[Samba] netlogon does not run

Rowland Penny rpenny at samba.org
Wed Jul 5 07:24:57 UTC 2023 

Please see inline notes:

On 05/07/2023 06:03, Edson Wolf via samba wrote:
> 
> smb.conf
> 
> # Global parameters
> [global]
>      netbios name = DC0
>      dns forwarder = 192.168.2.4
>      realm = GRANMARMO.INTRANET
>      server role = active directory domain controller
>      workgroup = GRANMARMO
>      ntlm auth = mschapv2-and-ntlmv2-only
>      password hash userPassword schemes = CryptSHA256 CryptSHA512

I take it you are syncing passwords to an external ldap server.

>      rpc server dynamic port range = 50000-55000

Can I ask why you are not using the default ports ?

>      loglevel = 30 auth:5 winbind:5 passdb:5
>      time server = yes

'time server' is an nmbd thing and is not used on an AD DC.

>      security = user

I would never set 'security = user' on an AD DC, you should rely on the 
default 'security = auto', which will then force Samba to consult the 
'server role' parameter.

> 
> ###Numero maximo dec conexões no winbind
>      winbind max domain connections = 10

'winbind max domain connections' should not really be used on an AD DC.

> 
> ###Habilitar autenticação offline
>      winbind offline logon = yes

I do not see the point of running this on an AD DC, if it goes offline, 
what is going to connect to it ? It also turns off the 'winbind max 
domain connections' line above.

> 
>      os level = 34

'os level' is another nmbd thing that should not be used on an AD DC.

>      logon script = netlogon.bat

'logon script' is not used on an AD DC, your Windows clients should find 
netlogon via ldap (see the 'scriptPath' attribute), or better still, via 
a GPO.

> 
> [netlogon]
>      path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
>      read only = Yes
>      guest ok = Yes
>      browseable = No
> 
> chmod 700 /var/lib/samba/sysvol/granmarmo.intranet/scripts

Sorry, but you have just broken the permissions on Sysvol, I suggest you 
run 'samba-tool ntacl sysvolreset'

Speaking of Sysvol, what has happened to the '[sysvol]' share ?

> 
> netlogon.bat
> 
> @echo on
> cls
> echo Sincronizando a hora ...
> net time \\dc0 /set /yes
> 
> echo Mapeando a rede ...
> net use * /delete /yes
> net use p: \\arquivos\Publico
> 
> 

Is that in DOS format ?

> \\dc0\netlogon\netlogon.bat
> 
> If I double click on netlogon.bat it executes
> 


It looks like you are trying to run a Samba AD DC as if it is an old 
NT4-style PDC. Sorry, but this will not work, you need to run it has an 
AD DC.

Rowland

More information about the samba mailing list