[Samba] Provisioning new AD Domain Controller
Rowland Penny
rpenny at samba.org
Tue Dec 5 10:18:00 UTC 2023
On Sun, 03 Dec 2023 18:10:03 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> Before attempting to join domain members with my newly provisioned
> AD/DC, there are some differences between this new smb.conf and the
> one from the current DC running Samba 4.8.2. Please advise if I need
> any of these:
>
> [global]
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl,winbind, ntp_signd, kcc, dnsupdate
As you are now using the internal dns server, that 'server services'
line is no longer required.
> ntlm auth = yes
Are you still using SMBv1 anywhere?
If not, then you do not need that line either.
> winbind use default domain = yes
You never needed that line on a Samba AD DC, mainly because it doesn't
work on a Samba AD DC.
> template shell = /bin/bash
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10
What you get Samba to log is up to you, but I am fairly sure that you
do not need 'lanman'.
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
Those four lines stop printing from working on the machine via Samba,
so, unless you need printing, I would add them.
>
> [Users]
> path = /redirectedFolders/Users
> comment = user folders for redirection
> read only = No
>
> [share]
> path = /var/lib/samba/share
> comment = Shared folder
> read only = No
You really shouldn't use a DC as a fileserver, but if you are, then you
are going to have to configure them.
>
> I don't know what [share] was used for and perhaps that is not needed.
>
> My entire current samba-tool provision generated smb.conf is:
>
> [global]
> dns forwarder = 209.18.47.61
> netbios name = DC1
> realm = HPRS.LOCL
> server role = active directory domain controller
> workgroup = HPRS
> idmap_ldb:use rfc2307 = yes
> interfaces = lo, eth1
> bind interfaces only = Yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/hprs.locl/scripts
> read only = No
You didn't show 'sysvol' and 'netlogon' as shares in your original
smb.conf, but they are required on a Samba AD DC.
Rowland
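The remarks in this reply can be turned into a small pre-join check. The script below is an added example and is not part of the thread or of Samba itself; the hypothetical `audit_dc_smb_conf()` function encodes Rowland's points (the explicit 'server services' list, 'ntlm auth', 'winbind use default domain', the 'lanman' debug class, extra file shares, and the required [sysvol] and [netlogon] shares) as rules, and the two smb.conf texts are constructed samples that mirror the shapes quoted above, with placeholder domain and forwarder values.

```python
import configparser
from typing import List

# Global options the reply says are unnecessary (or ineffective) on a Samba
# AD DC.  The reasons are paraphrased from the thread, not from Samba docs.
REDUNDANT_GLOBALS = {
    "server services": "not needed once the DC uses the internal DNS server",
    "ntlm auth": "only needed if SMBv1 clients are still in use",
    "winbind use default domain": "has no effect on a Samba AD DC",
}
REQUIRED_SHARES = ("sysvol", "netlogon")


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text with configparser.

    interpolation=None: Samba uses %U/%m style substitutions, not %(name)s.
    delimiters=("=",): ':' must not split keys such as 'idmap_ldb:use rfc2307'.
    Indentation is stripped so configparser never treats an indented option
    as a continuation of the previous value.
    """
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def audit_dc_smb_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    cp = parse_smb_conf(text)
    # share names are case-insensitive in smb.conf, so compare lower-cased
    sections = {s.lower(): s for s in cp.sections()}
    findings: List[str] = []

    g = cp[sections["global"]] if "global" in sections else {}
    if g.get("server role", "").strip().lower() != "active directory domain controller":
        findings.append("server role: this is not an AD DC configuration")
    for opt, why in REDUNDANT_GLOBALS.items():
        if opt in g:                       # option names are lower-cased by configparser
            findings.append(f"{opt}: {why}")
    if "lanman" in g.get("log level", "").lower():
        findings.append("log level: the 'lanman' debug class is not needed")

    for share in REQUIRED_SHARES:
        if share not in sections:
            findings.append(f"[{share}]: missing; required on a Samba AD DC")
    extra = [sections[s] for s in sections if s not in ("global", *REQUIRED_SHARES)]
    if extra:
        findings.append("extra shares " + ", ".join(extra)
                        + ": a DC should not double as a file server")
    return findings


# Constructed sample: the shape of the old 4.8.2-era DC config quoted above.
OLD_CONF = """
[global]
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
ntlm auth = yes
winbind use default domain = yes
log level = 2 passdb:5 auth:10 winbind:2 lanman:10

[Users]
path = /redirectedFolders/Users
read only = No
"""

# Constructed sample: the shape of a fresh 'samba-tool domain provision' output
# (placeholder realm and forwarder, not real values).
NEW_CONF = """
[global]
dns forwarder = 192.0.2.53
netbios name = DC1
realm = EXAMPLE.LAN
server role = active directory domain controller
workgroup = EXAMPLE
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/example.lan/scripts
read only = No
"""

if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("provisioned", NEW_CONF)):
        print(f"== {name} ==")
        for f in audit_dc_smb_conf(conf) or ["no findings"]:
            print(" -", f)
```

The check only covers the points raised in this thread and does not replace `testparm -s`, which remains the authoritative syntax check for a real smb.conf; configparser also knows nothing about Samba's `include` or `config backend` handling, so run it on the file as Samba will actually read it.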