Using testparm of 4.6.0rc2 against the smb.conf of a production server (the
production server is not using rc2, don't worry) produces the error:
[root@fwborda1 samba-460rc2]# testparm /root/smb.conf
Load smb config files from /root/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
bind interfaces only = Yes
interfaces = 127.0.0.1 172.22.2.27
netbios name = paladine
realm = dragonlance.org
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = E-TRUST
allow dns updates = nonsecure and secure
log file = /var/log/samba/%M.log
disable spoolss = Yes
load printers = No
printcap name = /dev/null
passdb backend = samba_dsdb
restrict anonymous = 2
server role = active directory domain controller
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
printing = bsd
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path = /var/lib/samba/sysvol/dragonlance.org/scripts
browseable = No
read only = No
[sysvol]
path = /var/lib/samba/sysvol
browseable = No
read only = No
The original smb.conf does not have idmap set up. Is it supposed to? Here's
the original file (yes, I'm omitting domain name and IP addresses):
# Global parameters
[global]
netbios name = paladine
realm = dragonlance.org
workgroup = dragonlance
#dns forwarder = 172.22.2.12
server role = active directory domain controller
interfaces = 127.0.0.1 172.22.2.27
bind interfaces only = yes
server services = -dns
#Use settings from AD for login shell and home directory
idmap_ldb:use rfc2307 = yes
#Winbind Configuration
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind nss info = rfc2307
template shell = /bin/bash
template homedir = /home/%U
#Disable CUPS
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#remove vulnerability
#"26920 - Microsoft Windows SMB NULL Session Authentication"
restrict anonymous = 2
allow dns updates = nonsecure
#allow dns updates = nonsecure and secure
#allow dns updates = secure only
nsupdate command = /usr/bin/nsupdate -g
#idmap config *:backend = ad
#idmap config *:range = 2000-9999
#idmap config for domain E-TRUST
#idmap config DRAGONLANCE:backend = ad
#idmap config DRAGONLANCE:schema_mode = rfc2307
#idmap config DRAGONLANCE:range = 10000-40000
#idmap cache time = 1
#idmap negative cache time = 1
#winbind cache time = 1
#log level=3
#log level = 1 auth:3
log file=/var/log/samba/%M.log
[netlogon]
path = /var/lib/samba/sysvol/dragonlance.org/scripts
read only = No
browseable = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No
--
Vinicius Silva
SOC
BRA: + 55 51 2117.1000 | 55 11 5521.2021
USA: + 1 888 259.5801
vbs at e-trust.com.br
skype: vinicius.bones.silva
www.e-trust.com.br <http://www.e-trust.com.br/>