[Samba] netlogon does not run
Edson Wolf
edsonwolf at vivaldi.net
Mon Jul 10 13:06:23 UTC 2023
On 05/07/2023 03:24 AM, Rowland Penny via samba wrote:
> Please see inline notes:
>
> On 05/07/2023 06:03, Edson Wolf via samba wrote:
>>
>> smb.conf
>>
>> # Global parameters
>> [global]
>> netbios name = DC0
>> dns forwarder = 192.168.2.4
>> realm = GRANMARMO.INTRANET
>> server role = active directory domain controller
>> workgroup = GRANMARMO
>> ntlm auth = mschapv2-and-ntlmv2-only
>> password hash userPassword schemes = CryptSHA256 CryptSHA512
>
> I take it you are syncing passwords to an external ldap server.
No. Withdrawn
>
>> rpc server dynamic port range = 50000-55000
>
> Can I ask why you are not using the default ports ?
Withdrawn
>
>> loglevel = 30 auth:5 winbind:5 passdb:5
>> time server = yes
>
> 'time server' is an nmbd thing and is not used on an AD DC.
Withdrawn
>
>> security = user
>
> I would never set 'security = user' on an AD DC, you should rely on the
> default 'security = auto', which will then force Samba to consult the
> 'server role' parameter.
Done
>
>>
>> ### Maximum number of winbind connections
>> winbind max domain connections = 10
>
> 'winbind max domain connections' should not really be used on an AD DC.
Done
>
>>
>> ### Enable offline authentication
>> winbind offline logon = yes
>
> I do not see the point of running this on an AD DC, if it goes offline,
> what is going to connect to it ? It also turns off the 'winbind max
> domain connections' line above.
Withdrawn
>
>>
>> os level = 34
>
> 'os level' is another nmbd thing that should not be used on an AD DC.
Withdrawn
>
>> logon script = netlogon.bat
>
> 'logon script' is not used on an AD DC, your Windows clients should
> find netlogon via ldap (see the 'scriptPath' attribute), or better
> still, via a GPO.
Withdrawn
>
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
>> read only = Yes
>> guest ok = Yes
>> browseable = No
>>
>> chmod 700 /var/lib/samba/sysvol/granmarmo.intranet/scripts
>
> Sorry, but you have just broken the permissions on Sysvol, I suggest
> you run 'samba-tool ntacl sysvolreset'
Done
>
> Speaking of Sysvol, what has happened to the '[sysvol]' share ?
I didn't put it here, but it's in smb.conf.
Thanks for all the tips.
>
>>
>> netlogon.bat
>>
>> @echo on
>> cls
>> echo Sincronizando a hora ...
>> net time \\dc0 /set /yes
>>
>> echo Mapeando a rede ...
>> net use * /delete /yes
>> net use p: \\arquivos\Publico
>>
>>
>
> Is that in DOS format ?
Yes
>
>> \\dc0\netlogon\netlogon.bat
>>
>> If I double click on netlogon.bat it executes
>>
>
>
> It looks like you are trying to run a Samba AD DC as if it is an old
> NT4-style PDC. Sorry, but this will not work, you need to run it as an
> AD DC.
Done
>
> Rowland
I thought it was possible to use Samba without having to use a Windows
station to create the rules. As I will only use access control groups, I
thought it was possible. I would use everything in logonscript.bat.
Now it's running OK.
Thanks
--
Persistence is the path to success.
Charles Chaplin
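As an added check (not Samba code and not from anyone in this thread), the script below flags, in a given smb.conf, the nmbd/NT4-era parameters Rowland lists above, an explicit 'security' setting, a [netlogon] path outside Sysvol, and a missing [sysvol] share. It assumes only POSIX sh and awk and runs over a constructed sample built from the posted [global] section.

```shell
#!/bin/sh
# Added lint for the NT4-era parameters flagged in this thread (not Samba code);
# it parses smb.conf by hand, so testparm need not be installed.
lint_smb_conf() {
    awk '
    BEGIN {   # [global] parameters the review says have no place on an AD DC
        split("os level|time server|logon script|winbind max domain connections|winbind offline logon", u, "|")
        for (i in u) unwanted[u[i]] = 1
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments and blank lines
    /^[ \t]*\[/ { sec = tolower($0); gsub(/\[|\]|[ \t]/, "", sec); seen[sec] = 1; next }
    index($0, "=") == 0 { next }
    {
        key = tolower(substr($0, 1, index($0, "=") - 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        val = tolower(substr($0, index($0, "=") + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "global") {
            if (key == "server role") role = val
            if (key in unwanted) print "[global] remove \047" key " = " val "\047: not used on an AD DC"
            # security must stay at its default "auto" so that server role decides
            if (key == "security" && val != "auto") print "[global] remove \047security = " val "\047: rely on the default auto"
        }
        # the netlogon share must sit inside the Sysvol tree (ACLs set by samba-tool ntacl sysvolreset)
        if (sec == "netlogon" && key == "path" && index(val, "/sysvol/") == 0) print "[netlogon] path " val " is outside sysvol"
    }
    END {
        if (role != "active directory domain controller") print "[global] server role is not active directory domain controller"
        if (!("sysvol" in seen)) print "missing [sysvol] share"
        if (!("netlogon" in seen)) print "missing [netlogon] share"
    }' "$1"
}

# Constructed sample: the posted [global] section, with the [sysvol] share left out
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
    server role = active directory domain controller
    security = user
    time server = yes
    os level = 34
    logon script = netlogon.bat
    winbind max domain connections = 10
    winbind offline logon = yes
[netlogon]
    path = /var/lib/samba/sysvol/granmarmo.intranet/scripts
EOF

lint_smb_conf "$SAMPLE_CONF"
```

Run it against /etc/samba/smb.conf on the DC; a clean AD DC configuration prints nothing.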