[Samba] Domain membership
Anders Östling
anders.ostling at gmail.com
Fri May 3 13:19:01 UTC 2024
I wrote a message a couple of days ago asking about Samba and SMB protocol
levels on an old industrial robot with a pre-2010 Samba. That was resolved
successfully. I now have another question concerning the same systems (the
robots and the new Samba server, HP-SRV03).
root@hp-srv03:/
smbclient -L localhost -U administrator
Enter HPLTS\administrator's password:

    Sharename       Type      Comment
    ---------       ----      -------
    bock            Disk
    IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
Reconnecting with SMB1 for workgroup listing.

    Server               Comment
    ---------            -------

    Workgroup            Master
    ---------            -------
    HPLTS                HP-SRV02
    NUMALLIANCE          R206
    WORKGROUP            HP-SRV03
What puzzles me is the last three lines. The actual domain is HPLTS, to
which the member server HP-SRV03 is joined. NUMALLIANCE is the "name" of
one of the robots. There is no way to change or domain-join these, as I
understand. So why is there a WORKGROUP record with the Samba server's name
as master? Is this just a glitch due to the old Samba version on the robots,
or is it caused by the NT1 protocol level?
The smb.conf looks like this (realm obfuscated):
root@hp-srv03:/BOCK# cat /etc/samba/smb.conf
# Global parameters
[global]
security = ADS
workgroup = HPLTS
realm = HXXXXXXXXEN.SE
server role = member server
log file = /var/log/samba/%m.log
bind interfaces only = yes
interfaces = lo enp1s0
# Enable Group Policy application in winbind,
apply group policies = yes
client min protocol = NT1
server min protocol = NT1
#client min protocol = SMB2
# winbind config:
winbind use default domain = yes
# The following options are only useful for testing. Comment out in production.
winbind enum users = yes
winbind enum groups = yes
# Map Administrator to root
username map = /etc/samba/user.map
min domain uid = 0
# Kerberos
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# Configure shares using extended access control lists (ACL)
# Needed for Linux, as it does not support NFS4 ACLs
vfs objects = acl_xattr
map acl inherit = yes
acl_xattr:ignore system acls = yes
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPLTS : backend = rid
idmap config HPLTS : range = 10000-999999
--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)