On Sat, 2018-09-15 at 13:57 +0100, Rowland Penny wrote:
> On Sat, 15 Sep 2018 05:39:02 -0700
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Sat, 2018-09-15 at 10:37 +0100, Rowland Penny via samba wrote:
> > > On Sat, 15 Sep 2018 04:02:29 -0500
> > > "David C. Rankin via samba" <samba at lists.samba.org> wrote:
> > >
> > > > On 09/15/2018 03:40 AM, Rowland Penny via samba wrote:
> > > > > It is undoubtedly for a 'standalone server', so why does it also
> > > > > have the line 'domain master = Yes' ??
> > > > > It cannot be both, I would suggest removing this line.
> > > > >
> > > > > Rowland
> > > >
> > > > Rowland,
> > > >
> > > > domain master=yes used to be standard for stand-alone to cause nmbd
> > > > claim a special domain specific NetBIOS name as a domain master
> > > > browser (based on the os level/preferred master election rules)
> > > >
> > > > man smb.conf does not mention any discontinuation for use in
> > > > stand-alone mode. Should it not be used any longer in that role,
> > > > or is it a matter of network scale?
> > >
> > > Things have changed, you should allow the domain/workgroup to set
> > > its own master especially if there is a PDC or DC in the mix.
> >
> > Rowland,
> >
> > The purpose of the 'domain master' parameter is as David describes, to
> > configure exactly this mode.
> >
> > It is not in conflict with 'server role = standalone server', the
> > parameters are intended to allow this, which is why the default for
> > 'domain master' is 'auto'.
> >
> > I hope this clarifies things,
> >
> > Andrew Bartlett
>
> Not really, if you examine man smb.conf, you will find this:
>
> domain master (G)
>
>     Tell smbd(8) to enable WAN-wide browse list collation. Setting this
>     option causes nmbd to claim a special domain specific NetBIOS name
>     that identifies it as a domain master browser for its given
>     workgroup. Local master browsers in the same workgroup on
>     broadcast-isolated subnets will give this nmbd their local browse
>     lists, and then ask smbd(8) for a complete copy of the browse list
>     for the whole wide area network. Browser clients will then contact
>     their local master browser, and will receive the domain-wide browse
>     list, instead of just the list for their broadcast-isolated subnet.
>
> ...
>
> So, from my reading, you should only set 'domain master' (be it 'yes'
> or 'no') on a PDC or a BDC, on anything else it shouldn't be set at all
> and allow the default, which is auto.

No, there is that third mode, being a domain master browser alone.

That is what the first paragraph above refers.

> Also, doesn't network browsing need SMBv1 and isn't it now turned off
> by default ?

Yes it uses SMBv1, but no it is still very popular.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On Sat, 15 Sep 2018 06:05:33 -0700
Andrew Bartlett <abartlet at samba.org> wrote:

> On Sat, 2018-09-15 at 13:57 +0100, Rowland Penny wrote:
> > On Sat, 15 Sep 2018 05:39:02 -0700
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Sat, 2018-09-15 at 10:37 +0100, Rowland Penny via samba wrote:
> > > > On Sat, 15 Sep 2018 04:02:29 -0500
> > > > "David C. Rankin via samba" <samba at lists.samba.org> wrote:
> > > >
> > > > > On 09/15/2018 03:40 AM, Rowland Penny via samba wrote:
> > > > > > It is undoubtedly for a 'standalone server', so why does it
> > > > > > also have the line 'domain master = Yes' ??
> > > > > > It cannot be both, I would suggest removing this line.
> > > > > >
> > > > > > Rowland
> > > > >
> > > > > Rowland,
> > > > >
> > > > > domain master=yes used to be standard for stand-alone to cause
> > > > > nmbd claim a special domain specific NetBIOS name as a domain
> > > > > master browser (based on the os level/preferred master
> > > > > election rules)
> > > > >
> > > > > man smb.conf does not mention any discontinuation for use in
> > > > > stand-alone mode. Should it not be used any longer in that
> > > > > role, or is it a matter of network scale?
> > > >
> > > > Things have changed, you should allow the domain/workgroup to
> > > > set its own master especially if there is a PDC or DC in the
> > > > mix.
> > >
> > > Rowland,
> > >
> > > The purpose of the 'domain master' parameter is as David
> > > describes, to configure exactly this mode.
> > >
> > > It is not in conflict with 'server role = standalone server', the
> > > parameters are intended to allow this, which is why the default
> > > for 'domain master' is 'auto'.
> > >
> > > I hope this clarifies things,
> > >
> > > Andrew Bartlett
> >
> > Not really, if you examine man smb.conf, you will find this:
> >
> > domain master (G)
> >
> >     Tell smbd(8) to enable WAN-wide browse list collation. Setting
> >     this option causes nmbd to claim a special domain specific
> >     NetBIOS name that identifies it as a domain master browser for
> >     its given workgroup. Local master browsers in the same workgroup
> >     on broadcast-isolated subnets will give this nmbd their local
> >     browse lists, and then ask smbd(8) for a complete copy of the
> >     browse list for the whole wide area network. Browser clients
> >     will then contact their local master browser, and will receive
> >     the domain-wide browse list, instead of just the list for their
> >     broadcast-isolated subnet.
> >
> > ...
> >
> > So, from my reading, you should only set 'domain master' (be it
> > 'yes' or 'no') on a PDC or a BDC, on anything else it shouldn't be
> > set at all and allow the default, which is auto.
>
> No, there is that third mode, being a domain master browser alone.
>
> That is what the first paragraph above refers.
>
> > Also, doesn't network browsing need SMBv1 and isn't it now turned
> > off by default ?
>
> Yes it uses SMBv1, but no it is still very popular.
>

I wasn't talking about how popular it is, I was talking about 'ntlm auth' not being set in the OP's smb.conf, so it is using the default NTLMv2, so browsing will not work.

I personally think we are both right here, you for the bug and myself for saying you shouldn't set 'domain master' on a standalone server.

Rowland
On Sat, 2018-09-15 at 14:18 +0100, Rowland Penny wrote:
> I wasn't talking about how popular it is, I was talking about 'ntlm
> auth' not being set in the OP's smb.conf, so it is using the default
> NTLMv2, so browsing will not work.

I'm not aware of any connection between NTLM authentication versions and browsing, which is typically anonymous anyway. What makes you say browsing would not work?

> I personally think we are both right here, you for the bug and myself
> for saying you shouldn't set 'domain master' on a standalone server.

Until we deprecate it, it is a supported configuration. Given the way nmbd operates, the same would happen on a 'classic' DC.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba