
Re: [Samba] use spnego question - samba 47 to samba48 migration




Thanks everyone who replied to this thread.
I will try the new settings ASAP!

Thanks once again!

Fabricio.


-----Original Message-----
From: samba <samba-bounces@xxxxxxxxxxxxxxx> On Behalf Of Rowland Penny via samba
Sent: Saturday, June 23, 2018 8:13 AM
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration

On Fri, 22 Jun 2018 19:25:11 -0300
Kontrol-Suporte via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello Everyone,
>
> Good evening!
>
> Here is the background:
>
> I am moving from samba47 to samba48 - I am keeping my existing scripts
> and config files.
>
> The messages below are now appearing while executing some tasks in
> samba48 only - samba47 is not showing it:
>
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> Question:  is the "use spnego" deprecated for samba48? If so, what is
> replacing it?
>
> Here is my smb4.conf file:
>
> ###############################
>
> [global]
> workgroup = MYDOMAIN
> map to guest = never
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = no
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> use spnego = yes
> client use spnego = yes
> min protocol = LANMAN2
> idmap gid = 10000-20000
> idmap uid = 10000-20000
> realm  = MYDOMAIN.CORP
> security = ads
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> log level = 3 passdb:5 winbind:3
> usershare allow guests = no
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
>
> ###############################
>
> Thanks Much!
>
> Fabricio.

OK, you have multiple default lines in your smb.conf, these are:

map to guest = never
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = yes
template homedir = /home/%D/%U
winbind nested groups = yes
encrypt passwords = yes
usershare allow guests = no

You might as well remove them.

The following lines are not much use in a Unix domain member smb.conf, they don't work with AD:

logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:

So you might as well remove them as well.

These two lines slow things down and are not actually needed:

winbind enum users = yes
winbind enum groups = yes

You might as well remove them as well.

'use spnego' was removed at 4.8.0, so you must remove this line.

You should also remove the 'socket options' line, you should let your kernel sort this for you.

Finally 'idmap gid' and 'idmap uid' have been deprecated for quite some time and have been replaced by 'idmap config' lines, so with all the removals etc, can I suggest you try this smb.conf:

[global]
    workgroup = MYDOMAIN
    realm  = MYDOMAIN.CORP
    security = ads

    # Do you really need this?
    min protocol = LANMAN2

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-20000
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind use default domain = yes 
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
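
The review in the reply above, turned into a small checker (an added example, not part of the original thread and not Samba code): it parses smb.conf text and flags the parameters Rowland names, plus parameters that appear twice in a section. The names `ADVICE`, `check_smb_conf` and the sample config are constructed for illustration; continuation lines are not handled.

```python
import re

# Advice taken from the reply above, grouped by the parameters it covers.
ADVICE = {
    ("use spnego",): "removed at 4.8.0: delete this line",
    ("idmap uid", "idmap gid"): "deprecated: replace with 'idmap config' lines",
    ("socket options",): "remove it and let the kernel sort this out",
    ("winbind enum users", "winbind enum groups"): "slows things down, not needed",
    ("logon path", "logon home", "logon drive"): "not much use on an AD member",
}

def norm(name):
    # smb.conf parameter names ignore case and all whitespace.
    return "".join(name.lower().split())

LOOKUP = {norm(n): (n, why) for names, why in ADVICE.items() for n in names}

def check_smb_conf(text):
    """Return [(line_no, parameter, finding)] for an smb.conf given as text."""
    findings, first_seen, section = [], {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # start of a new section
            section = header.group(1).strip().lower()
            continue
        name, sep, _value = line.partition("=")
        if not sep:
            continue
        key = norm(name)
        if section == "global" and key in LOOKUP:
            findings.append((no, *LOOKUP[key]))
        if (section, key) in first_seen:     # same parameter set twice
            shown = " ".join(name.lower().split())
            findings.append((no, shown, f"repeats line {first_seen[(section, key)]}"))
        else:
            first_seen[(section, key)] = no
    return findings

# Constructed sample input, not the poster's file.
SAMPLE = """\
[global]
    Use SPNEGO = yes
    idmap uid = 10000-20000
    winbind refresh tickets = yes
    socket options = TCP_NODELAY
    winbind refresh tickets = yes
"""
```

Samba's own `testparm` remains the authoritative check for unknown parameters; this only encodes the advice given in this thread.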

