[Samba] Unable to contact RPC server on a new DC

Andrey Repin anrdaemon at yandex.ru
Tue Nov 7 18:52:56 UTC 2023


Greetings, Rowland Penny via samba!

> I would remove these from the DC smb.conf, they are either defaults, not
> required or flat out doing nothing on a DC:
>
>         auto services = homes
>         client ldap sasl wrapping = sign
>         tls enabled = Yes

Without "tls enabled" ldaps:// access does not work.

>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind nss info = rfc2307
>         winbind use default domain = Yes
>         idmap config darkdragon : unix_nss_info = yes
>         idmap config darkdragon : unix_primary_group = yes
>         idmap config darkdragon : range = 2048-131071
>         idmap config darkdragon : schema_mode = rfc2307
>         idmap config darkdragon : backend = ad
>         idmap config * : range = 1024-2047
>         idmap config * : schema_mode = rfc2307
>         idmap config * : backend = tdb
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr

I agree that most of these are either defaults or irrelevant for a DC. I mostly
keep them for self-reference.

> Andrey, sorry but words fail me about that Unix domain member smb.conf,
> it appears to be most of an NT4-style BDC grafted onto the smb.conf for
> an AD domain member. Most (if not all) of the NT4-style parameters
> should be removed, they aren't really doing anything anyway, the DC
> isn't doing SMBv1 and they rely on it.

Here's a (hopefully) saner member config. Still not usable.

# Global parameters
[global]
        dos charset = CP866
        workgroup = DARKDRAGON
        realm = ADS.DARKDRAGON.LAN
        interfaces = lo eth0
        security = ADS
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log level = 1
        client ldap sasl wrapping = sign
        printcap name = /dev/null
        preload = homes
        auto services = homes
        panic action = /usr/share/samba/panic-action %d
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config darkdragon : range = 2048-131071
        idmap config darkdragon : schema_mode = rfc2307
        idmap config darkdragon : backend = ad
        idmap config * : range = 1024-2047
        idmap config * : backend = tdb
        map acl inherit = Yes
        store dos attributes = Yes
        vfs objects = acl_xattr

[homes]
        comment = Home Directory
        path = /home/%S
        valid users = %S
        read only = No
        browseable = No
        csc policy = disable
        follow symlinks = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
        csc policy = disable

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

[wwwroot]
        path = /home
        read only = No
        mangled names = No
        csc policy = disable
        follow symlinks = No

What about the errors I see on the DC? Can we first try to fix these? Internet
results only tell me that "cleaning up the DB helps" without much useful
info.


-- 
With best regards,
Andrey Repin
Tuesday, November 7, 2023 21:43:48

Sorry for my terrible English...
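The member config above keeps the domain idmap range (2048-131071) apart from the default "*" range (1024-2047), which is what Samba expects. As an added example (not Samba's own code and not from this thread), here is a small checker that parses the `idmap config` lines of an smb.conf and flags missing, inverted or overlapping ranges; the input is a constructed excerpt of that config.

```python
import re
from typing import Dict, List

# Constructed excerpt of the member smb.conf discussed above (sample input).
SAMPLE_SMB_CONF = """\
[global]
        workgroup = DARKDRAGON
        idmap config darkdragon : range = 2048-131071
        idmap config darkdragon : schema_mode = rfc2307
        idmap config darkdragon : backend = ad
        idmap config * : range = 1024-2047
        idmap config * : backend = tdb
"""

# Matches "idmap config <domain> : <key> = <value>" (smb.conf is case-insensitive).
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap settings per domain, keyed by lower-cased domain and key."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            out.setdefault(dom, {})[key] = val
    return out


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap blocks are consistent."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    if "*" not in cfg:
        problems.append("no 'idmap config *' block for the default domain")
    elif cfg["*"].get("backend", "") != "tdb":
        problems.append(f"*: default backend should be tdb, got {cfg['*'].get('backend')!r}")
    ranges = {}
    for dom, keys in cfg.items():
        if "range" not in keys:
            problems.append(f"{dom}: no range set")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        if lo >= hi:
            problems.append(f"{dom}: empty or inverted range {lo}-{hi}")
        ranges[dom] = (lo, hi)
    # Every pair of ranges must be disjoint; overlaps make ID mappings ambiguous.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return problems
```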
