
Re: [Samba] Shares not accessible when using FQDN

On Wed, 30 Aug 2017 12:20:04 +0200 (CEST)
Gaetan SLONGO <gslongo@xxxxxxxxxxxxx> wrote:

> Hi Rowland My test SMB have several test lines and is dirty, for sure
> not correct :-) Could you share your setup to achieve this ? 

This is my working smb.conf (note: I use Samba 4.6.x)

    workgroup = SAMDOM
    security = ADS

    # Uncomment the next two lines if you require a keytab for dovecot etc
    #dedicated keytab file = /etc/krb5.keytab
    #kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : range = 10000-999999
    # uncomment next two lines if not storing shell & unixhomedir in AD
    #template shell = /bin/bash
    #template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logging
    log level = 0

If you are using a version of Samba before 4.6.0, you should remove:

    idmap config SAMDOM : unix_nss_info = yes

and replace it with:

    winbind nss info = rfc2307

For this to work, all my users have a uidNumber attribute containing a
unique number inside the 'SAMDOM' range set in smb.conf (10000-999999)
and 'Domain Users' has a gidNumber inside the same range (note: you can
start the uidNumbers & gidNumbers at the same number, there is no need
to use different start numbers)

I also have a user.map, which contains this:

    !root = SAMDOM\Administrator SAMDOM\administrator Administrator

NOTE 'SAMDOM' is my workgroup name and 'SAMDOM.EXAMPLE.COM' is my realm
name, you should replace them with yours.

