[Samba] Unable to contact RPC server on a new DC
Rowland Penny
rpenny at samba.org
Tue Nov 7 19:22:44 UTC 2023
On Tue, 7 Nov 2023 21:52:56 +0300
Andrey Repin via samba <samba at lists.samba.org> wrote:
> Greetings, Rowland Penny via samba!
>
> > I would remove these from the DC smb.conf, they are either defaults,
> > not required or flat out doing nothing on a DC:
> >
> > auto services = homes
> > client ldap sasl wrapping = sign
> > tls enabled = Yes
>
> Without "tls enabled" ldaps:// access does not work.
Then you have a problem elsewhere, 'tls enabled = yes' has been the default
since it was introduced at Samba 4.0.0
>
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind nss info = rfc2307
> > winbind use default domain = Yes
> > idmap config darkdragon : unix_nss_info = yes
> > idmap config darkdragon : unix_primary_group = yes
> > idmap config darkdragon : range = 2048-131071
> > idmap config darkdragon : schema_mode = rfc2307
> > idmap config darkdragon : backend = ad
> > idmap config * : range = 1024-2047
> > idmap config * : schema_mode = rfc2307
> > idmap config * : backend = tdb
> > store dos attributes = Yes
> > vfs objects = dfs_samba4 acl_xattr
>
> I agree that most of these either defaults or irrelevant for a DC. I
> mostly keep them for self-reference.
Then I suggest you just comment them out, you definitely shouldn't have
the 'idmap config' lines in a DC smb.conf
>
> > Andrey, sorry but words fail me about that Unix domain member
> > smb.conf, it appears to be most of an NT4-style BDC grafted onto
> > the smb.conf for an AD domain member. Most (if not all) of the
> > NT4-style parameters should be removed, they aren't really doing
> > anything anyway, the DC isn't doing SMBv1 and they rely on it.
>
> Here's a (hopefully) saner member config. Still not usable.
>
> # Global parameters
> [global]
> dos charset = CP866
> workgroup = DARKDRAGON
> realm = ADS.DARKDRAGON.LAN
> interfaces = lo eth0
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log level = 1
> client ldap sasl wrapping = sign
> printcap name = /dev/null
> preload = homes
> auto services = homes
> panic action = /usr/share/samba/panic-action %d
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
> [homes]
> comment = Home Directory
> path = /home/%S
> valid users = %S
> read only = No
> browseable = No
> csc policy = disable
> follow symlinks = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> csc policy = disable
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [wwwroot]
> path = /home
> read only = No
> mangled names = No
> csc policy = disable
> follow symlinks = No
>
That's better :-)
> What about errors I see on the DC? Can we first try to fix these?
> Internet results only telling that "cleaning up the DB helps" without
> much of any useful info.
>
>
Get rid of the extraneous parameters in your DC smb.conf and your
problems may just go away.
Rowland
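As an added example (not part of the thread, and not a Samba tool), here is a small Python check that reads an smb.conf and flags the [global] parameters Rowland says do not belong in a DC configuration; the DC_UNNEEDED set is taken from his list, and the sample config is constructed for illustration.

```python
import re
# Parameters Rowland names as defaults, not required or inert on a DC.
DC_UNNEEDED = {
    "auto services", "client ldap sasl wrapping", "tls enabled",
    "winbind enum groups", "winbind enum users", "winbind nss info",
    "winbind use default domain", "store dos attributes", "vfs objects",
}

def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf parser: section name -> {normalised parameter: value}."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # stray line outside a section
        key, value = line.split("=", 1)
        # Samba ignores case and surrounding whitespace in parameter names
        key = " ".join(key.strip().lower().split())
        sections[current][key] = value.strip()
    return sections

def dc_config_findings(text: str) -> list[str]:
    """Return one finding per [global] parameter the thread says to drop on a DC."""
    findings = []
    for key in sorted(parse_smb_conf(text).get("global", {})):
        if key.startswith("idmap config"):
            findings.append(f"remove: '{key}' (idmap config lines do not belong in a DC smb.conf)")
        elif key in DC_UNNEEDED:
            findings.append(f"review: '{key}' (default, not required or inert on a DC)")
    return findings

# Constructed sample, modelled on the parameters quoted in the thread
SAMPLE_DC_CONF = """\
[global]
    realm = ADS.DARKDRAGON.LAN
    tls enabled = Yes
    idmap config * : backend = tdb
    idmap config darkdragon : backend = ad
    vfs objects = dfs_samba4 acl_xattr
"""

if __name__ == "__main__":
    print("\n".join(dc_config_findings(SAMPLE_DC_CONF)))
```

Running it against a real DC smb.conf (`testparm -s` output works as input) lists the lines to comment out before looking for the RPC problem elsewhere.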