[Samba] Joining a 2022-schema Active Directory

Rowland Penny rpenny at samba.org
Thu Oct 3 15:20:38 UTC 2024


On Thu, 3 Oct 2024 16:56:48 +0200
Emmanuel Florac <eflorac at intellique.com> wrote:

> On Thu, 3 Oct 2024 15:21:07 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > From the above, it sounds like you are joining Samba as a Unix
> > domain member (security = ads)
> > 
> 
> Yes absolutely.
> 
> > 
> > If this is a Unix domain member, then the schema is only used on the
> > Windows DC, the Samba Unix domain member never sees it directly.
> > 
> > This sounds like a SMBv1 problem (partially at least), where,
> > because NetBIOS isn't being used, Network Browsing no longer works,
> > but smbclient connecting to a share should.
> > 
> 
> "smbclient" on Linux connects to the share just fine using domain user
> credentials. Only domain members can't...

When you say 'domain members', do you mean users on a Windows machine or
something else?

> 
> 
> I don't have access to the machine right now but the config is
> straightforward :
> 
> /etc/samba/smb.conf
> 
> [global]
>     workgroup = example
>     security = ADS
>     realm = EXAMPLE.LAN
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = Data %h
>
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>     winbind normalize names = Yes
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config EXAMPLE : backend = rid
>     idmap config EXAMPLE : range = 10000-999999
>     template shell = /bin/bash
>     template homedir = /home/EXAMPLE/%U
>
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     map to guest = bad user
>     host msdfs = no
>
>     # user Administrator workaround, without it you are unable to set
>     # privileges
>     username map = /etc/samba/user.map
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     # Share Setting Globally
>     unix extensions = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
>
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> That's a generic configuration I've been using on different domains,
> but never with an AD running higher than WS2016 I guess.
> 

There is nothing there that should stop Samba from working, but it
doesn't use SMBv1, so if your Windows clients are using SMBv1 then it
will not work.

Rowland
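
One way to check the SMBv1 point in the message above against an smb.conf, as an added example that is not part of the original thread or of Samba's own code. It assumes Samba 4.11 or later, where `server min protocol` defaults to SMB2_02 when unset; the function names and the sample text are constructed for illustration, and `include` lines and backslash continuations are not handled.

```python
# Added example: does the [global] section of an smb.conf let SMB1 clients connect?
# Assumption: Samba 4.11+ defaults, where "server min protocol" is SMB2_02 when unset.

# Dialects in ascending order, as accepted by "server min protocol".
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SYNONYMS = {"minprotocol": "serverminprotocol"}  # "min protocol" is a synonym
DEFAULT_MIN = "SMB2_02"  # assumed default (Samba 4.11 and later)


def global_params(conf_text):
    """Return [global] parameters; names are lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            key = "".join(name.lower().split())
            params[SYNONYMS.get(key, key)] = value.strip()  # last setting wins
    return params


def server_min_protocol(conf_text):
    """Effective minimum dialect the server will negotiate."""
    value = global_params(conf_text).get("serverminprotocol", DEFAULT_MIN).upper()
    return ALIASES.get(value, value)


def accepts_smb1(conf_text):
    """True when the minimum dialect is NT1 or older, so SMB1 clients can connect."""
    minimum = server_min_protocol(conf_text)
    if minimum not in DIALECTS:
        raise ValueError(f"unknown dialect: {minimum}")
    return DIALECTS.index(minimum) <= DIALECTS.index("NT1")


# Constructed sample: a cut-down copy of the [global] section quoted in the thread.
SAMPLE = """[global]
    workgroup = example
    security = ADS
    realm = EXAMPLE.LAN
    map to guest = bad user
"""

if __name__ == "__main__":
    print(server_min_protocol(SAMPLE), accepts_smb1(SAMPLE))
```

On a live member server, `testparm -sv` prints the effective value, defaults included, and is the authoritative answer.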




