[Samba] samba+winbindd problem joining Ubuntu 20+ to windows 2000 domain

Rowland Penny rpenny at samba.org
Wed May 31 16:16:00 UTC 2023



On 31/05/2023 16:44, Ivan Lopez via samba wrote:
> Hi, Rowland. Thanks for your answer. There is the result of testparm -s 
> in Ubuntu 20. I've sent the result of testparm -v because I thought that 
> some default could have changed between versions.

There may have been changes between versions, but it is what you are 
running now that counts; your very long smb.conf was off-putting, to say 
the least.

> 
> #sudo testparm -s
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
>      client ipc min protocol = NT1
> 
>      client min protocol = NT1
> 
>      client max protocol = NT1
>      dns proxy = No
>      log file = /var/log/samba/log.%m
>      map to guest = Bad User
>      max log size = 1000
>      obey pam restrictions = Yes
>      pam password change = Yes
>      panic action = /usr/share/samba/panic-action %d
>      passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>      passwd program = /usr/bin/passwd %u
>      realm = OUR.REALM
>      security = ADS
>      server role = standalone server

I would remove that, it isn't a standalone server.

>      server string = %h server (Samba, Ubuntu)
>      syslog = 0
>      template shell = /bin/bash
>      unix password sync = Yes

You do need to remove that; you do not sync local users to domain users, 
you map domain users to be Unix users.

>      usershare allow guests = Yes
>      winbind use default domain = Yes
>      workgroup = OUR
>      idmap config our : range = 16777220-33554431
>      idmap config our : backend = rid
>      idmap config * : range = 5000-16777200
>      idmap config * : backend = tdb

Why do you use such a large range for the default '*' domain, over 16 
million for something that is meant for the Well Known SIDs (there are 
fewer than 200 of them) and anything outside the 'OUR' domain (there will 
be very few, if any, of those)?

Between 4.7.0 and 4.15.0 a few parameters changed defaults; these may be 
relevant. These are the defaults on 4.15.x:

lanman auth = no
client plaintext auth = no
client NTLMv2 auth = yes
client lanman auth = no

You may need to add these, with the value set to the opposite, i.e. 
'lanman auth = yes'.

Rowland
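As an added example (not part of this thread or of Samba itself), a small checker that reads testparm -s style output and flags the three points raised above: an explicit 'server role' on an 'security = ADS' member, 'unix password sync' left on, and idmap ranges that overlap or a '*' range far larger than the few hundred ids it needs. The sample config is constructed from the quoted output; STAR_MAX_SPAN is an assumed heuristic, not a Samba setting.

```python
import re

# Constructed sample: the relevant [global] lines from the testparm -s output quoted above.
SAMPLE = """\
[global]
     realm = OUR.REALM
     security = ADS
     server role = standalone server
     unix password sync = Yes
     workgroup = OUR
     idmap config our : range = 16777220-33554431
     idmap config our : backend = rid
     idmap config * : range = 5000-16777200
     idmap config * : backend = tdb
"""
STAR_MAX_SPAN = 10000  # assumed heuristic: '*' only has to hold well-known SIDs and strays

def parse_global(text):
    """Return [global] parameters as {normalised key: value}; other sections are ignored."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip()
    return params

def idmap_ranges(params):
    """Map each idmap domain ('*', 'our', ...) to its (low, high) id range."""
    out = {}
    for key, val in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            out[m.group(1)] = (lo, hi)
    return out

def check(text):
    """Return the findings a reviewer would raise against this domain-member config."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() == "ads" and p.get("server role", "member server").lower() != "member server":
        findings.append(f"server role: '{p['server role']}' set on an AD member; remove it")
    if p.get("unix password sync", "no").lower() in ("yes", "true", "1"):
        findings.append("unix password sync: remove it, domain users are mapped to Unix users, not synced")
    ranges, names = idmap_ranges(p), sorted(idmap_ranges(p))
    for i, a in enumerate(names):  # no two idmap ranges may overlap
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if "*" in ranges and ranges["*"][1] - ranges["*"][0] + 1 > STAR_MAX_SPAN:
        findings.append(f"idmap config * : range spans {ranges['*'][1] - ranges['*'][0] + 1} ids, far more than needed")
    return findings
```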