[Samba] Samba acting as a domain member + netbios

Vincent DROUIN vdrouin at chapsvision.com
Fri Jan 26 08:44:13 UTC 2024


Active Directory running on Windows Server 2019
Samba 4.15.8 (built from buildroot, using heimdal & libgssapi_krb5)
Samba is running on a custom Unix distribution, all ports are open for the tests

testparm -s result:

# Global parameters
[global]
        bind interfaces only = Yes
        disable spoolss = Yes
        idmap cache time = 300
        idmap negative cache time = 0
        interfaces = 127.0.0.0/8 enp0s8
        load printers = No
        machine password timeout = 0
        name cache timeout = 0
        realm = BERTINIT.TEST
        security = ADS
        server string = VDMACHINE File Server
        smb ports = 445
        template homedir = /data/cifs/%%U
        winbind cache time = 0
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind use default domain = Yes
        workgroup = BERTINIT
        idmap config bertinit : range = 3000-999999
        idmap config bertinit : backend = rid
        idmap config * : range = 1000-2999
        idmap config * : backend = tdb


[homes]
        comment = LDAP only
        force create mode = 0775
        force directory mode = 0775
        force group = trans
        force user = %%U
        path = /data/cifs/%%U
        read only = No
        root preexec = /bin/hush /var/lib/samba/scripts/mkhomedir.sh %%U
        valid users = %%U
        vfs objects = full_audit
        full_audit:syslog = false
        full_audit:success = fntimes
        full_audit:prefix = %%u|%%I

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, 25 January 2024 18:35
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba acting as a domain member + netbios

On Thu, 25 Jan 2024 16:28:57 +0000
Vincent DROUIN <vdrouin at chapsvision.com> wrote:

> Thanks for the advice about the security line, I won't use domain type
> anymore then.
>
> I know name_status_find is using NetBios, what I don't know is why
> this function is called when using 'security = ads', and as a result
> of the fail my domain is added to the failed connection cache.

Whilst name_status_find is meant for netbios, if you look at the code, there is this near the top of the function:

        if (lp_disable_netbios()) {
                DEBUG(5,("name_status_find(%s#%02x): netbios is disabled\n",
                                        q_name, q_type));
                return False;
        }

Which to myself, means that if 'disable netbios = yes' is set in smb.conf, then return false and log a message if the log level is 5 or greater.

If 'disable netbios = yes' is set in smb.conf, then netbios shouldn't be used by Samba and you shouldn't be having problems with it.

I think you need to give us a bit more detail:

What version of Windows server?
What version of Samba are you using?
What OS is Samba running on?
Please post the output of 'testparm -s'

At the moment, all I can say is that it all works for myself, but I am using Samba (with netbios turned off and nmbd not running) against a Samba AD DC (again with netbios turned off and nbt turned off).

Rowland

>
> Then, every action that needs to have a look into the cache results in
> failing, and wbinfo -P returns "WBC_ERR_DOMAIN_NOT_FOUND"
>
> I've got the following error message :
> wbd_ping_dc_done: dcerpc_wbint_PingDc_recv failed for domain:
> BERTINIT - NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
>
>
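
An added example, not part of either post and not Samba code: a Python check that reads a non-verbose `testparm -s` dump and reports the effective `disable netbios` value that the `lp_disable_netbios()` guard quoted above tests. It assumes `testparm -s` lists only parameters changed from their defaults and that the default for `disable netbios` is No; the sample input is a constructed, shortened copy of the dump in this post, and the function names are illustrative.

```python
import re

# Constructed sample: a shortened copy of the `testparm -s` dump in this post.
SAMPLE_DUMP = """\
# Global parameters
[global]
        realm = BERTINIT.TEST
        security = ADS
        smb ports = 445
        workgroup = BERTINIT

[homes]
        read only = No
"""

# Boolean spellings documented in smb.conf(5).
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}

def norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def parse_dump(text):
    """Parse smb.conf-style text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(norm(header.group(1)), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def netbios_disabled(dump_text):
    """Effective 'disable netbios' in [global]; an absent line means the default, No."""
    value = parse_dump(dump_text).get("global", {}).get(norm("disable netbios"))
    if value is None:
        return False
    if value.lower() in TRUE_WORDS | FALSE_WORDS:
        return value.lower() in TRUE_WORDS
    raise ValueError(f"not a boolean: {value!r}")
```

On a live member server, pass it the text printed by `testparm -s`; `testparm -sv` prints default values as well and can be used to cross-check the result.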
