[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Sun Dec 3 23:10:03 UTC 2023


Before attempting to join domain members with my newly provisioned AD/DC, there
are some differences between this new smb.conf and the one from the current DC
running Samba 4.8.2. Please advise if I need any of these:

[global]
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate
    ntlm auth = yes
    winbind use default domain = yes
    template shell = /bin/bash
    log level = 2 passdb:5 auth:10 winbind:2 lanman:10

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[Users]
    path = /redirectedFolders/Users
    comment = user folders for redirection
    read only = No

[share]
    path = /var/lib/samba/share
    comment = Shared folder
    read only = No

Note that the old/current DC was provisioned with BIND9_FLATFILE whereas the new
one uses Samba Internal DNS backend.

The old/current DC utilized redirected folders as a Windows Group Policy which
kept certain workstation folders (Desktop, Documents, Pictures, Favorites, etc.)
on the DC, not on the Workstation. I expect to be able to do the same with the
new version Samba DC (4.18.8).

I don't know if passdb, auth, winbind, lanman logging works with the new DC,
and maybe I don't need any of these unless there is a problem.

The 'load printers' bit was just to disable printing from the DC.

I don't know what [share] was used for and perhaps that is not needed.

My entire current samba-tool provision generated smb.conf is:

[global]
        dns forwarder = 209.18.47.61
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
        interfaces = lo, eth1
        bind interfaces only = Yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/hprs.locl/scripts
        read only = No

As mentioned, I plan on adding [Users]

Thoughts?

--Thanks Mark
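To see exactly which [global] parameters and share sections the old smb.conf carries that the freshly provisioned one lacks, here is an added Python example (not from the post, and not Samba's own code) that parses both fragments and diffs them. The inline config text is a constructed copy of the two blocks quoted above, trimmed to the parameters under discussion, and the parameter-name normalisation (lower-case, whitespace collapsed) only approximates Samba's own case-insensitive matching.

```python
import configparser
# Constructed copies of the two [global] blocks quoted in the post (old 4.8.2 DC
# vs fresh samba-tool provision), trimmed to the parameters under discussion.
OLD_SMB_CONF = """
[global]
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate
ntlm auth = yes
winbind use default domain = yes
template shell = /bin/bash
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
    load printers = no
    disable spoolss = yes
[Users]
    path = /redirectedFolders/Users
    read only = No
"""
NEW_SMB_CONF = """
[global]
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
    load printers = no
    disable spoolss = yes
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}, names lower-cased with whitespace collapsed
    (smb.conf names are case-insensitive). Lines are dedented first because configparser
    reads indented lines as continuations; only '=' delimits, so 'idmap_ldb:...' keeps its colon."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = lambda n: " ".join(n.split()).lower()
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {s.lower(): {k: v.strip() for k, v in cp.items(s)} for s in cp.sections()}

def diff_globals(old, new):
    """Parameters only on the old DC, only in the new provision, or set differently."""
    o, n = old.get("global", {}), new.get("global", {})
    only_old = sorted(k for k in o if k not in n)
    only_new = sorted(k for k in n if k not in o)
    changed = sorted(k for k in o if k in n and o[k].lower() != n[k].lower())
    return only_old, only_new, changed

def missing_shares(old, new):
    """Share sections the old DC defines that the new smb.conf lacks."""
    return sorted(s for s in old if s != "global" and s not in new)
```

Running `diff_globals` on the two parsed fragments lists the five old-only settings (log level, ntlm auth, server services, template shell, winbind use default domain) as the ones to decide on, and `missing_shares` reports [Users] as the share still to be added.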