Re: [Samba] WinbinD no longer available in Samba 4.7.6
- Date: Wed, 05 Dec 2018 09:57:56 +0700
- From: Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] WinbinD no longer available in Samba 4.7.6
Rowland Penny via samba wrote on 2018-12-04 17:17:
> On Tue, 04 Dec 2018 16:45:43 +0700
> Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Are there possibly missing some winbind settings (the smb.conf has
>> been generated by domain upgrade process).
>
> Sorry, but I do not believe that is true:

True. The configuration works. I assume that parameters that aren't
applicable to the AD DC role are just ignored, even if mentioned.

>> winbind enum users = yes
>> winbind enum groups = yes
>
> The lines above should only be used for testing purposes, they serve no

According to 'man smb.conf', "On large installations using
winbindd(8) it may be necessary to suppress enumeration...". Orus isn't a
large installation (number of users and computers taken together is

>> winbind nss info = rfc2307
>
> The above line is only any use on a Unix domain member and then, only
> before Samba 4.6.0

That makes sense, set it explicitly to 'template'.

>> dns proxy = no
>
> Really, on a DC that relies on DNS ?

Again, makes sense, set to 'yes'.

>> tls enabled = yes
>> tls keyfile = tls/key.pem
>> tls certfile = tls/cert.pem
>> tls cafile = tls/ca.pem
>> tls verify peer = no_check
>> acl:search = no
>
> They are default settings

Yes, with the mentioned certificate files taken from the real-life
certificate for the real-life domain name we use.

>> passdb backend = tdbsam
>
> Big mistake, you have turned off the correct password database.

I assume you are talking about ldapsam. Again, our installation isn't
huge enough to feel the impact of the password backend.

Also, I might get somewhat confused by the 'classic upgrade'
description, where old ldapsam was explicitly disabled in favor of
switching to tdbsam.

>> obey pam restrictions = yes
>
> Useless on a DC
>
>> unix password sync = yes
>
> Extremely useless on a DC, you cannot have Unix users in /etc/passwd

Reasonable, set both to default.

>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> pam password change = yes
>> map to guest = bad user
>> usershare allow guests = yes
>
> Only of real use on a Unix domain member

Thanks, set to default.

>> comment = Users profiles
>> path = /srv/samba/profiles/
>> browseable = No
>> read only = No
>> force create mode = 0600
>> force directory mode = 0700
>> csc policy = disable
>> store dos attributes = yes
>> vfs objects = acl_xattr
>>
>> The above is a cut & paste from here:
>
> The only problem is, it also tells you, just above that block on the
> page, that it doesn't work on an AD DC.

Actually, I used the 'above block' to set the permissions from Windows

Question is, do the above settings actually conflict (I noticed no
problems so far), if I do not attempt to change whatever after the
mentioned permissions change has been performed?

I really appreciate your comments. Pity there are no 'typical' smb.conf
examples for typical roles, such as AD DC.
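As an added example that is not part of this thread (neither poster's code, nor Samba's), here is a small Python checker that flags the [global] parameters Rowland objected to, but only when `server role` says the host is an AD DC. It parses smb.conf with the standard-library configparser and runs over two constructed sample configs, not the poster's real file. The rules paraphrase the thread plus the smb.conf defaults the thread relies on: `samba_dsdb` is the passdb backend an AD DC uses, `dns proxy` defaults to yes, `winbind nss info` defaults to `template`, and `map to guest` defaults to Never.

```python
import configparser
from typing import Callable, List, Tuple

# Constructed sample, not the poster's real smb.conf: a trimmed [global] in the
# shape of the one quoted in the thread (every parameter Rowland objected to).
SAMPLE_SMB_CONF = r"""
[global]
    server role = active directory domain controller
    workgroup = ORUS
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = rfc2307
    dns proxy = no
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n
    pam password change = yes
    map to guest = bad user
    usershare allow guests = yes

[profiles]
    path = /srv/samba/profiles/
    read only = No
"""

# Constructed: the same DC after applying the advice (offending lines removed,
# dns proxy back to yes, winbind nss info at its default 'template').
FIXED_SMB_CONF = r"""
[global]
    server role = active directory domain controller
    workgroup = ORUS
    dns proxy = yes
    winbind nss info = template
"""

# The long form of the AD DC role plus the short aliases Samba accepts for it.
DC_ROLES = ("active directory domain controller", "domain controller", "dc")


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf text with configparser.

    Interpolation is disabled because smb.conf values contain %u, %n and
    similar substitutions; strict=False tolerates a repeated parameter.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    return cp


def is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


# (parameter, predicate that is True when the value is a problem on a DC, reason).
# The reasons paraphrase the thread; the defaults quoted are smb.conf's.
DC_RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("passdb backend", lambda v: v.strip().lower() != "samba_dsdb",
     "an AD DC keeps accounts in the AD database (samba_dsdb); leave the default"),
    ("dns proxy", lambda v: v.strip().lower() == "no",
     "a DC relies on DNS; the default is yes"),
    ("winbind nss info", lambda v: v.strip().lower() != "template",
     "only of use on a Unix domain member before Samba 4.6.0; default is template"),
    ("winbind enum users", is_yes, "enumeration is for testing only"),
    ("winbind enum groups", is_yes, "enumeration is for testing only"),
    ("obey pam restrictions", is_yes, "no effect on a DC"),
    ("unix password sync", is_yes, "a DC has no Unix users in /etc/passwd to sync"),
    ("pam password change", is_yes, "only of use on a Unix domain member"),
    ("map to guest", lambda v: v.strip().lower() != "never",
     "only of use on a Unix domain member; the default is Never"),
    ("usershare allow guests", is_yes, "only of use on a Unix domain member"),
]


def check_dc_config(text: str) -> List[str]:
    """Return one finding per DC-inappropriate [global] parameter.

    Returns an empty list for a member server or standalone host, because
    every rule above is specific to the AD DC role.
    """
    cp = load_smb_conf(text)
    if not cp.has_section("global"):
        return []
    g = cp["global"]
    role = g.get("server role", "").strip().lower()
    if role not in DC_ROLES:
        return []
    findings = []
    for param, is_problem, reason in DC_RULES:
        if param in g and is_problem(g[param]):
            findings.append(f"{param} = {g[param]}: {reason}")
    return findings


if __name__ == "__main__":
    for line in check_dc_config(SAMPLE_SMB_CONF):
        print(line)
    print("fixed config findings:", check_dc_config(FIXED_SMB_CONF))
```

Run it against the real file with `check_dc_config(open("/etc/samba/smb.conf").read())`; an empty list for a DC means none of the parameters discussed above are set to a value the thread calls out, and a member server is deliberately reported as clean because the rules do not apply to that role.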