On Thu, 3 Oct 2024 16:56:48 +0200
Emmanuel Florac <eflorac at intellique.com> wrote:
> On Thu, 3 Oct 2024 15:21:07 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > From the above, it sounds like you are joining Samba as a Unix
> > domain member (security = ads)
> > 
> 
> Yes absolutely.
> 
> > 
> > If this is a Unix domain member, then the schema is only used on the
> > Windows DC, the Samba Unix domain member never sees it directly.
> > 
> > This sounds like a SMBv1 problem (partially at least), where,
> > because NetBIOS isn't being used, Network Browsing no longer works,
> > but smbclient connecting to a share should.
> > 
> 
> "smbclient" on Linux connects to the share just fine using domain user
> credentials. Only domain members can't...

When you say 'domain members', do you mean users on a Windows machine or
something else?
> 
> 
> I don't have access to the machine right now but the config is
> straightforward :
> 
> /etc/samba/smb.conf
> 
> [global]
>     workgroup = example
>     security = ADS
>     realm = EXAMPLE.LAN
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = Data %h
> 
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>     winbind normalize names = Yes
> 
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config EXAMPLE : backend = rid
>     idmap config EXAMPLE : range = 10000-999999
>     template shell = /bin/bash
>     template homedir = /home/EXAMPLE/%U
> 
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     map to guest = bad user
>     host msdfs = no
> 
>     # user Administrator workaround, without it you are unable to set
>     # privileges
>     username map = /etc/samba/user.map
> 
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
> 
>     # Share Setting Globally
>     unix extensions = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
> 
>     # disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> That's a generic configuration I've been using on different domains,
> but never with an AD running higher than WS2016 I guess.
> 
There is nothing there that should stop Samba from working, but it
doesn't use SMBv1, so if your Windows clients are using SMBv1 then it
will not work.
Rowland