All DC are running the same Samba version: 4.4.2. All DC are hosted on the same CentOS 7.

On broken server(s):
wbinfo -i mdufresne
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user mdufresne

On working servers:
wbinfo -i mdufresne
AD.DOMAIN\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false

The smb.conf is:
---------------------------------------------------------------------
# Global parameters
[global]
        workgroup = AD.DOMAIN
        realm = AD.DOMAIN.TLD
        netbios name = DNS20
        server role = active directory domain controller

        server services = -dns
        idmap_ldb:use rfc2307 = yes

        acl_xattr:ignore system acls = yes
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/ad.domain.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
---------------------------------------------------------------------

krb5.conf is:
---------------------------------------------------------------------
[libdefaults]
        default_realm = AD.DOMAIN.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true
---------------------------------------------------------------------

nsswitch.conf winbind related is:
---------------------------------------------------------------------
passwd:     files winbind
shadow:     files winbind
group:      files winbind
---------------------------------------------------------------------

And finally PAM configuration (only winbind related stuff):
---------------------------------------------------------------------
/etc/pam.d/fingerprint-auth:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth:session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth-ac:account  [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/fingerprint-auth-ac:session  optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth:auth           sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/password-auth:account        [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth:password       sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/password-auth:session        optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth-ac:auth        sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/password-auth-ac:password    sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/password-auth-ac:session     optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth:account       [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth:session       optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth-ac:account    [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/smartcard-auth-ac:session    optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/system-auth-ac:auth          sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_first_pass
/etc/pam.d/system-auth-ac:account       [default=bad success=ok user_unknown=ignore] pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
/etc/pam.d/system-auth-ac:password      sufficient    pam_winbind.so krb5_auth krb5_ccache_type=KEYRING use_authtok
/etc/pam.d/system-auth-ac:session       optional      pam_winbind.so krb5_auth krb5_ccache_type=KEYRING
---------------------------------------------------------------------

This PAM configuration was obtained using the RH authconfig tool:
authconfig --enablewinbindkrb5 --enablewinbindauth --update

2016-04-21 12:25 GMT+02:00 Jonathan Hunter <jmhunter1 at gmail.com>:
> Hi,
>
> Does "wbinfo -i <user>" work, and return the same results, on all the DCs?
>
> Are the DCs running the distribution & versions (e.g. CentOS, Debian,
> whatever) or are there differences there, also?
>
> On 21 April 2016 at 11:16, mathias dufresne <infractory at gmail.com> wrote:
>
> > Hi Jonathan,
> >
> > Thank you for that, that solved the issue.
> >
> > Unfortunately I get another issue: on one DC id <user> gives "no such user".
> > Adding domain (id ad.domain\\<user>) does not help.
> > Adding the whole domain (id ad.domain.tld\\<user>) does not help more.
> >
> > I did check PAM, NSS and Samba configurations, this server is using the same
> > configurations as the two working DC. I'm puzzled.
> >
> > 2016-04-21 11:52 GMT+02:00 Jonathan Hunter <jmhunter1 at gmail.com>:
> >
> >> You can try "net cache flush" (if you want to inspect the cache, use "net
> >> cache list")
> >>
> >> On 21 April 2016 at 10:40, mathias dufresne <infractory at gmail.com> wrote:
> >>
> >> > Hi all,
> >> >
> >> > Back on playing winbind I first configured PAM and NSS then tried id
> >> > <my_user_name> without setting uidNumber for that user.
> >> >
> >> > This user gets its UID from idmap.
> >> >
> >> > I set up uidNumber into the LDAP tree for that user but this user still
> >> > gets its uid from idmap rather than from the uidNumber attribute.
> >> >
> >> > I set up another user with uidNumber into the LDAP tree and after doing
> >> > that I tried "id <my_second_user>". Here id returns the content of the
> >> > uidNumber LDAP attribute as user UID.
> >> >
> >> > Question: how to make the first user get rid of the idmapped UID?
> >> > --
> >> > To unsubscribe from this list go to the following URL and read the
> >> > instructions: https://lists.samba.org/mailman/options/samba
> >>
> >> --
> >> "If we knew what it was we were doing, it would not be called research,
> >> would it?"
> >> - Albert Einstein
And why do I want to get rid of id mapping?

Because starting my tests this morning, checking id of the same user on 3 DC I get 3 different UIDs for the same user. That's why we would prefer to rely on uidNumber.

2016-04-21 12:40 GMT+02:00 mathias dufresne <infractory at gmail.com>:
Solved!

The issue:
---------------------------------------------------------------
wbinfo -i <username>
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user <username>
---------------------------------------------------------------
and
---------------------------------------------------------------
id <username>
id: <username>: no such user
---------------------------------------------------------------
while both commands (with the same user) were working on any other DC.

Solution:
Samba was stopped. I took files from some working DC to push them on the broken one. Samba was started, issue solved.

Copied files list:
private/idmap.ldb
private/hklm.ldb
private/schannel_store.tdb
private/secrets.*
private/share.ldb
registry.tdb
share_info.tdb
winbindd_cache.tdb
account_policy.tdb

This seems to me an issue from Samba itself.

A small note: while the issue existed, running wbinfo -i <username> was filling the net cache with the right information about the user, but for some reason I don't understand at all, wbinfo was hanging. So did "id".

"net cache flush" was the solution to get rid of auto-generated UIDs (so that users get their own UID from uidNumber in the AD LDAP tree).

mathias

2016-04-21 13:36 GMT+02:00 mathias dufresne <infractory at gmail.com>:
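The thread's root problem was that the same user resolved to three different UIDs on three DCs until uidNumber was honoured everywhere. As an added example, not code from the thread or from Samba, here is a small POSIX sh check that does the comparison by script: it takes one "wbinfo -i <user>" output line per DC, flags any DC whose UID differs from the uidNumber stored in AD, and flags any DC whose lookup fails the way the broken DC did. The DC names, the 3000021 value and the failing line are constructed sample data; 12104 is the uidNumber the thread shows for mdufresne.

```shell
#!/bin/sh
# Added example: compare the UID winbind reports for one user on several DCs.
# Real input would be gathered per DC, e.g.: ssh "$dc" wbinfo -i "$user"
# Each input line has the constructed form "<dc>|<wbinfo -i output>".

# Constructed sample: dc1 and dc2 agree on the rfc2307 uidNumber, dc3 still
# hands out an idmap-allocated id, dc4 fails the lookup entirely.
SAMPLE='dc1|AD.DOMAIN\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false
dc2|AD.DOMAIN\mdufresne:*:12104:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false
dc3|AD.DOMAIN\mdufresne:*:3000021:100:Mathias Dufresne (TEMP):/home/AD.DGFIP/mdufresne:/bin/false
dc4|failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND'

# uid_of ENTRY: print the third colon-separated field of a passwd-style line,
# or nothing if ENTRY is not a 7-field passwd entry (e.g. a wbinfo error).
uid_of() {
    case "$1" in
        *:*:*:*:*:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *) ;;
    esac
}

# check_uids EXPECTED_UID: read "<dc>|<entry>" lines on stdin, print one
# status line per DC, return 0 only if every DC reports EXPECTED_UID.
check_uids() {
    expected="$1"
    rc=0
    while IFS='|' read -r dc entry; do
        [ -n "$dc" ] || continue
        uid=$(uid_of "$entry")
        if [ -z "$uid" ]; then
            printf '%s: lookup failed (%s)\n' "$dc" "$entry"
            rc=1
        elif [ "$uid" != "$expected" ]; then
            printf '%s: uid %s != uidNumber %s (stale idmap entry? try "net cache flush")\n' \
                "$dc" "$uid" "$expected"
            rc=1
        else
            printf '%s: ok (uid %s)\n' "$dc" "$uid"
        fi
    done
    return "$rc"
}

# check_sample: run the check over the constructed sample against uidNumber 12104.
check_sample() {
    printf '%s\n' "$SAMPLE" | check_uids 12104
}

check_sample || echo "UID mismatch or failed lookup on at least one DC"
```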