Windows 10 2004 up to Windows 11 now.
Samba with Cups setup. This is running on debian 10, samba 4.14.8
2 settings you don't see there, but which do show up for me with samba-tool testparm -vv | grep -i ntlm
client NTLMv2 auth = Yes
ntlm auth = ntlmv2-only
I do have ntlm auth = ntlmv2-only on all my AD-DCs due to other things I use, which need NTLMv2.
Maybe it helps someone.
My config.
[global]
log level = 1
workgroup = ADDOM
security = ADS
realm = INTERNAL.DOMAIN.TLD
netbios name = PRINT1
preferred master = no
domain master = no
host msdfs = no
interfaces = 192.168.1.5 127.0.0.1
bind interfaces only = yes
dns proxy = yes
# Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/local/private/xxxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxxxCA.pem
## map ids outside the domain to tdb files.
idmap config * :backend = tdb
idmap config * :range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config ADDOM: backend = ad
idmap config ADDOM: schema_mode = rfc2307
idmap config ADDOM: range = 10000-3999999
idmap config ADDOM: unix_primary_group = yes
idmap config ADDOM: unix_nss_info = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket
winbind refresh tickets = yes
# show domain prefix
# set to no, don't use the default domain, output shows: DOMAIN\user
# set to yes, use the default domain, output shows: user
winbind use default domain = yes
# show users with getent passwd
winbind enum users = no
winbind enum groups = no
# enable offline logins
winbind offline logon = yes
# check depth of nested groups! Slows down your samba if the group nesting is too deep
winbind expand groups = 1
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path =
# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
##### PRINT SERVER PART #######
#enable asu support = yes
## Enabling spoolssd
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
spoolss:architecture = Windows x64
# Minimum number of child processes
spoolssd:prefork_min_children = 5
# Maximum number of child processes
spoolssd:prefork_max_children = 25
# Start (fork) x new children if one connection comes in (up to prefork_max_children)
spoolssd:prefork_spawn_rate = 5
# Number of clients a child process should be responsible for
spoolssd:prefork_max_allowed_clients = 100
# Minimum lifetime of a child process (60 seconds is the minimum, even if a lower value has been configured)
spoolssd:prefork_child_min_life = 60
load printers = yes
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /home/samba/printing/drivers
acl_xattr:ignore system acl = yes
browseable = yes
writable = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
write list = root, administrator, @"Domain Admins", @lpadmin, @"Print Operators"
[printers]
comment = All Printers
path = /home/samba/printing/spool
acl_xattr:ignore system acl = yes
browseable = yes
printable = yes
printing = CUPS
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of cn--- via samba
> Sent: Tuesday 19 October 2021 16:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Printserver after latest MS updates
>
> On 19.10.21 at 16:02, Ingo Asche via samba wrote:
> > Same here...
> >
> > Have set up one of my DCs new with the packages from Louis. This DC is
> > also my print server. Thought at first I made an error but yesterday I
> > found this:
> >
> > https://www.bleepingcomputer.com/news/microsoft/new-windows-10-kb5006670-update-breaks-network-printing/
> >
> >
> > That's exactly the error I'm getting. But I couldn't check this with
> > uninstalling the last Windows patch until now.
>
> As said. For us everything works. I was just wondering why only NTLMv2
> and not Kerberos is used and why only since last Friday ...
>
> I also did not have a chance to investigate if the removal of the patch
> fixes the problem.
>
> Regards
>
> --
> Dr. Christian Naumer
> Vice President
> Unit Head Bioprocess Development
>
> BRAIN Biotech AG
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Court of registration: AG Darmstadt, HRB 24758
> Executive Board: Adriaan Moelker (Chairman), Lukas Linnig
> Chairman of the Supervisory Board: Dr. Georg Kellinghusen
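The `samba-tool testparm -vv | grep -i ntlm` check mentioned in the message, turned into a repeatable audit of the two settings it names. This is an added example, not part of the original post or of Samba; the function names `ntlm_audit`, `sample_strict` and `sample_weak` and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "ntlm auth" and "client NTLMv2 auth" in testparm-style
# output read from stdin. Prints one finding per setting.
# Returns 0 if both settings are NTLMv2-only or stricter, 1 otherwise.
ntlm_audit() {
    awk -F= '
    # Samba ignores case and whitespace in parameter names.
    function norm(s) { gsub(/[ \t]+/, "", s); return tolower(s) }
    /^[ \t]*[#;]/ { next }                       # skip full-line comments
    NF >= 2 {
        val = substr($0, index($0, "=") + 1)     # everything after the first "="
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[norm($1)] = tolower(val)            # last occurrence wins
    }
    END {
        bad = 0
        srv = seen["ntlmauth"]
        if (srv == "") { print "MISSING ntlm auth"; bad = 1 }
        else if (srv == "ntlmv2-only" || srv == "no" || srv == "disabled")
            print "OK ntlm auth = " srv
        else { print "FLAG ntlm auth = " srv; bad = 1 }   # e.g. ntlmv1-permitted / yes

        cli = seen["clientntlmv2auth"]
        if (cli == "") { print "MISSING client NTLMv2 auth"; bad = 1 }
        else if (cli == "yes" || cli == "true" || cli == "on" || cli == "1")
            print "OK client NTLMv2 auth = " cli
        else { print "FLAG client NTLMv2 auth = " cli; bad = 1 }
        exit bad
    }'
}

# Constructed sample: the values quoted in the message above.
sample_strict() {
    printf '%s\n' '[global]' '	client NTLMv2 auth = Yes' '	ntlm auth = ntlmv2-only'
}

# Constructed sample: a host that still accepts and sends NTLMv1.
sample_weak() {
    printf '%s\n' '[global]' '	NTLM Auth = ntlmv1-permitted' '	client ntlmv2 auth = No'
}

sample_strict | ntlm_audit
sample_weak | ntlm_audit || true
```

On a live host, pipe the real output into the function: `samba-tool testparm -vv 2>/dev/null | ntlm_audit`.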