[Samba] Provisioning new AD Domain Controller

Rowland Penny rpenny at samba.org
Tue Dec 5 10:18:00 UTC 2023


On Sun, 03 Dec 2023 18:10:03 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> Before attempting to join domain members with my newly provisioned
> AD/DC, there are some differences between this new smb.conf and the
> one from the current DC running Samba 4.8.2. Please advise if I need
> any of these:
> 
> [global]
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl,winbind, ntp_signd, kcc, dnsupdate

As you are now using the internal dns server, that 'server services'
line is no longer required.

> ntlm auth = yes

Are you still using SMBv1 anywhere?
If not then you do not need that line either.

> winbind use default domain = yes

You never needed that line on a Samba AD DC, mainly because it doesn't
work on a Samba AD DC.

> template shell = /bin/bash
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10

What you get Samba to log is up to you, but I am fairly sure that you
do not need 'lanman'.

> 
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes

Those four lines stop printing from working on the machine via Samba,
so, unless you need printing, I would add them.

> 
> [Users]
>     path = /redirectedFolders/Users
>     comment = user folders for redirection
>     read only = No
> 
> [share]
>     path = /var/lib/samba/share
>     comment = Shared folder
>     read only = No

You really shouldn't use a DC as a fileserver, but if you are, then you
are going to have to configure them.

> 
> I don't know what [share] was used for and perhaps that is not needed.
> 
> My entire current samba-tool provision generated smb.conf is:
> 
> [global]
>         dns forwarder = 209.18.47.61
>         netbios name = DC1
>         realm = HPRS.LOCL
>         server role = active directory domain controller
>         workgroup = HPRS
>         idmap_ldb:use rfc2307 = yes
>         interfaces = lo, eth1
>         bind interfaces only = Yes
> 
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/hprs.locl/scripts
>         read only = No

You didn't show 'sysvol' and 'netlogon' as shares in your original
smb.conf, but they are required on a Samba AD DC.

Rowland
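The points Rowland makes above can be turned into a mechanical check. The script below is an added example, not part of this thread and not Samba's own tooling: it parses an smb.conf (sections, `key = value` lines, `#`/`;` comments, case-insensitive keys) and applies the thread's advice to a DC config: flags 'server services', 'ntlm auth' permitting NTLMv1, 'winbind use default domain', the 'lanman' debug class, missing printing-disable lines, missing [sysvol]/[netlogon] shares, and any extra file shares on the DC. The embedded sample config is constructed from the two [global] sections quoted in the thread with [netlogon] deliberately left out; the finding categories and wording are my own, and `parse_smb_conf` handles only the plain single-line form of the file (no `include`, no `\` continuation).

```python
"""Lint a Samba AD DC smb.conf against the advice given in the thread (added example)."""
import re
import sys

# Constructed sample: old 4.8.2-era [global] lines merged with the
# provision-generated ones from the thread; [netlogon] intentionally omitted.
SAMPLE_SMB_CONF = """\
[global]
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        ntlm auth = yes
        winbind use default domain = yes
        log level = 2 passdb:5 auth:10 winbind:2 lanman:10
        dns forwarder = 209.18.47.61
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
        interfaces = lo, eth1
        bind interfaces only = Yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
"""

# The four lines Rowland says to add unless printing via Samba is needed.
PRINTING_OFF = {
    "load printers": "no",
    "printing": "bsd",
    "printcap name": "/dev/null",
    "disable spoolss": "yes",
}

REQUIRED_DC_SHARES = ("sysvol", "netlogon")


def parse_smb_conf(text):
    """Return {section: {key: value}}; section names and keys are lower-cased
    because Samba matches parameter names case-insensitively."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: keys like 'idmap_ldb:use rfc2307' contain ':'.
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_dc_conf(sections):
    """Apply the thread's advice; return a list of (category, message)."""
    g = sections.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return [("info", "server role is not 'active directory domain controller'; DC checks skipped")]
    findings = []
    if "server services" in g:
        findings.append(("remove", "server services: not required when the internal DNS server is used"))
    # 'yes' (alias ntlmv1-permitted) allows NTLMv1; only justified if SMBv1 clients remain.
    if g.get("ntlm auth", "").lower() in ("yes", "true", "ntlmv1-permitted"):
        findings.append(("review", "ntlm auth: permits NTLMv1; keep only if SMBv1 clients remain"))
    if "winbind use default domain" in g:
        findings.append(("remove", "winbind use default domain: has no effect on a Samba AD DC"))
    if "lanman:" in g.get("log level", ""):
        findings.append(("remove", "log level: the 'lanman' debug class is not needed"))
    missing_print = [k for k, v in PRINTING_OFF.items() if g.get(k, "").lower() != v]
    if missing_print:
        findings.append(("add", "printing-disable lines missing: " + ", ".join(missing_print)))
    for share in REQUIRED_DC_SHARES:
        if share not in sections:
            findings.append(("add", f"[{share}] share is required on a Samba AD DC"))
    extra = sorted(s for s in sections if s not in ("global",) + REQUIRED_DC_SHARES)
    if extra:
        findings.append(("review", "file shares on a DC are not recommended: " + ", ".join(extra)))
    return findings


def lint_file(path):
    """Convenience wrapper: lint an smb.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        return lint_dc_conf(parse_smb_conf(fh.read()))


if __name__ == "__main__":
    conf = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for category, message in lint_dc_conf(parse_smb_conf(conf)):
        print(f"{category:7s} {message}")
```

Run it with no argument to lint the embedded sample, or pass the path of a real smb.conf. Treat the output as a checklist against the thread, not as a substitute for `testparm`, which is still the authoritative syntax check.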