[Samba] Provisioning new AD Domain Controller

Mark Foley mfoley at novatec-inc.com
Wed Dec 6 06:28:31 UTC 2023


On Tue Dec  5 05:18:37 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sun, 03 Dec 2023 18:10:03 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Before attempting to join domain members with my newly provisioned
> > AD/DC, there are some difference between this new smb.conf and the
> > one from the current DC running Samba 4.8.2. Please advise if I need
> > any of these:
> > 
> > [global]
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl,winbind, ntp_signd, kcc, dnsupdate
>
> As you are now using the internal dns server, that 'server services'
> line is no longer required.
>
> > ntlm auth = yes
>
> Are you still using SMBv1 anywhere ?
> If not then you do not need that line either.
>
> > winbind use default domain = yes
>
> You never needed that line on a Samba AD DC, mainly because it doesn't
> work on a Samba AD DC.
>
> > template shell = /bin/bash
> > log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> What you get Samba to log is up to you, but I am fairly sure that you
> do not need 'lanman'
>
> > 
> >     load printers = no
> >     printing = bsd   
> >     printcap name = /dev/null
> >     disable spoolss = yes
>
> Those four lines stop printing from working on the machine via Samba,
> so, unless you need printing, I would add them.
>
> > 
> > [Users]
> >     path = /redirectedFolders/Users
> >     comment = user folders for redirection
> >     read only = No
> > 
> > [share]
> >     path = /var/lib/samba/share
> >     comment = Shared folder
> >     read only = No
>
> You really shouldn't use a DC as a fileserver, but if you are, then you
> are going to have to configure them.
>
> > 
> > I don't know what [share] was used for and perhaps that is not needed.
> > 
> > My entire current samba-tool provision generated smb.conf is:
> > 
> > [global]
> >         dns forwarder = 209.18.47.61
> >         netbios name = DC1
> >         realm = HPRS.LOCL
> >         server role = active directory domain controller
> >         workgroup = HPRS
> >         idmap_ldb:use rfc2307 = yes
> >         interfaces = lo, eth1
> >         bind interfaces only = Yes
> >     
> >     load printers = no
> >     printing = bsd
> >     printcap name = /dev/null
> >     disable spoolss = yes
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/hprs.locl/scripts
> >         read only = No
>
> You didn't show 'sysvol' and 'netlogon' as shares in your original
> smb.conf, but they are required on a Samba AD DC.
>
> Rowland

OK! I think you've answered my questions. No, I didn't include 'sysvol' or
'netlogon' in my posting of the old/current DC's smb.conf. I only included those
directives that were in the old DC, but not in the new one. They are there in
the old DC.

'Redirected Folders' is useful, especially if a Windows workstation has a drive
crash, so I'll experiment with that.

I'll leave out the 'ntlm auth' for now unless it proves needful for some reason, in
which case I'll first try 'ntlm auth = ntlmv2-only'.

Thanks! --Mark
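Added example (editor's note, not part of the thread and not Samba's own tooling): a small
POSIX shell check that encodes the smb.conf points raised in the reply above, so a
migrated DC config can be screened before joining members. It checks that 'server role' is
an AD DC, that the required [sysvol] and [netlogon] shares exist, and warns on 'ntlm auth =
yes' (which permits NTLMv1, hence the 'ntlmv2-only' alternative), on 'winbind use default
domain', and on a 'server services' line when the internal DNS server ('dns forwarder') is
in use. The embedded sample smb.conf is constructed from the configs posted in the thread
with the three directives the reply says to drop added back, so the demo run should report
three warnings. The accepted 'server role' and 'ntlm auth' spellings are the ones documented
in smb.conf(5); other aliases Samba accepts are not handled. This is a screen, not a
replacement for `testparm -s`, which remains the authoritative parser.

```sh
#!/bin/sh
# check_dc_smbconf.sh: screen a Samba AD DC smb.conf for the issues discussed
# in this thread. Added example for the list archive; not Samba project code.

TAB=$(printf '\t')

# Constructed sample: the provisioned smb.conf from the thread plus the three
# carried-over directives that the reply says an AD DC does not need.
SAMPLE_SMBCONF="[global]
        dns forwarder = 209.18.47.61
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
        interfaces = lo, eth1
        bind interfaces only = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        ntlm auth = yes
        winbind use default domain = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/hprs.locl/scripts
        read only = No
"

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_params FILE: print "section<TAB>key<TAB>value" per parameter, with the
# section and key lowercased and trimmed (smb.conf names are case/space
# insensitive); comment (# ;) and blank lines are skipped.
smb_params() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      section = tolower(s); next }
        /=/ { i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
              gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
              print section "\t" tolower(k) "\t" v }
    ' "$1"
}

# smb_get FILE SECTION KEY: print the value, or nothing if unset.
smb_get() {
    smb_params "$1" | awk -F'\t' -v s="$2" -v k="$3" '$1 == s && $2 == k { print $3; exit }'
}

# smb_has_section FILE NAME: true if a [NAME] header exists (case-insensitive).
smb_has_section() { grep -qi "^[ $TAB]*\[$2]" "$1"; }

# check_dc_smbconf FILE: print one finding per line ("OK" if none) and return
# the number of findings, so the check can gate a provisioning script.
check_dc_smbconf() {
    f=$1; n=0
    role=$(lc "$(smb_get "$f" global 'server role')")
    case "$role" in
        "active directory domain controller"|dc) ;;   # documented spellings
        *) echo "ERROR: server role is '$role', expected 'active directory domain controller'"
           n=$((n + 1)) ;;
    esac
    for share in sysvol netlogon; do
        smb_has_section "$f" "$share" || { echo "ERROR: required share [$share] is missing"; n=$((n + 1)); }
    done
    case "$(lc "$(smb_get "$f" global 'ntlm auth')")" in
        yes|ntlmv1-permitted)
            echo "WARN: 'ntlm auth' permits NTLMv1; remove it or set 'ntlm auth = ntlmv2-only'"
            n=$((n + 1)) ;;
    esac
    if [ -n "$(smb_get "$f" global 'winbind use default domain')" ]; then
        echo "WARN: 'winbind use default domain' has no effect on an AD DC"; n=$((n + 1))
    fi
    if [ -n "$(smb_get "$f" global 'server services')" ] && [ -n "$(smb_get "$f" global 'dns forwarder')" ]; then
        echo "WARN: 'server services' is redundant when the internal DNS server (dns forwarder) is used"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ] && echo OK
    return "$n"
}

# Usage: check_dc_smbconf.sh [/etc/samba/smb.conf]; with no argument the
# embedded sample is checked (expect three warnings).
if [ -n "${1:-}" ]; then
    check_dc_smbconf "$1"
else
    tmp=$(mktemp); printf '%s' "$SAMPLE_SMBCONF" > "$tmp"
    check_dc_smbconf "$tmp"
    rm -f "$tmp"
fi
```

Run it against the live file after `samba-tool domain provision`; an "OK" here still only
means the thread's specific points are clear, so follow it with `testparm -s` before joining
any domain member.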
