
Re: [Samba] WinbinD no longer available in Samba 4.7.6

On Tue, 04 Dec 2018 16:45:43 +0700
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Are there possibly missing some winbind settings (the smb.conf has
> been generated by domain upgrade process).

Sorry, but I do not believe that is true:

         winbind enum users = yes
         winbind enum groups = yes

The lines above should only be used for testing purposes, they serve no
other purpose.

         winbind nss info = rfc2307

The above line is only of any use on a Unix domain member, and then only
before Samba 4.6.0.

         dns proxy = no

Really, on a DC that relies on DNS?

         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   = tls/ca.pem
         tls verify peer = no_check
         acl:search = no

They are default settings.

         passdb backend = tdbsam

Big mistake, you have turned off the correct password database.

         obey pam restrictions = yes

Useless on a DC.

         unix password sync = yes

Extremely useless on a DC, you cannot have Unix users in /etc/passwd
and AD.

         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
         pam password change = yes
         map to guest = bad user
         usershare allow guests = yes

Only of real use on a Unix domain member.

         comment = Users profiles
         path = /srv/samba/profiles/
         browseable = No
         read only = No
         force create mode = 0600
         force directory mode = 0700
         csc policy = disable
         store dos attributes = yes
         vfs objects = acl_xattr

The above is a cut & paste from here:


The only problem is, it also tells you, just above that block on the
page, that it doesn't work on an AD DC.
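
The review above, turned into a repeatable check, as an added example that is not part of the original message or Samba's own tooling: it parses an smb.conf using Samba's case- and whitespace-insensitive parameter names and reports the [global] settings this reply objects to when the server role is an AD DC. The remarks paraphrase the reply; the function names and the SAMPLE config are constructed for illustration.

```python
import re

# Remarks paraphrase the reply's assessment of each parameter on an AD DC.
# Keys are normalised as Samba compares names: case and spaces ignored.
FLAGGED_ON_DC = {
    "winbindenumusers": "testing only", "winbindenumgroups": "testing only",
    "winbindnssinfo": "Unix domain member only, before Samba 4.6.0",
    "dnsproxy": "questioned on a DC that relies on DNS",
    "passdbbackend": "turns off the correct password database",
    "obeypamrestrictions": "useless on a DC", "unixpasswordsync": "useless on a DC",
    **dict.fromkeys(("passwdprogram", "passwdchat", "pampasswordchange",
                     "maptoguest", "usershareallowguests"), "Unix domain member only"),
}
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_name: (line_no, value)}}."""
    conf, section, pending = {}, "", ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):          # continuation onto the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if (header := re.fullmatch(r"\[(.+)\]", line)):
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep:
            conf.setdefault(section, {})[norm(name)] = (line_no, value.strip())
    return conf

def audit_dc(text):
    """List (line_no, name, value, remark) for flagged [global] settings on a DC."""
    glob = parse_smb_conf(text).get("global", {})
    if glob.get("serverrole", (0, ""))[1].lower() not in DC_ROLES:
        return []                        # not a DC: the remarks do not apply
    hits = [(ln, key, val, FLAGGED_ON_DC[key])
            for key, (ln, val) in glob.items() if key in FLAGGED_ON_DC]
    return sorted(hits)

# Constructed sample, not the poster's smb.conf.
SAMPLE = ("[global]\nserver role = active directory domain controller\n"
          "Passdb Backend = tdbsam\n; map to guest = bad user\n"
          "unix password sync = yes\n[profiles]\nread only = No\n")
```

Running `audit_dc` on the output of `testparm -s` rather than the raw file also covers settings pulled in through `include` lines.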

