centos workstation: smb.conf >>
[global]
# Domain-member (CentOS workstation) smb.conf as posted.
workgroup = LAB
realm = LAB.LOCAL
# The member authenticates against the AD realm (Kerberos via winbind).
security = ads
# Only a catch-all `*` range is configured, so BUILTIN, domain users and domain
# groups are all allocated IDs from this single block. 16777216 is the first ID
# of the range, consistent with the tdb allocator having handed it out to the
# first SID it saw. The reply further down the thread says a member needs a
# separate `idmap config LAB` block next to `*`, with non-overlapping ranges.
idmap config * : range = 16777216-33554431
template homedir = /home/LAB/%U
template shell = /bin/bash
# Booleans here use true/false while the DC file uses Yes/No; Samba accepts both.
winbind use default domain = true
winbind offline logon = false
Samba Domain Server : smb.conf>>
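[global]
# Samba AD DC smb.conf as posted. This is `testparm -v`-style output, so most
# lines are defaults rather than deliberate settings.
#
# Repairs applied to the mail reflow only: keys that had been glued onto one
# line are split again, values that wrapped onto a following line are rejoined,
# and keys whose `=` was lost are given an explicit (empty) `=`, which is how
# testparm prints an unset value. Exact duplicate lines were dropped and a
# value overridden by a later identical key is noted where it occurred. The
# only value edit is the stray `#` on spoolssd:prefork_max_children (see there).
#
# The `idmap config` group below is consulted by winbind on a domain MEMBER;
# an AD DC maps IDs through its own idmap.ldb, so these lines have no effect
# here. `all` is not a domain name present in this config, so the
# `idmap config all` lines would be inert even on a member.
idmap cache time = 604800
idmap negative cache time = 120
idmap config LAB : range = 2000000-9999999
idmap config LAB : default = yes
idmap config LAB : backend = ad
idmap config LAB : readonly = no
idmap config LAB : schema_mode = rfc2307
idmap config LAB : cache time = 3600
idmap config * : default = yes
idmap config * : readonly = no
idmap config * : schema_mode = rfc2307
idmap config * : backend = tdb
# Same range as `idmap config LAB` above; on a member the `*` (BUILTIN/unknown
# SID) range and the domain range must not overlap.
idmap config * : range = 2000000-9999999
idmap_ldb:use rfc2307 = yes
idmap config all : readonly = yes
idmap config all : default = yes
idmap config all : backend = tdb
# LM and NTLMv1 authentication are enabled on both the server and client side.
# LM hashes and NTLMv1 are weak; an AD DC normally only needs Kerberos and
# NTLMv2, so `lanman auth = No`, `client lanman auth = No` and `ntlm auth = No`
# are the usual hardening once no legacy client depends on them.
ntlm auth = Yes
lanman auth = Yes
raw NTLMv2 auth = Yes
client NTLMv2 auth = Yes
client lanman auth = Yes
# The minimum dialects (LANMAN1 / CORE) still admit SMB1; raise them when no
# SMB1-only client remains.
server max protocol = SMB3
server min protocol = LANMAN1
server multi channel support = No
client max protocol = default
client min protocol = CORE
# 0 = anonymous IPC$ connections are allowed.
restrict anonymous = 0
security = USER
# Listening is limited to the two named interfaces.
bind interfaces only = Yes
interfaces = lo ens192
auth methods =
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, remote, dnsserver
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind max clients = 500
winbindd:use external pipes = true
winbind cache time = 300
winbind reconnect delay = 30
winbind request timeout = 60
winbind max domain connections = 1
winbindd socket directory = /usr/local/samba/var/run/winbindd
winbindd privileged socket directory = /usr/local/samba/var/lib/winbindd_privileged
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 10
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = Yes
winbind normalize names = Yes
winbind sealed pipes = Yes
winbind rpc only = Yes
wins proxy = Yes
wins support = Yes
obey pam restrictions = No
# Appears twice in this file (here and again among the ldap settings, both
# "no"); the later line wins. With strong auth not required, LDAP simple binds
# are accepted without TLS or signing, so credentials can cross the wire in
# clear text.
ldap server require strong auth = no
dos charset = CP850
unix charset = UTF-8
workgroup = LAB
realm = LAB.LOCAL
netbios name = LAB
netbios scope =
server string = LAB Samba Server
# `ALL` matches every host, so this list imposes no restriction at all.
hosts allow = ALL 127.0.0.1
guest ok = No
server role = active directory domain controller
# Suppresses Samba's check that the rest of the config is consistent with the
# server role; normally only seen in test setups.
server role check:inhibit = yes
# auth:10 is the most verbose authentication logging and records credential-
# related detail; combined with `max log size = 0` (no rotation) the log grows
# without bound. Lower it once the logon problem is diagnosed.
log level = 3 passdb:3 auth:10 winbind:2
log file = /var/log/samba/log.%m
rndc command = /usr/sbin/rndc
max log size = 0
set primary group script =
logging = file
# Unauthenticated dynamic DNS updates are accepted in addition to GSS-TSIG
# ones; `secure only` would reject the unauthenticated updates.
allow dns updates = nonsecure and secure
dns update command = /usr/local/samba/sbin/samba_dnsupdate
pam password change = Yes
smb ports = 445 139
nbt port = 137
kpasswd port = 464
krb5 port = 88
web port = 901
# (a second identical `nbt port = 137` line was here and has been dropped)
dgram port = 138
cldap port = 389
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
domain logons = Yes
os level = 255
preferred master = Yes
local master = Yes
domain master = Yes
# Printing (CUPS) settings.
load printers = No
use client driver = No
show add printer wizard = Yes
printcap cache time = 0
printcap name = cups
cups encrypt = No
cups connection timeout = 60
disable spoolss = No
min print space = 0
max reported print jobs = 0
max print jobs = 1000
print notify backchannel = No
printing = cups
cups options = raw
default devmode = Yes
force printername = Yes
printjob username = %U
lpq cache time = 30
spoolss: architecture = Windows x64
# Debug/log line formatting.
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
timestamp logs = Yes
require strong key = Yes
allow dcerpc auth level connect = No
client ipc signing = default
client ipc max protocol = default
client ipc min protocol = default
nsupdate command = /usr/bin/nsupdate -g
dns proxy = No
allow trusted domains = Yes
# Unknown user names are mapped to the guest account (`nobody`) rather than
# rejected; a wrong password for an existing user is still refused.
guest account = nobody
map to guest = Bad User
guest only = No
config backend = file
encrypt passwords = Yes
smb passwd file = /usr/local/samba/private/smbpasswd
private dir = /usr/local/samba/private
algorithmic rid base = 1000
passdb expand explicit = No
passdb backend = tdbsam
passwd chat debug = No
passwd chat timeout = 2
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *New*password* %n\n *ReType*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
# NOTE(review): `LAB.LAB.local` looks like a search-and-replace artifact (the
# thread elsewhere refers to the domain as FACILITY); confirm against the real
# file.
password server = LAB.LAB.local
old password allowed period = 120
unix password sync = Yes
client plaintext auth = No
map untrusted to domain = Yes
enable core files = Yes
large readwrite = Yes
unicode = Yes
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
log writeable files on exit = No
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
max mux = 50
max xmit = 32768
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
min receivefile size = 16384
# The posted file had `time server = Yes` immediately before this line; the
# later `No` is the effective value, so only that one is kept.
time server = No
unix extensions = Yes
# SMB signing is required in both directions.
server signing = mandatory
client signing = mandatory
client schannel = Auto
server schannel = Auto
client use spnego = Yes
client ldap sasl wrapping = sign
enable asu support = No
rpc big endian = No
deadtime = 0
getwd cache = Yes
keepalive = 300
smbd profiling level = off
spotlight = No
max smbd processes = 0
max disk size = 0
max open files = 65535
use mmap = Yes
hostname lookups = No
name cache timeout = 3600
clustering = No
ctdb timeout = 0
ctdb locktime warn threshold = 0
smb2 max read = 8388608
smb2 max write = 8388608
smb2 max trans = 8388608
smb2 max credits = 8192
mangling method = hash2
mangle prefix = 1
max stat cache size = 256
stat cache = Yes
machine password timeout = 604800
username map cache time = 0
username level = 0
init logon delay = 100
lm announce = Auto
lm interval = 60
browse list = Yes
enhanced browsing = Yes
smb2 leases = Yes
# LDAP client settings (these concern smbd talking to an LDAP passdb, not the
# DC's own LDAP server).
ldap admin dn =
ldap connection timeout = 2
ldap delete dn = No
ldap deref = auto
ldap follow referral = Auto
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap page size = 1000
ldap passwd sync = no
ldap replication sleep = 1000
# Second occurrence (see the earlier line of the same name); this is the one
# in effect.
ldap server require strong auth = No
ldap ssl = start tls
ldap ssl ads = No
ldap suffix =
ldap timeout = 15
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 10
lock directory = /usr/local/samba/var/lock
state directory = /usr/local/samba/var/locks
cache directory = /usr/local/samba/var/cache
pid directory = /usr/local/samba/var/run
ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd
utmp = No
nmbd bind explicit broadcast = Yes
homedir map = auto.home
afs token lifetime = 604800
afs share = No
NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /usr/local/samba/var/locks/usershares
async smb echo handler = No
template homedir = /home/%D/%U
template shell = /bin/bash
create krb5 conf = Yes
ncalrpc dir = /usr/local/samba/var/run/ncalrpc
neutralize nt4 emulation = No
# MD5-based (non-AES) NETLOGON schannel is still accepted from both sides.
reject md5 servers = No
reject md5 clients = No
set quota command =
multicast dns register = Yes
samba kcc command = /usr/local/samba/sbin/samba_kcc
spn update command = /usr/local/samba/sbin/samba_spnupdate
share backend = classic
allow nt4 crypto = No
# TLS for the DC's LDAP service. Only SSLv3 is excluded from the priority
# string; older TLS versions remain negotiable. No CRL or DH parameter file is
# configured.
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
tls verify peer = as_strict_as_possible
tls priority = NORMAL:-VERS-SSL3.0
rpc_server:tcpip = no
rpc_daemon:spoolssd = fork
rpc_server:default = external
rpc_server:spoolss = external
rpc_server:svcctl = embedded
rpc_server:srvsvc = embedded
rpc_server:eventlog = embedded
rpc_server:ntsvcs = embedded
rpc_server:winreg = embedded
spoolssd:prefork_child_min_life = 60
spoolssd:prefork_max_allowed_clients = 200
spoolssd:prefork_spawn_rate = 5
# The posted value was `75#`. Samba has no inline comments, so the `#` is part
# of the stored value and whether the integer parser tolerates the trailing
# character is version dependent; the reply in this thread uses plain 75.
spoolssd:prefork_max_children = 75
spoolssd:prefork_min_children = 5
# ACL / permission mapping.
acl group control = No
acl map full control = Yes
acl allow execute always = No
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
map acl inherit = No
nt acl support = Yes
profile acls = No
administrative share = No
allocation roundup size = 1048576
aio read size = 16384
aio write size = 16384
aio max threads = 100
ea support = No
# `default` = encryption negotiated if the client asks, not required.
smb encrypt = default
durable handles = Yes
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
strict allocate = No
strict rename = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
# Name handling.
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
map archive = No
map hidden = No
map system = No
map readonly = No
mangled names = Yes
# (a second identical `mangling char = ~` line was here and has been dropped)
store dos attributes = Yes
dmapi support = No
browseable = Yes
access based share enum = No
# Locking / oplocks.
blocking locks = Yes
csc policy = manual
lock spin time = 200
oplock break wait time = 0
fake oplocks = No
kernel oplocks = No
kernel share modes = Yes
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
dfree cache time = 0
preexec close = No
root preexec close = No
available = Yes
fstype = NTFS
# Symlinks are followed, but only inside the share (no wide links).
wide links = No
allow insecure wide links = No
follow symlinks = Yes
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
host msdfs = Yes
msdfs root = No
msdfs shuffle referrals = No
ntvfs handler = unixuid, default
# Default VFS stack for shares that do not set their own `vfs objects`:
# dfs_samba4 (DC sysvol/netlogon referrals), acl_xattr (NT ACLs in xattrs) and
# full_audit (syslog audit trail of the operations listed below).
vfs objects = dfs_samba4 acl_xattr full_audit
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
full_audit:failure = connect disconnect
full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod
# NOTE(review): the vfs_full_audit option that selects the syslog facility is
# `full_audit:facility`; `full_audit:LAB` looks like the same search-and-replace
# artifact noted at `password server` and will simply be ignored. Confirm
# against the real file.
full_audit:LAB = local5
full_audit:priority = notice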
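[homes]
# Per-user home directory share. In the posted file `recycle:exclude` had lost
# its `=` when its value wrapped onto the next line; it is restored here and
# nothing else is changed.
comment = Home Directories
path = /mnt/storage/homes/%U
browseable = No
hide files = /Recycle Bin/
# Files with these extensions can be neither listed nor created on the share.
veto files = /*.encrypted/*.ecc/*.ccc/
# Members of Domain Admins operate as root on this share, bypassing file ACLs.
admin users = "@Domain Admins"
# New files: (mode & 0644) | 0660 -> 0664; new directories get 0770 OR-ed in.
create mask = 0644
force create mode = 0660
force directory mode = 0770
read only = No
valid users = "@Domain Users"
# Share-level stack replaces the global one (dfs_samba4 is dropped, recycle
# added); the global full_audit:* settings still apply.
vfs objects = acl_xattr full_audit recycle
recycle:repository = Recycle Bin
recycle:keeptree = yes
recycle:minsize = 0
recycle:maxsize = 0
recycle:touch = yes
recycle:touch_mtime = yes
recycle:versions = yes
recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv
recycle:excludedir = /Recycle Bin
recycle:noversions = *.tmp|*.temp|*.dat|*.ini
recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH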
[profiles]
# Roaming profile store.
comment = Network Profiles Share
path = /mnt/storage/profiles
profile acls = Yes
browseable = No
# New files: (mode & 0644) | 0660 -> 0664; new directories get 0770 OR-ed in.
create mask = 0644
force create mode = 0660
force directory mode = 0770
# Writable, and unlike [homes] there is no `valid users` restriction here, so
# access is governed only by the on-disk permissions/ACLs.
read only = No
[netlogon]
# Logon scripts, served out of the sysvol tree.
comment = Network Netlogon Share
path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts
browseable = No
# Writable; who may actually write is decided by the NT ACLs on sysvol.
read only = No
[sysvol]
# Group Policy / sysvol replication share (no `comment` set).
path = /usr/local/samba/var/locks/sysvol
browseable = No
# Writable; who may actually write is decided by the NT ACLs on sysvol.
read only = No
2016-08-24 16:49 GMT+03:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 24 Aug 2016 16:03:05 +0300
> barış tombul <bbtombul at gmail.com> wrote:
>
>
> > > Strange, have you given 'FACILITY\btombul' the ID number
> > > '16777216' ?
> > >
> > > Can you post the smb.conf from the Samba AD DC and the Centos
> > > machine (please post what is actually there, not the output of
> > > 'samba-tool testparm -v')
> > >
> > > Rowland
> > >
> > >
> > >
> > >
>
>
> So I said 'not the output of 'samba-tool testparm -v'
> and what do I get LOL
>
> In English, putting 'not' in front of something, means 'do not
do this'
>
> Please post the output of 'cat /path/to/smb.conf' from BOTH
machines.
>
> Replacing '/path/to/smb.conf' with the path to your smb.conf
> i.e. /etc/samba/smb.conf
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Wed, 24 Aug 2016 20:42:35 +0300 barış tombul <bbtombul at gmail.com> wrote:> centos workstation: smb.conf >> > > [global] > workgroup = LAB > realm = LAB.LOCAL > security = ads > idmap config * : range = 16777216-33554431 > template homedir = /home/LAB/%U > template shell = /bin/bash > winbind use default domain = true > winbind offline logon = false > > > Samba Domain Server : smb.conf>> > > [global] > idmap cache time = 604800 > idmap negative cache time = 120 > idmap config LAB : range = 2000000-9999999 > idmap config LAB : default = yes > idmap config LAB : backend = ad > idmap config LAB : readonly = no > idmap config LAB : schema_mode = rfc2307 > idmap config LAB : cache time = 3600 > idmap config * : default = yes > idmap config * : readonly = no > idmap config * : schema_mode = rfc2307 > idmap config * : backend = tdb > idmap config * : range = 2000000-9999999 > idmap_ldb:use rfc2307 = yes > idmap config all : readonly = yes > idmap config all : default = yes > idmap config all : backend = tdb > ntlm auth = Yes > lanman auth = Yes > raw NTLMv2 auth = Yes > client NTLMv2 auth = Yes > client lanman auth = Yes > server max protocol = SMB3 > server min protocol = LANMAN1 > server multi channel support = No > client max protocol = default > client min protocol = CORE > restrict anonymous = 0 > security = USER > bind interfaces only = Yes > interfaces = lo ens192 > auth methods > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbindd, ntp_signd, kcc, dnsupdate > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, > backupkey, remote, dnsserver > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.keytab > winbind max clients = 500 > winbindd:use external pipes = true > winbind cache time = 300 > winbind reconnect delay = 30 > winbind request timeout = 60 > winbind max domain connections = 1 > winbindd socket directory = 
/usr/local/samba/var/run/winbindd > winbindd privileged socket directory > /usr/local/samba/var/lib/winbindd_privileged > winbind enum users = Yes > winbind enum groups = Yes > winbind use default domain = Yes > winbind trusted domains only = No > winbind nested groups = Yes > winbind expand groups = 10 > winbind nss info = rfc2307 > winbind refresh tickets = Yes > winbind offline logon = Yes > winbind normalize names = Yes > winbind sealed pipes = Yes > winbind rpc only = Yes > wins proxy = Yes > wins support = Yes > obey pam restrictions = No > ldap server require strong auth = no > dos charset = CP850 > unix charset = UTF-8 > workgroup = LAB > realm = LAB.LOCAL > netbios name = LAB > netbios scope > server string = LAB Samba Server > hosts allow = ALL 127.0.0.1 > guest ok = No > server role = active directory domain controller > server role check:inhibit = yes > log level = 3 passdb:3 auth:10 winbind:2 > log file = /var/log/samba/log.%m > rndc command = /usr/sbin/rndc > max log size = 0 > set primary group script > logging = file > allow dns updates = nonsecure and secure > dns update command = /usr/local/samba/sbin/samba_dnsupdate > pam password change = Yes > smb ports = 445 139 > nbt port = 137 > kpasswd port = 464 > krb5 port = 88 > web port = 901 > nbt port = 137 > dgram port = 138 > cldap port = 389 > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE > domain logons = Yes > os level = 255 > preferred master = Yes > local master = Yes > domain master = Yes > load printers = No > use client driver = No > show add printer wizard = Yes > printcap cache time = 0 > printcap name = cups > cups encrypt = No > cups connection timeout = 60 > disable spoolss = No > min print space = 0 > max reported print jobs = 0 > max print jobs = 1000 > print notify backchannel = No > printing = cups > cups options = raw > default devmode = Yes > force printername = Yes > printjob username = %U > lpq cache time = 30 > spoolss: architecture = Windows x64 > debug timestamp = 
Yes > debug prefix timestamp = No > debug hires timestamp = Yes > debug pid = No > debug uid = No > debug class = No > timestamp logs = Yes > require strong key = Yes > allow dcerpc auth level connect = No > client ipc signing = default > client ipc max protocol = default > client ipc min protocol = default > nsupdate command = /usr/bin/nsupdate -g > dns proxy = No > allow trusted domains = Yes > guest account = nobody > map to guest = Bad User > guest only = No > config backend = file > encrypt passwords = Yes > smb passwd file = /usr/local/samba/private/smbpasswd > private dir = /usr/local/samba/private > algorithmic rid base = 1000 > passdb expand explicit = No > passdb backend = tdbsam > passwd chat debug = No > passwd chat timeout = 2 > passwd program = /usr/local/samba/bin/smbpasswd %u > passwd chat = *New*password* %n\n *ReType*new*password* > %n\n*passwd:*all*authentication*tokens*updated*successfully* > password server = LAB.LAB.local > old password allowed period = 120 > unix password sync = Yes > client plaintext auth = No > map untrusted to domain = Yes > enable core files = Yes > large readwrite = Yes > unicode = Yes > read raw = Yes > write raw = Yes > disable netbios = No > reset on zero vc = No > log writeable files on exit = No > defer sharing violations = Yes > nt pipe support = Yes > nt status support = Yes > max mux = 50 > max xmit = 32768 > name resolve order = lmhosts wins host bcast > max ttl = 259200 > max wins ttl = 518400 > min wins ttl = 21600 > min receivefile size = 16384 > time server = Yes > time server = No > unix extensions = Yes > server signing = mandatory > client signing = mandatory > client schannel = Auto > server schannel = Auto > client use spnego = Yes > client ldap sasl wrapping = sign > enable asu support = No > rpc big endian = No > deadtime = 0 > getwd cache = Yes > keepalive = 300 > smbd profiling level = off > spotlight = No > max smbd processes = 0 > max disk size = 0 > max open files = 65535 > use mmap = Yes > 
hostname lookups = No > name cache timeout = 3600 > clustering = No > ctdb timeout = 0 > ctdb locktime warn threshold = 0 > smb2 max read = 8388608 > smb2 max write = 8388608 > smb2 max trans = 8388608 > smb2 max credits = 8192 > mangling method = hash2 > mangle prefix = 1 > max stat cache size = 256 > stat cache = Yes > machine password timeout = 604800 > username map cache time = 0 > username level = 0 > init logon delay = 100 > lm announce = Auto > lm interval = 60 > browse list = Yes > enhanced browsing = Yes > smb2 leases = Yes > ldap admin dn > ldap connection timeout = 2 > ldap delete dn = No > ldap deref = auto > ldap follow referral = Auto > ldap group suffix > ldap idmap suffix > ldap machine suffix > ldap page size = 1000 > ldap passwd sync = no > ldap replication sleep = 1000 > ldap server require strong auth = No > ldap ssl = start tls > ldap ssl ads = No > ldap suffix > ldap timeout = 15 > ldap user suffix > ldap debug level = 0 > ldap debug threshold = 10 > lock directory = /usr/local/samba/var/lock > state directory = /usr/local/samba/var/locks > cache directory = /usr/local/samba/var/cache > pid directory = /usr/local/samba/var/run > ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd > utmp = No > nmbd bind explicit broadcast = Yes > homedir map = auto.home > afs token lifetime = 604800 > afs share = No > NIS homedir = No > registry shares = No > usershare allow guests = No > usershare max shares = 0 > usershare owner only = Yes > usershare path = /usr/local/samba/var/locks/usershares > async smb echo handler = No > template homedir = /home/%D/%U > template shell = /bin/bash > create krb5 conf = Yes > ncalrpc dir = /usr/local/samba/var/run/ncalrpc > neutralize nt4 emulation = No > reject md5 servers = No > reject md5 clients = No > set quota command > multicast dns register = Yes > samba kcc command = /usr/local/samba/sbin/samba_kcc > spn update command = /usr/local/samba/sbin/samba_spnupdate > share backend = classic > allow nt4 
crypto = No > tls enabled = Yes > tls keyfile = tls/key.pem > tls certfile = tls/cert.pem > tls cafile = tls/ca.pem > tls crlfile > tls dh params file > tls verify peer = as_strict_as_possible > tls priority = NORMAL:-VERS-SSL3.0 > rpc_server:tcpip = no > rpc_daemon:spoolssd = fork > rpc_server:default = external > rpc_server:spoolss = external > rpc_server:svcctl = embedded > rpc_server:srvsvc = embedded > rpc_server:eventlog = embedded > rpc_server:ntsvcs = embedded > rpc_server:winreg = embedded > spoolssd:prefork_child_min_life = 60 > spoolssd:prefork_max_allowed_clients = 200 > spoolssd:prefork_spawn_rate = 5 > spoolssd:prefork_max_children = 75# > spoolssd:prefork_min_children = 5 > acl group control = No > acl map full control = Yes > acl allow execute always = No > force unknown acl user = No > inherit permissions = No > inherit acls = No > inherit owner = No > map acl inherit = No > nt acl support = Yes > profile acls = No > administrative share = No > allocation roundup size = 1048576 > aio read size = 16384 > aio write size = 16384 > aio max threads = 100 > ea support = No > smb encrypt = default > durable handles = Yes > block size = 1024 > change notify = Yes > directory name cache size = 100 > kernel change notify = Yes > max connections = 0 > strict allocate = No > strict rename = No > strict sync = No > sync always = No > use sendfile = No > write cache size = 0 > default case = lower > case sensitive = Auto > preserve case = Yes > short preserve case = Yes > mangling char = ~ > hide dot files = Yes > hide special files = No > hide unreadable = No > hide unwriteable files = No > delete veto files = No > map archive = No > map hidden = No > map system = No > map readonly = No > mangled names = Yes > mangling char = ~ > store dos attributes = Yes > dmapi support = No > browseable = Yes > access based share enum = No > blocking locks = Yes > csc policy = manual > lock spin time = 200 > oplock break wait time = 0 > fake oplocks = No > kernel oplocks = 
No > kernel share modes = Yes > locking = Yes > oplocks = Yes > level2 oplocks = Yes > oplock contention limit = 2 > posix locking = Yes > strict locking = Auto > dfree cache time = 0 > preexec close = No > root preexec close = No > available = Yes > fstype = NTFS > wide links = No > allow insecure wide links = No > follow symlinks = Yes > delete readonly = No > dos filemode = No > dos filetimes = Yes > dos filetime resolution = No > fake directory create times = No > host msdfs = Yes > msdfs root = No > msdfs shuffle referrals = No > ntvfs handler = unixuid, default > vfs objects = dfs_samba4 acl_xattr full_audit > full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S > full_audit:failure = connect disconnect > full_audit:success = connect disconnect opendir mkdir rmdir > closedir open close read pread write pwrite sendfile rename unlink > chmod fchmod chown fchown chdir ftruncate lock symlink readlink link > mknod full_audit:LAB = local5 > full_audit:priority = notice > [homes] > comment = Home Directories > path = /mnt/storage/homes/%U > browseable = No > hide files = /Recycle Bin/ > veto files = /*.encrypted/*.ecc/*.ccc/ > admin users = "@Domain Admins" > create mask = 0644 > force create mode = 0660 > force directory mode = 0770 > read only = No > valid users = "@Domain Users" > vfs objects = acl_xattr full_audit recycle > recycle:repository = Recycle Bin > recycle:keeptree = yes > recycle:minsize = 0 > recycle:maxsize = 0 > recycle:touch = yes > recycle:touch_mtime = yes > recycle:versions = yes > recycle:exclude > *.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv > recycle:excludedir = /Recycle Bin > recycle:noversions = *.tmp|*.temp|*.dat|*.ini > recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH > [profiles] > comment = Network Profiles Share > path = /mnt/storage/profiles > profile acls = Yes > browseable = No > create mask = 0644 > force create mode = 0660 > force directory mode = 0770 > read only = No > [netlogon] > comment = Network 
Netlogon Share > path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts > browseable = No > read only = No > [sysvol] > path = /usr/local/samba/var/locks/sysvol > browseable = No > read only = No > > > > > 2016-08-24 16:49 GMT+03:00 Rowland Penny via samba > <samba at lists.samba.org>: > > > On Wed, 24 Aug 2016 16:03:05 +0300 > > barış tombul <bbtombul at gmail.com> wrote: > > > > > > > > Strange, have you given 'FACILITY\btombul' the ID number > > > > '16777216' ? > > > > > > > > Can you post the smb.conf from the Samba AD DC and the Centos > > > > machine (please post what is actually there, not the output of > > > > 'samba-tool testparm -v') > > > > > > > > Rowland > > > > > > > > > > > > > > > > > > > > > > So I said 'not the output of 'samba-tool testparm -v' > > and what do I get LOL > > > > In English, putting 'not' in front of something, means 'do not do > > this' > > > > Please post the output of 'cat /path/to/smb.conf' from BOTH > > machines. > > > > Replacing '/path/to/smb.conf' with the path to your smb.conf > > i.e. /etc/samba/smb.conf > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > >OK, first question, why is the smb.conf on the DC so big ? second question, why do you expect them both to operate in the wrong way i.e. 
the DC has the 'idmap config' lines that should only be on a domain member, yet the domain member doesn't have these lines can I suggest you set the global part the DC smb.conf to this: [global] workgroup = LAB realm = LAB.LOCAL netbios name = LAB server role = active directory domain controller idmap_ldb:use rfc2307 = yes server string = LAB Samba Server server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate ldap server require strong auth = No winbind max clients = 500 winbind enum users = Yes winbind enum groups = Yes winbind refresh tickets = Yes winbind offline logon = Yes kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab bind interfaces only = Yes interfaces = lo ens192 allow dns updates = nonsecure and secure log level = 3 passdb:3 auth:10 winbind:2 log file = /var/log/samba/log.%m printcap cache time = 0 printcap name = cups force printername = Yes cups connection timeout = 60 cups options = raw name cache timeout = 3600 disable spoolss = No spoolss: architecture = Windows x64 rpc_daemon:spoolssd = fork spoolssd:prefork_child_min_life = 60 spoolssd:prefork_max_allowed_clients = 200 spoolssd:prefork_spawn_rate = 5 spoolssd:prefork_max_children = 75 spoolssd:prefork_min_children = 5 map to guest = Bad User passwd program = /usr/local/samba/bin/smbpasswd %u passwd chat = *New*password* %n\n *ReType*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully* old password allowed period = 120 max xmit = 32768 max open files = 65535 min receivefile size = 16384 homedir map = auto.home template shell = /bin/bash vfs objects = dfs_samba4 acl_xattr full_audit full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S full_audit:failure = connect disconnect full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod full_audit:LAB = local5 
full_audit:priority = notice aio read size = 16384 aio write size = 16384 This is yours without all the default and wrong lines, I would also point out that you could probably still remove a lot of the above lines. Go and browse the Samba wiki, this will explain how to set up the shares correctly. For the Centos domain member, see here: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member At the moment, you are mixing ALL the windows users and groups (builtin, domain admins and normal) in one range, you need two '*' & 'LAB', you have these on the DC, only problem, those lines have no effect on a DC. Rowland
I tried using the code you sent but I could not get it working. If possible could you send a smb.conf (both for client and server) file that you know that is working? 2016-08-25 0:24 GMT+03:00 Rowland Penny via samba <samba at lists.samba.org>:> On Wed, 24 Aug 2016 20:42:35 +0300 > barış tombul <bbtombul at gmail.com> wrote: > > > centos workstation: smb.conf >> > > > > [global] > > workgroup = LAB > > realm = LAB.LOCAL > > security = ads > > idmap config * : range = 16777216-33554431 > > template homedir = /home/LAB/%U > > template shell = /bin/bash > > winbind use default domain = true > > winbind offline logon = false > > > > > > Samba Domain Server : smb.conf>> > > > > [global] > > idmap cache time = 604800 > > idmap negative cache time = 120 > > idmap config LAB : range = 2000000-9999999 > > idmap config LAB : default = yes > > idmap config LAB : backend = ad > > idmap config LAB : readonly = no > > idmap config LAB : schema_mode = rfc2307 > > idmap config LAB : cache time = 3600 > > idmap config * : default = yes > > idmap config * : readonly = no > > idmap config * : schema_mode = rfc2307 > > idmap config * : backend = tdb > > idmap config * : range = 2000000-9999999 > > idmap_ldb:use rfc2307 = yes > > idmap config all : readonly = yes > > idmap config all : default = yes > > idmap config all : backend = tdb > > ntlm auth = Yes > > lanman auth = Yes > > raw NTLMv2 auth = Yes > > client NTLMv2 auth = Yes > > client lanman auth = Yes > > server max protocol = SMB3 > > server min protocol = LANMAN1 > > server multi channel support = No > > client max protocol = default > > client min protocol = CORE > > restrict anonymous = 0 > > security = USER > > bind interfaces only = Yes > > interfaces = lo ens192 > > auth methods > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > > winbindd, ntp_signd, kcc, dnsupdate > > dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, > > netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, > > 
backupkey, remote, dnsserver > > kerberos method = secrets and keytab > > dedicated keytab file = /etc/krb5.keytab > > winbind max clients = 500 > > winbindd:use external pipes = true > > winbind cache time = 300 > > winbind reconnect delay = 30 > > winbind request timeout = 60 > > winbind max domain connections = 1 > > winbindd socket directory = /usr/local/samba/var/run/winbindd > > winbindd privileged socket directory > > /usr/local/samba/var/lib/winbindd_privileged > > winbind enum users = Yes > > winbind enum groups = Yes > > winbind use default domain = Yes > > winbind trusted domains only = No > > winbind nested groups = Yes > > winbind expand groups = 10 > > winbind nss info = rfc2307 > > winbind refresh tickets = Yes > > winbind offline logon = Yes > > winbind normalize names = Yes > > winbind sealed pipes = Yes > > winbind rpc only = Yes > > wins proxy = Yes > > wins support = Yes > > obey pam restrictions = No > > ldap server require strong auth = no > > dos charset = CP850 > > unix charset = UTF-8 > > workgroup = LAB > > realm = LAB.LOCAL > > netbios name = LAB > > netbios scope > > server string = LAB Samba Server > > hosts allow = ALL 127.0.0.1 > > guest ok = No > > server role = active directory domain controller > > server role check:inhibit = yes > > log level = 3 passdb:3 auth:10 winbind:2 > > log file = /var/log/samba/log.%m > > rndc command = /usr/sbin/rndc > > max log size = 0 > > set primary group script > > logging = file > > allow dns updates = nonsecure and secure > > dns update command = /usr/local/samba/sbin/samba_dnsupdate > > pam password change = Yes > > smb ports = 445 139 > > nbt port = 137 > > kpasswd port = 464 > > krb5 port = 88 > > web port = 901 > > nbt port = 137 > > dgram port = 138 > > cldap port = 389 > > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE > > domain logons = Yes > > os level = 255 > > preferred master = Yes > > local master = Yes > > domain master = Yes > > load printers = No > > use client driver = No 
> > show add printer wizard = Yes > > printcap cache time = 0 > > printcap name = cups > > cups encrypt = No > > cups connection timeout = 60 > > disable spoolss = No > > min print space = 0 > > max reported print jobs = 0 > > max print jobs = 1000 > > print notify backchannel = No > > printing = cups > > cups options = raw > > default devmode = Yes > > force printername = Yes > > printjob username = %U > > lpq cache time = 30 > > spoolss: architecture = Windows x64 > > debug timestamp = Yes > > debug prefix timestamp = No > > debug hires timestamp = Yes > > debug pid = No > > debug uid = No > > debug class = No > > timestamp logs = Yes > > require strong key = Yes > > allow dcerpc auth level connect = No > > client ipc signing = default > > client ipc max protocol = default > > client ipc min protocol = default > > nsupdate command = /usr/bin/nsupdate -g > > dns proxy = No > > allow trusted domains = Yes > > guest account = nobody > > map to guest = Bad User > > guest only = No > > config backend = file > > encrypt passwords = Yes > > smb passwd file = /usr/local/samba/private/smbpasswd > > private dir = /usr/local/samba/private > > algorithmic rid base = 1000 > > passdb expand explicit = No > > passdb backend = tdbsam > > passwd chat debug = No > > passwd chat timeout = 2 > > passwd program = /usr/local/samba/bin/smbpasswd %u > > passwd chat = *New*password* %n\n *ReType*new*password* > > %n\n*passwd:*all*authentication*tokens*updated*successfully* > > password server = LAB.LAB.local > > old password allowed period = 120 > > unix password sync = Yes > > client plaintext auth = No > > map untrusted to domain = Yes > > enable core files = Yes > > large readwrite = Yes > > unicode = Yes > > read raw = Yes > > write raw = Yes > > disable netbios = No > > reset on zero vc = No > > log writeable files on exit = No > > defer sharing violations = Yes > > nt pipe support = Yes > > nt status support = Yes > > max mux = 50 > > max xmit = 32768 > > name resolve order = 
lmhosts wins host bcast > > max ttl = 259200 > > max wins ttl = 518400 > > min wins ttl = 21600 > > min receivefile size = 16384 > > time server = Yes > > time server = No > > unix extensions = Yes > > server signing = mandatory > > client signing = mandatory > > client schannel = Auto > > server schannel = Auto > > client use spnego = Yes > > client ldap sasl wrapping = sign > > enable asu support = No > > rpc big endian = No > > deadtime = 0 > > getwd cache = Yes > > keepalive = 300 > > smbd profiling level = off > > spotlight = No > > max smbd processes = 0 > > max disk size = 0 > > max open files = 65535 > > use mmap = Yes > > hostname lookups = No > > name cache timeout = 3600 > > clustering = No > > ctdb timeout = 0 > > ctdb locktime warn threshold = 0 > > smb2 max read = 8388608 > > smb2 max write = 8388608 > > smb2 max trans = 8388608 > > smb2 max credits = 8192 > > mangling method = hash2 > > mangle prefix = 1 > > max stat cache size = 256 > > stat cache = Yes > > machine password timeout = 604800 > > username map cache time = 0 > > username level = 0 > > init logon delay = 100 > > lm announce = Auto > > lm interval = 60 > > browse list = Yes > > enhanced browsing = Yes > > smb2 leases = Yes > > ldap admin dn > > ldap connection timeout = 2 > > ldap delete dn = No > > ldap deref = auto > > ldap follow referral = Auto > > ldap group suffix > > ldap idmap suffix > > ldap machine suffix > > ldap page size = 1000 > > ldap passwd sync = no > > ldap replication sleep = 1000 > > ldap server require strong auth = No > > ldap ssl = start tls > > ldap ssl ads = No > > ldap suffix > > ldap timeout = 15 > > ldap user suffix > > ldap debug level = 0 > > ldap debug threshold = 10 > > lock directory = /usr/local/samba/var/lock > > state directory = /usr/local/samba/var/locks > > cache directory = /usr/local/samba/var/cache > > pid directory = /usr/local/samba/var/run > > ntp signd socket directory = /usr/local/samba/var/lib/ntp_signd > > utmp = No > > nmbd bind explicit 
broadcast = Yes > > homedir map = auto.home > > afs token lifetime = 604800 > > afs share = No > > NIS homedir = No > > registry shares = No > > usershare allow guests = No > > usershare max shares = 0 > > usershare owner only = Yes > > usershare path = /usr/local/samba/var/locks/usershares > > async smb echo handler = No > > template homedir = /home/%D/%U > > template shell = /bin/bash > > create krb5 conf = Yes > > ncalrpc dir = /usr/local/samba/var/run/ncalrpc > > neutralize nt4 emulation = No > > reject md5 servers = No > > reject md5 clients = No > > set quota command > > multicast dns register = Yes > > samba kcc command = /usr/local/samba/sbin/samba_kcc > > spn update command = /usr/local/samba/sbin/samba_spnupdate > > share backend = classic > > allow nt4 crypto = No > > tls enabled = Yes > > tls keyfile = tls/key.pem > > tls certfile = tls/cert.pem > > tls cafile = tls/ca.pem > > tls crlfile > > tls dh params file > > tls verify peer = as_strict_as_possible > > tls priority = NORMAL:-VERS-SSL3.0 > > rpc_server:tcpip = no > > rpc_daemon:spoolssd = fork > > rpc_server:default = external > > rpc_server:spoolss = external > > rpc_server:svcctl = embedded > > rpc_server:srvsvc = embedded > > rpc_server:eventlog = embedded > > rpc_server:ntsvcs = embedded > > rpc_server:winreg = embedded > > spoolssd:prefork_child_min_life = 60 > > spoolssd:prefork_max_allowed_clients = 200 > > spoolssd:prefork_spawn_rate = 5 > > spoolssd:prefork_max_children = 75# > > spoolssd:prefork_min_children = 5 > > acl group control = No > > acl map full control = Yes > > acl allow execute always = No > > force unknown acl user = No > > inherit permissions = No > > inherit acls = No > > inherit owner = No > > map acl inherit = No > > nt acl support = Yes > > profile acls = No > > administrative share = No > > allocation roundup size = 1048576 > > aio read size = 16384 > > aio write size = 16384 > > aio max threads = 100 > > ea support = No > > smb encrypt = default > > durable handles = 
Yes > > block size = 1024 > > change notify = Yes > > directory name cache size = 100 > > kernel change notify = Yes > > max connections = 0 > > strict allocate = No > > strict rename = No > > strict sync = No > > sync always = No > > use sendfile = No > > write cache size = 0 > > default case = lower > > case sensitive = Auto > > preserve case = Yes > > short preserve case = Yes > > mangling char = ~ > > hide dot files = Yes > > hide special files = No > > hide unreadable = No > > hide unwriteable files = No > > delete veto files = No > > map archive = No > > map hidden = No > > map system = No > > map readonly = No > > mangled names = Yes > > mangling char = ~ > > store dos attributes = Yes > > dmapi support = No > > browseable = Yes > > access based share enum = No > > blocking locks = Yes > > csc policy = manual > > lock spin time = 200 > > oplock break wait time = 0 > > fake oplocks = No > > kernel oplocks = No > > kernel share modes = Yes > > locking = Yes > > oplocks = Yes > > level2 oplocks = Yes > > oplock contention limit = 2 > > posix locking = Yes > > strict locking = Auto > > dfree cache time = 0 > > preexec close = No > > root preexec close = No > > available = Yes > > fstype = NTFS > > wide links = No > > allow insecure wide links = No > > follow symlinks = Yes > > delete readonly = No > > dos filemode = No > > dos filetimes = Yes > > dos filetime resolution = No > > fake directory create times = No > > host msdfs = Yes > > msdfs root = No > > msdfs shuffle referrals = No > > ntvfs handler = unixuid, default > > vfs objects = dfs_samba4 acl_xattr full_audit > > full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S > > full_audit:failure = connect disconnect > > full_audit:success = connect disconnect opendir mkdir rmdir > > closedir open close read pread write pwrite sendfile rename unlink > > chmod fchmod chown fchown chdir ftruncate lock symlink readlink link > > mknod full_audit:LAB = local5 > > full_audit:priority = notice > > [homes] > > 
comment = Home Directories > > path = /mnt/storage/homes/%U > > browseable = No > > hide files = /Recycle Bin/ > > veto files = /*.encrypted/*.ecc/*.ccc/ > > admin users = "@Domain Admins" > > create mask = 0644 > > force create mode = 0660 > > force directory mode = 0770 > > read only = No > > valid users = "@Domain Users" > > vfs objects = acl_xattr full_audit recycle > > recycle:repository = Recycle Bin > > recycle:keeptree = yes > > recycle:minsize = 0 > > recycle:maxsize = 0 > > recycle:touch = yes > > recycle:touch_mtime = yes > > recycle:versions = yes > > recycle:exclude > > *.tmp|*.temp|*.o|*.obj|~$*|*.??|*.log|*.trace|*.TMP|*.ASV|*.$$$|*.asv > > recycle:excludedir = /Recycle Bin > > recycle:noversions = *.tmp|*.temp|*.dat|*.ini > > recycle:mode = KEEP_DIRECTORIES|VERSION|TOUCH > > [profiles] > > comment = Network Profiles Share > > path = /mnt/storage/profiles > > profile acls = Yes > > browseable = No > > create mask = 0644 > > force create mode = 0660 > > force directory mode = 0770 > > read only = No > > [netlogon] > > comment = Network Netlogon Share > > path = /usr/local/samba/var/locks/sysvol/LAB.local/scripts > > browseable = No > > read only = No > > [sysvol] > > path = /usr/local/samba/var/locks/sysvol > > browseable = No > > read only = No > > > > > > > > > > 2016-08-24 16:49 GMT+03:00 Rowland Penny via samba > > <samba at lists.samba.org>: > > > > > On Wed, 24 Aug 2016 16:03:05 +0300 > > > barış tombul <bbtombul at gmail.com> wrote: > > > > > > > > > > > Strange, have you given 'FACILITY\btombul' the ID number > > > > > '16777216' ? 
> > > > > > > > > > Can you post the smb.conf from the Samba AD DC and the Centos > > > > > machine (please post what is actually there, not the output of > > > > > 'samba-tool testparm -v') > > > > > > > > > > Rowland > > > > > > > > > > > > > > > > > > > > > > > > > > > > > So I said 'not the output of 'samba-tool testparm -v' > > > and what do I get LOL > > > > > > In English, putting 'not' in front of something means 'do not do > > > this' > > > > > > Please post the output of 'cat /path/to/smb.conf' from BOTH > > > machines. > > > > > > Replacing '/path/to/smb.conf' with the path to your smb.conf > > > i.e. /etc/samba/smb.conf > > > > > > Rowland > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > OK, first question: why is the smb.conf on the DC so big? > Second question: why do you expect them both to operate in the wrong way, > i.e. the DC has the 'idmap config' lines that should only be on a domain > member, yet the domain member doesn't have these lines. > > Can I suggest you set the global part of the DC smb.conf to this: > > [global] > workgroup = LAB > realm = LAB.LOCAL > netbios name = LAB > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > server string = LAB Samba Server > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbindd, ntp_signd, kcc, dnsupdate > ldap server require strong auth = No > winbind max clients = 500 > winbind enum users = Yes > winbind enum groups = Yes > winbind refresh tickets = Yes > winbind offline logon = Yes > kerberos method = secrets and keytab > dedicated keytab file = /etc/krb5.keytab > bind interfaces only = Yes > interfaces = lo ens192 > allow dns updates = nonsecure and secure > log level = 3 passdb:3 auth:10 winbind:2 > log file = /var/log/samba/log.%m > printcap cache time = 0 > printcap name = cups > force printername = Yes > cups connection timeout = 
60 > cups options = raw > name cache timeout = 3600 > disable spoolss = No > spoolss: architecture = Windows x64 > rpc_daemon:spoolssd = fork > spoolssd:prefork_child_min_life = 60 > spoolssd:prefork_max_allowed_clients = 200 > spoolssd:prefork_spawn_rate = 5 > spoolssd:prefork_max_children = 75 > spoolssd:prefork_min_children = 5 > map to guest = Bad User > passwd program = /usr/local/samba/bin/smbpasswd %u > passwd chat = *New*password* %n\n *ReType*new*password* > %n\n*passwd:*all*authentication*tokens*updated*successfully* > old password allowed period = 120 > max xmit = 32768 > max open files = 65535 > min receivefile size = 16384 > homedir map = auto.home > template shell = /bin/bash > vfs objects = dfs_samba4 acl_xattr full_audit > full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S > full_audit:failure = connect disconnect > full_audit:success = connect disconnect opendir mkdir rmdir closedir > open close read pread write pwrite sendfile rename unlink chmod fchmod > chown fchown chdir ftruncate lock symlink readlink link mknod > full_audit:LAB = local5 > full_audit:priority = notice > aio read size = 16384 > aio write size = 16384 > > This is yours without all the default and wrong lines; I would also > point out that you could probably still remove a lot of the above > lines. > > Go and browse the Samba wiki; it will explain how to set up the > shares correctly. > For the Centos domain member, see here: > > https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member > > At the moment, you are mixing ALL the windows users and groups > (builtin, domain admins and normal) in one range; you need two ranges, one for '*' and one for > 'LAB'. You have these on the DC, but the only problem is that those lines have no > effect on a DC. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >