[Samba] GPO on a DC

Rowland Penny rpenny at samba.org
Fri Jun 24 12:18:33 UTC 2022


On Fri, 2022-06-24 at 11:01 +0000, samba-ml-en via samba wrote:
> Hello Louis,
> 
> $host tristsnpa43.ad2.domain.eu
> tristsnpa43.ad2.domain.eu has address 10.10.20.43
> $dig tristsnpa43.ad2.domain.eu +short
> 10.10.20.43
> 
> $host 10.10.20.43
> 43.20.10.10.in-addr.arpa domain name pointer
> tristsnpa43.ad2.domain.eu.
> $dig -x 10.10.20.43 +short
> tristsnpa43.ad2.domain.eu.
> 
> $resolvectl
> Global
>        Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
> resolv.conf mode: stub
> 
> Link 2 (vlan10)
>     Current Scopes: DNS
>          Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS
> DNSSEC=yes/supported
> Current DNS Server: 10.10.10.9
>        DNS Servers: 10.10.10.9
>         DNS Domain: ~inf.domain.eu
> 
> Link 3 (vlan20)
>     Current Scopes: DNS
>          Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS
> DNSSEC=yes/supported
> Current DNS Server: 127.0.0.1
>        DNS Servers: 127.0.0.1
>         DNS Domain: ad2.domain.eu ~.
> 
> 
> For named, I have
> systemctl edit named.service<<EOF
> [Service]
> ExecReload=
> ExecReload=/usr/bin/systemctl restart named.service
> ExecStartPost=/bin/sleep 10
> [Unit]
> After=
> After=network.target network-online.target
> EOF
> }
> 
> For samba-ad-dc, I have
> systemctl edit samba-ad-dc.service<<EOF
> [Unit]
> After=
> After=network.target network-online.target named.service
> EOF
> }
> 

There are a number of parameters set in your DC's smb.conf that I
wouldn't set, for a number of reasons.
Let's go through them:

domain master = Yes
That is an NT4-style domain term and has no place in a DC smb.conf

winbind enum groups = Yes
winbind enum users = Yes
You do not need those; nsswitch will work without them, and they can just
slow things down.

name resolve order = host lmhosts wins bcast
Another NT4-style term, you use DNS instead.

template homedir = /home/%D/%U
That is a default setting.

disable netbios = Yes
That is not how you turn off netbios on a DC, you need to either remove
'nbt' from the 'server services' line or have a 'server services' line
with '-nbt' (at least) in it.

winbind rpc only = Yes
With this set, you are not allowing winbindd to retrieve information
from AD with ldap. It might be your problem.

Rowland
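As an added, constructed example (not code from the thread or from Samba), a small Python check that flags the same parameters in a DC's [global] section; the `server services` handling is a simplified reading of Samba's +/- list syntax, and the sample config is made up, not the poster's file:

```python
# Parameters the reply says do not belong in a DC smb.conf, with the reason given.
DC_UNWANTED = {
    "domain master": "NT4-style term, no place in a DC smb.conf",
    "winbind enum groups": "not needed, nsswitch works without it, can slow things down",
    "winbind enum users": "not needed, nsswitch works without it, can slow things down",
    "name resolve order": "NT4-style term, a DC uses DNS",
    "template homedir": "already the default, redundant",
    "disable netbios": "does not turn off NetBIOS on a DC",
    "winbind rpc only": "stops winbindd retrieving information from AD with LDAP",
}
def parse_global(smb_conf: str) -> dict:
    """Return the [global] section as {normalised key: value}; other sections are skipped."""
    params, in_global = {}, False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
        elif in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def netbios_off(services: str) -> bool:
    # Simplified reading of 'server services': unset = default list (includes nbt);
    # a +/- list must contain '-nbt'; a full list must simply not contain 'nbt'.
    tokens = services.split()
    if not tokens:
        return False
    if any(t[0] in "+-" for t in tokens):
        return "-nbt" in tokens
    return "nbt" not in tokens

def audit_dc_smb_conf(smb_conf: str) -> list:
    """One finding per flagged parameter; template homedir only when set to its default."""
    params = parse_global(smb_conf)
    findings = [f"{k} = {params[k]}: {why}" for k, why in DC_UNWANTED.items()
                if k in params and (k != "template homedir" or params[k] == "/home/%D/%U")]
    if "disable netbios" in params and not netbios_off(params.get("server services", "")):
        findings.append("NetBIOS still on: use a 'server services' line with '-nbt' (at least)")
    return findings

# Constructed sample with the parameters under discussion, not the poster's actual file.
SAMPLE = """[global]
   domain master = Yes
   winbind enum users = Yes
   template homedir = /home/%D/%U
   disable netbios = Yes
   winbind rpc only = Yes
"""
```

Run `audit_dc_smb_conf` over the text of a real smb.conf (for example the output of `testparm -s`) to get one line per parameter worth removing.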
