[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain
Rowland Penny
rpenny at samba.org
Wed May 31 16:16:00 UTC 2023
On 31/05/2023 16:44, Ivan Lopez via samba wrote:
> Hi, Rowland. Thanks for your answer. There is the result of testparm -s
> in Ubuntu 20. I've sent the result of testparm -v because I thought that
> some default could have changed between versions.
There may have been changes between versions, but it is what you are
running now that counts; your very long smb.conf was off-putting, to say
the least.
>
> #sudo testparm -s
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> client ipc min protocol = NT1
>
> client min protocol = NT1
>
> client max protocol = NT1
> dns proxy = No
> log file = /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> realm = OUR.REALM
> security = ADS
> server role = standalone server
I would remove that, it isn't a standalone server.
> server string = %h server (Samba, Ubuntu)
> syslog = 0
> template shell = /bin/bash
> unix password sync = Yes
You do need to remove that; you do not sync local users to domain users,
you map domain users to be Unix users.
> usershare allow guests = Yes
> winbind use default domain = Yes
> workgroup = OUR
> idmap config our : range = 16777220-33554431
> idmap config our : backend = rid
> idmap config * : range = 5000-16777200
> idmap config * : backend = tdb
Why do you use such a large range for the default '*' domain, over 16
million for something that is meant for the Well Known SIDs (there are
fewer than 200 of them) and anything outside the 'OUR' domain (there will
be very few, if any, of those)?

Between 4.7.0 and 4.15.0 a few parameters changed defaults. These may be
relevant; these are the defaults on 4.15.x:
lanman auth = no
client plaintext auth = no
client NTLMv2 auth = yes
client lanman auth = no
You may need to add these, with the value set to the opposite, i.e.
'lanman auth = yes'.
Rowland
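
The checks raised in the reply above, as an added Python example that is not part of the original message or of Samba. It goes slightly beyond the thread by also flagging overlapping idmap ranges and any value that differs from the 4.15.x defaults listed; the function names, the constructed sample and the 100,000-ID threshold are assumptions.

```python
import re
# Constructed input: a subset of the [global] settings quoted in the thread.
SAMPLE = """[global]
    security = ADS
    server role = standalone server
    unix password sync = Yes
    idmap config our : range = 16777220-33554431
    idmap config * : range = 5000-16777200
"""
# Defaults on 4.15.x as listed in the reply above.
DEFAULTS_4_15 = {"lanman auth": "no", "client plaintext auth": "no",
                 "client ntlmv2 auth": "yes", "client lanman auth": "no"}
MAX_DEFAULT_IDS = 100_000  # assumed review threshold, not a Samba limit

def parse_global(text):
    """Collect [global] parameters; names are lower-cased, spaces collapsed."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """Return short finding strings for a domain-member configuration."""
    p, found, ranges = parse_global(text), [], {}
    member = p.get("security", "").lower() in ("ads", "domain")
    if member and p.get("server role", "").lower() == "standalone server":
        found.append("server role contradicts security")
    if member and p.get("unix password sync", "no").lower() in ("yes", "true", "1"):
        found.append("unix password sync on a domain member")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?range", key)
        if m:
            ranges[m.group(1)] = tuple(int(n) for n in value.split("-"))
    if "*" in ranges and ranges["*"][1] - ranges["*"][0] + 1 > MAX_DEFAULT_IDS:
        found.append("default idmap range larger than needed")
    doms = sorted(ranges)  # idmap ranges of different domains must not overlap
    found += [f"idmap ranges overlap: {a} and {b}"
              for i, a in enumerate(doms) for b in doms[i + 1:]
              if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
    for name, default in DEFAULTS_4_15.items():
        if name in p and p[name].lower() != default:
            found.append(f"{name} differs from 4.15 default")
    return found

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The same function can be run over the text produced by `testparm -s`, since it only reads the `[global]` section.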