
Re: [Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode...

On Wed, 21 Jun 2017 18:06:45 +0200
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello! L.P.H. van Belle via samba
>   on that day was saying...
> 
> > He did not post smb.conf ;-) 
> 
> It is full of comments now, because I'm moving some settings from my
> old 'NT' domain...
> 
> 
> [From other thread...]
> 
> > If he has added 'security = user' to his smb.conf, he needs to
> > remove it, you do not use this on a DC.
> 
> Clearly, I've removed that; I added it only to finish the
> post-installation task of the Debian package.
> Sorry if I was not clear.
> 
> 
> > It looks like he got hit by the 'winbind package not installed on
> > debian unless you ask for it' error.
> 
> ?!
> 
> 
> > The rest is shown because he used testparm not samba-tool testparm 

Well, you learn something new every day, I never use 'testparm', I
always use 'samba-tool testparm' and I thought they would give the same
output, obviously not ;-)

> 
> I don't know about that. ;-)
> 
>  root@lupus:~# samba-tool testparm 
>  Press enter to see a dump of your service definitions
>  # Global parameters
>  [global]
> 	bind interfaces only = Yes
> 	interfaces = lo eth0.17
> 	netbios aliases = CUPS FILE MEDIA TIME
> 	netbios name = LUPUS
> 	realm = AD.CORSI.SV.LNF.IT
> 	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	workgroup = SVCORSI
> 	ldap server require strong auth = allow_sasl_over_tls
> 	logon drive = p:
> 	logon home = \\LUPUS\%U
> 	logon path = \\LUPUS\profiles\%U
> 	logon script = startup.bat
> 	load printers = Yes
> 	printcap name = cups
> 	server role = active directory domain controller
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind nss info = rfc2307
> 	idmap config svcorsi : schema_mode = rfc2307
> 	idmap config svcorsi : backend = ad
> 	idmap_ldb:use rfc2307 = yes
> 	dsdb:schema update allowed = true
> 	comment = 
> 	printing = cups
> 
> effectively it is simpler. 

No it isn't, you should definitely remove the 'idmap config' lines.

> I've added surely 'ldap server require
> strong auth = allow_sasl_over_tls' to make exim work, and
> 'dsdb:schema update allowed = true' to modify schema.

You should only have the 'dsdb' line active in smb.conf when you need to
modify the schema; you should turn it off when not required.

> Clearly I've added the 'logon *' options because I need them. ;)

No you don't ;-)
Read up on the Windows and RFC2307 attributes you now have at your
disposal.
 
> 
> Other things were probably added to make the winbind NSS and PAM providers
> work, but finally I've switched to SSSD.

Your decision, but everything that sssd can do, winbind can do and
using sssd is not supported by Samba.

Rowland
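The three points raised in the reply above (no 'security = user' on a DC, no 'idmap config' lines on a DC, and 'dsdb:schema update allowed' left on only while the schema is being changed) can be checked mechanically. The following is an added example, not part of this thread and not Samba's own tooling: a small smb.conf reader plus an audit function that flags those settings when 'server role' says the host is a DC. The sample configuration embedded in it is constructed for the example (placeholder realm and host names, modelled on the dump in the thread), and the parser only covers the key/value and section syntax that appears there; it is not a replacement for 'samba-tool testparm'.

```python
"""Flag smb.conf settings that, per the thread above, do not belong on a Samba AD DC.

Added example, not part of the mailing-list post or of Samba itself.
"""
import re

# Constructed sample, modelled on the samba-tool testparm dump in the thread.
# Realm, workgroup and host names are placeholders, not the poster's values.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
\tnetbios name = DC1
\trealm = AD.EXAMPLE.LAN
\tworkgroup = EXAMPLE
\tserver role = active directory domain controller
\tsecurity = user
\twinbind nss info = rfc2307
\tidmap config example : schema_mode = rfc2307
\tidmap config example : backend = ad
\tidmap_ldb:use rfc2307 = yes
\tdsdb:schema update allowed = true
\tlogon drive = p:

[netlogon]
\tpath = /var/lib/samba/sysvol/ad.example.lan/scripts
\tread only = No
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for an smb.conf-style text.

    Samba matches parameter names case-insensitively and ignores whitespace
    inside them ("idmap config X : backend" is the same key as
    "idmapconfigx:backend"), so keys are lower-cased with whitespace removed.
    Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section; samba-tool testparm would complain
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def audit_dc_config(text):
    """Return a list of findings for a DC smb.conf; an empty list means nothing was flagged."""
    g = parse_smb_conf(text).get("global", {})
    if g.get("serverrole", "").lower() != "active directory domain controller":
        return ["server role is not 'active directory domain controller'; DC checks skipped"]
    findings = []
    if "security" in g:
        findings.append("remove 'security = %s': not used on a DC" % g["security"])
    for key in sorted(k for k in g if k.startswith("idmapconfig")):
        findings.append("remove '%s' line: idmap config does not belong on a DC" % key)
    if g.get("dsdb:schemaupdateallowed", "").lower() in ("true", "yes"):
        findings.append("'dsdb:schema update allowed' is on; enable it only while changing the schema")
    return findings


if __name__ == "__main__":
    for finding in audit_dc_config(SAMPLE_SMB_CONF):
        print("WARNING:", finding)
```

Run against a real file by passing the output of 'samba-tool testparm' to audit_dc_config; the sample above produces four warnings (the 'security' line, the two 'idmap config' lines, and the schema-update switch), and a configuration without those lines produces none.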
