Greetings, Rowland Penny via samba!

> OK, I give in, why have 4 emails from Andrey Repin, that were
> apparently sent in May & June of this year, just appeared in my mail
> client ?

Don't worry, your sanity is not affected. My mail provider had changed its submission policy without sufficient notification, causing my transit mail server to block its mail queue since last August.

Anyway, here's some news on the subject: a routine server upgrade uncovered an IP address conflict in the local network.

Turned out, when I was setting up DC2, I did not add its address to the infrastructure DNS zone.
When I was setting up a new infra server for tests a short while later, I checked the infra zone and picked the next free address... which, unsurprisingly, was the same as the DC2 one.
Having solved this, I get a stable "Domain join OK" on every domain member, but am still unable to authenticate the users using winbind.

Domain controller logs (notable parts) are as follows:

log.samba:

[2023/11/07 18:56:05.882689, 1] ../../source4/nbt_server/register.c:165(nbtd_register_name_handler)
  Error registering DARKDRAGON<1b> with 192.168.1.19 on interface 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES
[2023/11/07 18:56:20.887545, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:20.890975, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=DomainDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.039408, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:21.098762, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
  Doing a full scan on CN=Configuration,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
[2023/11/07 18:56:25.913081, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 110

log.smbd: lots of messages like these right from the start:

[2023/11/07 18:56:08.211331, 1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/11/07 18:56:11.590717, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:11.590888, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight

[2023/11/07 18:56:29.811430, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:29.812183, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1117
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight

[2023/11/07 18:56:30.307255, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:30.308127, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight

AD DC configuration:

# Global parameters
[global]
auto services = homes
client ldap sasl wrapping = sign
dns forwarder = 192.168.1.12
dos charset = CP866
logging = systemd
log level = 1
netbios name = DC2
panic action = /usr/share/samba/panic-action %d
printcap name = /dev/null
realm = ADS.DARKDRAGON.LAN
server role = active directory domain controller
template homedir = /home/%U
template shell = /bin/bash
tls enabled = Yes
tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = DARKDRAGON
idmap config darkdragon : unix_nss_info = yes
idmap config darkdragon : unix_primary_group = yes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : schema_mode = rfc2307
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
idmap_ldb : use rfc2307 = Yes
map acl inherit = Yes
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr

[netlogon]
comment = Network Logon Service
csc policy = disable
path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
read only = No

[sysvol]
comment = Domain System Volume
csc policy = disable
path = /var/lib/samba/sysvol
read only = No

Member server:

# Global parameters
[global]
dos charset = CP866
workgroup = DARKDRAGON
realm = ADS.DARKDRAGON.LAN
netbios name = DAEMON1
interfaces = lo mac0
bind interfaces only = Yes
security = ADS
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log level = 1
server min protocol = NT1
min protocol = NT1
client min protocol = NT1
client ldap sasl wrapping = sign
printcap name = /dev/null
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
wins server = 127.0.0.1
wins support = Yes
preload = homes
auto services = homes
panic action = /usr/share/samba/panic-action %d
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
client ipc min protocol = NT1
idmap config darkdragon : unix_nss_info = yes
idmap config darkdragon : unix_primary_group = yes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : schema_mode = rfc2307
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : backend = tdb
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[netlogon]
comment = Network Logon Service
path = /home/.samba/netlogon
read only = No
csc policy = disable

[homes]
comment = Home Directory
path = /home/%S
valid users = %S
read only = No
browseable = No
csc policy = disable
follow symlinks = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
csc policy = disable

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[arc]
comment = Software archive
path = /srv/arc
read only = No
browseable = No
csc policy = disable

And in case it is of any relevance:

# samba-tool dbcheck --cross-ncs
Checking 3532 objects
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=8bb6015d-6fa6-42c8-8227-342efcb172bb,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335880000000>;<RMD_CHANGETIME=131154335880000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3654>;<RMD_ORIGINATING_USN=3634>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=a6fed93a-b3f0-4d96-bd5e-65e0c081b127,CN=Partitions,CN=Configuration,DC=ads,DC=darkdragon,DC=lan - <GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan
Target GUID points at deleted DN '<GUID=6b675175-05be-4866-b529-968668e149ff>;<RMD_ADDTIME=131154335860000000>;<RMD_CHANGETIME=131154335860000000>;<RMD_FLAGS=0>;<RMD_INVOCID=05ea5d9d-5f6d-4cf6-bd9a-04567211caae>;<RMD_LOCAL_USN=3658>;<RMD_ORIGINATING_USN=3626>;<RMD_VERSION=0>;CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ads,DC=darkdragon,DC=lan'
Not removing
Checked 3532 objects (0 errors)

--
With best regards,
Andrey Repin
Monday, November 6, 2023 23:42:24

Sorry for my terrible English...
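The security-token dumps in the log.smbd excerpt above can be decoded mechanically, which is quicker than reading eight SIDs per failure by eye. The Python script below is an added example, not code from this thread or from Samba. It parses a constructed log excerpt (the three failures above, the second and third abridged to their first two SIDs), splits each failing SID into its domain SID and RID, and names the well-known SIDs and RIDs in the token using the standard Windows table (the table itself is not something the page lists). Run as written it shows that every failing token belongs to an account whose primary group, SID[1], is RID 515 (Domain Computers), i.e. a machine account, arriving as a network logon (S-1-5-2) authenticated with NTLM (S-1-5-64-10), and that the conversion result "type 0" is ID_TYPE_NOT_SPECIFIED, meaning no unix id of any kind was found for the SID.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the three failures from the DC's log.smbd above.
# The second and third tokens are abridged to their first two SIDs.
LOG_SMBD = """\
[2023/11/07 18:56:11.590717, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID. Conversion was returned as type 0, full token:
[2023/11/07 18:56:11.590888, 0] ../../libcli/security/security_token.c:51(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-5-64-10
    SID[ 6]: S-1-5-32-554
    SID[ 7]: S-1-5-32-545
  Privileges (0x 800000):
    Privilege[ 0]: SeChangeNotifyPrivilege
  Rights (0x 400):
    Right[ 0]: SeRemoteInteractiveLogonRight
[2023/11/07 18:56:29.811430, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID. Conversion was returned as type 0, full token:
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1117
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
[2023/11/07 18:56:30.307255, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
  Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID. Conversion was returned as type 0, full token:
    SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
    SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
"""

# Standard Windows well-known SIDs / RIDs that occur in these tokens.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
}
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}
# Samba's id_type enum; 0 means no unix id at all was found for the SID.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

UNMAPPED_RE = re.compile(r"Unable to convert first SID \((S-1-5-21-[\d-]+)\) in user token to a UID\."
                         r" Conversion was returned as type (\d+)")
SID_ENTRY_RE = re.compile(r"SID\[\s*(\d+)\]:\s*(S-[\d-]+)")
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class UnmappedToken:
    sid: str
    domain_sid: str
    rid: int
    id_type: str
    primary_group: str = ""
    groups: List[str] = field(default_factory=list)

    @property
    def account_kind(self) -> str:
        # A primary group of Domain Computers marks a machine account.
        return "computer account" if self.primary_group == "Domain Computers" else "user account"


def describe_sid(sid: str) -> str:
    """Name a SID: well-known SID, well-known domain RID, or the raw SID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = DOMAIN_SID_RE.match(sid)
    if m:
        rid = int(m.group(2))
        return WELL_KNOWN_RIDS.get(rid, f"domain RID {rid}")
    return sid


def decode_unmapped_tokens(log_text: str) -> List[UnmappedToken]:
    """Collect every 'Unable to convert first SID' failure with its token."""
    tokens: List[UnmappedToken] = []
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            dom = DOMAIN_SID_RE.match(m.group(1))
            tokens.append(UnmappedToken(sid=m.group(1), domain_sid=dom.group(1),
                                        rid=int(dom.group(2)),
                                        id_type=ID_TYPES.get(int(m.group(2)), m.group(2))))
            continue
        m = SID_ENTRY_RE.search(line)
        if m and tokens:
            idx, sid = int(m.group(1)), m.group(2)
            if idx == 1:            # SID[1] is the account's primary group
                tokens[-1].primary_group = describe_sid(sid)
            elif idx > 1:           # the rest are group memberships
                tokens[-1].groups.append(describe_sid(sid))
    return tokens


if __name__ == "__main__":
    for t in decode_unmapped_tokens(LOG_SMBD):
        print(f"RID {t.rid} in {t.domain_sid}: {t.account_kind} "
              f"(primary group {t.primary_group}), result {t.id_type}; "
              f"groups: {', '.join(t.groups) or '(abridged)'}")
```

On a real DC the script can be pointed at /var/log/samba/log.smbd directly; the RIDs it prints are what you would look up next (for example with `wbinfo --sid-to-uid` or an LDAP search on objectSid) to see whether the accounts carry a uidNumber or an idmap.ldb entry.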
LP

On Nov 7, 2023 at 18:06 +0100, Andrey Repin via samba <samba at lists.samba.org>, wrote:
>
> AD DC configuration:
>
> # Global parameters
> [global]
> auto services = homes
> client ldap sasl wrapping = sign
> dns forwarder = 192.168.1.12
> dos charset = CP866
> logging = systemd
> log level = 1
> netbios name = DC2
> panic action = /usr/share/samba/panic-action %d
> printcap name = /dev/null
> realm = ADS.DARKDRAGON.LAN
> server role = active directory domain controller
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = Yes
> tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = DARKDRAGON
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> idmap_ldb : use rfc2307 = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>

You should not use idmap declarations in a DC. Domain Controllers use idmap.ldb for id-mapping, which is only used on a DC.

If using 'ad' idmap in the AD, you should only use this on the DC:

idmap_ldb:use rfc2307 = yes

You don't need all the winbind lines either.

I think your workgroup name should be ADS, not DARKDRAGON.

Your template declarations are the default for non-AD idmapping. Login shell and Unix home directory path can be stored in the RFC2307 attributes when using 'ad' idmap.

I'd start with a simpler configuration like this:

# Global parameters
[global]
dns forwarder = 192.168.1.12
netbios name = DC2
realm = ADS.DARKDRAGON.LAN
server role = active directory domain controller
workgroup = ADS
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/mad.mater.int/scripts
read only = No

Regards,
LP
On Tue, 7 Nov 2023 20:00:40 +0300 Andrey Repin via samba <samba at lists.samba.org> wrote:

> Greetings, Rowland Penny via samba!
>
> > OK, I give in, why have 4 emails from Andrey Repin, that were
> > apparently sent in May & June of this year, just appeared in my mail
> > client ?
>
> Don't worry, your sanity is not affected. My mail provider had changed
> submission policy without a sufficient notification, causing my
> transit mail server to block mail queue since last August.
>
> Anyway, here's some news on the subject: Routine server upgrade
> uncovered an IP address conflict in the local network.
>
> Turned out, when I was setting up DC2, I did not add its address to
> the infrastructure DNS zone.
> When I was setting up a new infra server for tests a short while
> later, I checked the infra zone and picked the next free address...
> which, unsurprisingly, was the same as the DC2 one.
> Having solved this, I get a stable "Domain join OK" on every domain
> member, but still unable to authenticate the users using winbind.
>
> Domain controller logs (notable parts) are following:
>
> log.samba:
>
> [2023/11/07 18:56:05.882689, 1] ../../source4/nbt_server/register.c:165(nbtd_register_name_handler)
>   Error registering DARKDRAGON<1b> with 192.168.1.19 on interface 192.168.1.255 - NT_STATUS_CONFLICTING_ADDRESSES
> [2023/11/07 18:56:20.887545, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
>   Doing a full scan on DC=ForestDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
> [2023/11/07 18:56:20.890975, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
>   Doing a full scan on DC=DomainDnsZones,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
> [2023/11/07 18:56:21.039408, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
>   Doing a full scan on DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
> [2023/11/07 18:56:21.098762, 1] ../../source4/dsdb/kcc/garbage_collect_tombstones.c:67(garbage_collect_tombstones_part)
>   Doing a full scan on CN=Configuration,DC=ads,DC=darkdragon,DC=lan and looking for deleted objects
> [2023/11/07 18:56:25.913081, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
>   dnsupdate_nameupdate_done: Failed DNS update with exit code 110
>
> log.smbd: lots of messages like these right from the start:
>
> [2023/11/07 18:56:08.211331, 1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
>   Failed to fetch record!
> [2023/11/07 18:56:11.590717, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1124) in user token to a UID. Conversion was returned as type 0, full token:
> [2023/11/07 18:56:11.590888, 0] ../../libcli/security/security_token.c:51(security_token_debug)
>   Security token SIDs (8):
>     SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1124
>     SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
>     SID[ 2]: S-1-1-0
>     SID[ 3]: S-1-5-2
>     SID[ 4]: S-1-5-11
>     SID[ 5]: S-1-5-64-10
>     SID[ 6]: S-1-5-32-554
>     SID[ 7]: S-1-5-32-545
>   Privileges (0x 800000):
>     Privilege[ 0]: SeChangeNotifyPrivilege
>   Rights (0x 400):
>     Right[ 0]: SeRemoteInteractiveLogonRight
>
> [2023/11/07 18:56:29.811430, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1117) in user token to a UID. Conversion was returned as type 0, full token:
> [2023/11/07 18:56:29.812183, 0] ../../libcli/security/security_token.c:51(security_token_debug)
>   Security token SIDs (8):
>     SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1117
>     SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
>     SID[ 2]: S-1-1-0
>     SID[ 3]: S-1-5-2
>     SID[ 4]: S-1-5-11
>     SID[ 5]: S-1-5-64-10
>     SID[ 6]: S-1-5-32-554
>     SID[ 7]: S-1-5-32-545
>   Privileges (0x 800000):
>     Privilege[ 0]: SeChangeNotifyPrivilege
>   Rights (0x 400):
>     Right[ 0]: SeRemoteInteractiveLogonRight
> [2023/11/07 18:56:30.307255, 0] ../../source4/auth/unix_token.c:95(security_token_to_unix_token)
>   Unable to convert first SID (S-1-5-21-2269650170-3990761244-2407083512-1106) in user token to a UID.
>   Conversion was returned as type 0, full token:
> [2023/11/07 18:56:30.308127, 0] ../../libcli/security/security_token.c:51(security_token_debug)
>   Security token SIDs (8):
>     SID[ 0]: S-1-5-21-2269650170-3990761244-2407083512-1106
>     SID[ 1]: S-1-5-21-2269650170-3990761244-2407083512-515
>     SID[ 2]: S-1-1-0
>     SID[ 3]: S-1-5-2
>     SID[ 4]: S-1-5-11
>     SID[ 5]: S-1-5-64-10
>     SID[ 6]: S-1-5-32-554
>     SID[ 7]: S-1-5-32-545
>   Privileges (0x 800000):
>     Privilege[ 0]: SeChangeNotifyPrivilege
>   Rights (0x 400):
>     Right[ 0]: SeRemoteInteractiveLogonRight
>
> AD DC configuration:
>
> # Global parameters
> [global]
> auto services = homes
> client ldap sasl wrapping = sign
> dns forwarder = 192.168.1.12
> dos charset = CP866
> logging = systemd
> log level = 1
> netbios name = DC2
> panic action = /usr/share/samba/panic-action %d
> printcap name = /dev/null
> realm = ADS.DARKDRAGON.LAN
> server role = active directory domain controller
> template homedir = /home/%U
> template shell = /bin/bash
> tls enabled = Yes
> tls priority = NORMAL:-VERS-SSL3.0:+VERS-TLS-ALL
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = DARKDRAGON
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> idmap_ldb : use rfc2307 = Yes
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr

I would remove these from the DC smb.conf, they are either defaults, not required or flat out doing nothing on a DC:

auto services = homes
client ldap sasl wrapping = sign
tls enabled = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
idmap config darkdragon : unix_nss_info = yes
idmap config darkdragon : unix_primary_group = yes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : schema_mode = rfc2307
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr

>
> [netlogon]
> comment = Network Logon Service
> csc policy = disable
> path = /var/lib/samba/sysvol/ads.darkdragon.lan/scripts
> read only = No
>
> [sysvol]
> comment = Domain System Volume
> csc policy = disable
> path = /var/lib/samba/sysvol
> read only = No
>
>
> Member server:
> # Global parameters
> [global]
> dos charset = CP866
> workgroup = DARKDRAGON
> realm = ADS.DARKDRAGON.LAN
> netbios name = DAEMON1
> interfaces = lo mac0
> bind interfaces only = Yes
> security = ADS
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log level = 1
> server min protocol = NT1
> min protocol = NT1
> client min protocol = NT1
> client ldap sasl wrapping = sign
> printcap name = /dev/null
> preferred master = Yes
> local master = Yes
> domain master = Yes
> browse list = Yes
> wins server = 127.0.0.1
> wins support = Yes
> preload = homes
> auto services = homes
> panic action = /usr/share/samba/panic-action %d
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> client ipc min protocol = NT1
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : backend = tdb
> map acl inherit = Yes
> store dos attributes = Yes
> vfs objects = acl_xattr
>
>
> [netlogon]
> comment = Network Logon Service
> path = /home/.samba/netlogon
> read only = No
> csc policy = disable
>
> [homes]
> comment = Home Directory
> path = /home/%S
> valid users = %S
> read only = No
> browseable = No
> csc policy = disable
> follow symlinks = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
> csc policy = disable
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
>
> [arc]
> comment = Software archive
> path = /srv/arc
> read only = No
> browseable = No
> csc policy = disable

Andrey, sorry but words fail me about that Unix domain member smb.conf; it appears to be most of an NT4-style BDC grafted onto the smb.conf for an AD domain member. Most (if not all) of the NT4-style parameters should be removed; they aren't really doing anything anyway, the DC isn't doing SMBv1 and they rely on it.

Rowland
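The two points made in the replies above, LP's that `idmap config` lines are not consulted on a DC (a DC maps SIDs through idmap.ldb) and Rowland's that the member's NT1 and NT4-era browsing parameters are doing nothing useful, can be turned into a repeatable check. The Python linter below is an added example, not Samba's testparm and not code from anyone in this thread. It reads a minimal smb.conf subset, decides the role from `server role` / `security = ADS`, and reports the findings discussed above plus one the thread does not mention: overlapping idmap ranges, which silently hand the same uid/gid to different SIDs. The two config strings are excerpts of the DC and member configurations posted above, constructed for this example; the severity labels, category names and messages are the example's own. The SMB1 finding is the security-relevant one: `NT1` re-enables a dialect that current Samba disables by default and that lacks SMB3's encryption and pre-authentication integrity.

```python
import re
from typing import Dict, List, Tuple

# Excerpts of the DC and member smb.conf posted above (constructed for this example).
DC_CONF = """\
[global]
server role = active directory domain controller
realm = ADS.DARKDRAGON.LAN
workgroup = DARKDRAGON
idmap config darkdragon : unix_nss_info = yes
idmap config darkdragon : unix_primary_group = yes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : schema_mode = rfc2307
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
idmap_ldb : use rfc2307 = Yes
"""
MEMBER_CONF = """\
[global]
security = ADS
realm = ADS.DARKDRAGON.LAN
workgroup = DARKDRAGON
server min protocol = NT1
min protocol = NT1
client min protocol = NT1
client ipc min protocol = NT1
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
wins server = 127.0.0.1
wins support = Yes
preload = homes
idmap config darkdragon : range = 2048-131071
idmap config darkdragon : backend = ad
idmap config * : range = 1024-2047
idmap config * : backend = tdb
"""

Finding = Tuple[str, str, str, str]  # (severity, category, parameter, message)
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
MIN_PROTOCOL_PARAMS = ("server min protocol", "min protocol",
                       "client min protocol", "client ipc min protocol")
NT4_ERA_PARAMS = ("domain master", "preferred master", "local master",
                  "browse list", "wins support", "wins server", "preload")
IDMAP_RANGE_RE = re.compile(r"^idmap config (.+) : range$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {key: value}}. Keys are lower-cased with
    whitespace collapsed and ':' normalised so spacing variants compare equal.
    Deliberately not a full testparm (no includes, no %-macros)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.split())).lower()
            sections[current][key] = value.strip()
    return sections


def server_role(g: Dict[str, str]) -> str:
    role = g.get("server role", "").lower()
    if "domain controller" in role or role == "dc":
        return "dc"
    return "member" if g.get("security", "").lower() == "ads" else "other"


def lint_smb_conf(text: str) -> Tuple[str, List[Finding]]:
    g = parse_smb_conf(text).get("global", {})
    role, findings = server_role(g), []
    if role == "dc":
        # A DC maps SIDs through idmap.ldb; 'idmap config' backends are not used.
        for key in g:
            if key.startswith("idmap config "):
                findings.append(("warn", "dc-idmap", key,
                                 "ignored on a DC; only 'idmap_ldb:use rfc2307' applies there"))
    if role == "member":
        for key in MIN_PROTOCOL_PARAMS:
            if g.get(key, "").lower() in SMB1_DIALECTS:
                findings.append(("high", "smb1", key,
                                 f"'{g[key]}' re-enables SMB1, off by default and not spoken by the DC"))
        for key in NT4_ERA_PARAMS:
            if key in g:
                findings.append(("info", "nt4", key,
                                 "NetBIOS browsing/WINS parameter from NT4 domains; no effect on AD logons"))
    # Overlapping idmap ranges assign the same uid/gid to different SIDs.
    ranges = []
    for key, value in g.items():
        m = IDMAP_RANGE_RE.match(key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    for i, (da, la, ha) in enumerate(ranges):
        for db, lb, hb in ranges[i + 1:]:
            if la <= hb and lb <= ha:
                findings.append(("high", "overlap", f"idmap config {da} / {db}",
                                 f"ranges {la}-{ha} and {lb}-{hb} overlap"))
    return role, findings


if __name__ == "__main__":
    for name, conf in (("DC2", DC_CONF), ("DAEMON1", MEMBER_CONF)):
        role, findings = lint_smb_conf(conf)
        print(f"{name} ({role}):")
        for sev, cat, param, msg in findings:
            print(f"  [{sev}] {param}: {msg}")
```

Run against the real files with `lint_smb_conf(open('/etc/samba/smb.conf').read())`; on the two excerpts above it reports eight ignored idmap lines on the DC, four SMB1 dialect settings and seven NT4-era parameters on the member, and no range overlap (1024-2047 and 2048-131071 are disjoint, which is the one thing the posted idmap block gets right).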