Hi,

Thanks. Well, winbind enum is needed, and ntlm auth is required by some applications; it seems that Samba has it disabled by default but Windows has it enabled. We have to migrate some old applications.

I understand that it is OK with your comments.

Thanks

Message from Trenta sis <trenta.sis at gmail.com> on Mon 23 Sep 2019 at 11:22:
>
> Hi,
>
> I have used testparm.
>
> smb.conf from dc1 4.4.5
> # Global parameters
> [global]
>
>     bind interfaces only = Yes
>     interfaces = lo eth0 eth0:0
>     netbios name = server1
>     realm = DOMAIN.COM
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = DOMAIN
>     server role = active directory domain controller
>     idmap_ldb:use rfc2307 = yes
>     comment
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     tls enabled = yes
>     tls keyfile = tls/server1.pem.key
>     tls certfile = tls/server1.pem.crt
>     tls cafile = tls/ca.pem.crt
>
>     tls verify peer = ca_and_name
>
>     ldap server require strong auth = no
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
>
> smb.conf dc2 4.10.7
> # Global parameters
> [global]
>     bind interfaces only = Yes
>     interfaces = lo eth0 eth0:0
>     netbios name = server2
>     realm = DOMAIN.COM
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = DOMAIN
>     idmap_ldb:use rfc2307 = yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     tls enabled = yes
>     tls keyfile = tls/server2.pem.key
>     tls certfile = tls/server2.pem.crt
>     tls cafile = tls/ca.pem.crt
>
>     tls verify peer = ca_and_name
>
>     ldap server require strong auth = no
>
>     # tmp lan
>     ntlm auth = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
> It seems that samba-tool testparm doesn't show
>     map readonly = no
>     store dos attributes = Yes
>
> Is our current config good?
> The next step is to demote and rejoin 4.4.5, and I suspect that these
> attributes will then be removed with 4.10.7, but I'm not sure if this can have
> any impact on our infrastructure.
>
> Thanks
>
>
> Message from Trenta sis <trenta.sis at gmail.com> on Mon 23 Sep 2019 at 10:46:
> >
> > Hi,
> >
> > Recently we have added 4.10.7 as an additional DC to our existing 4.4.5
> > Samba AD DC. Comparing testparm output I have noticed that 4.4.5 has
> >     map readonly = no
> >     store dos attributes = Yes
> >
> > but 4.10.7 doesn't.
> >
> > I also compared smb.conf and both have the same configuration.
> >
> > Is this correct? Are these settings required on 4.10.7?
> > In a few days I want to upgrade this 4.4.5 with a rejoin, but I'm not
> > sure what I have to do about these two differences.
> >
> > Thanks
On 23/09/2019 11:37, Trenta sis via samba wrote:
> Hi,
>
> Thanks. Well, winbind enum is needed, and ntlm auth is required by some
> applications; it seems that Samba has it disabled by default but Windows has
> it enabled. We have to migrate some old applications.

Why do you need 'winbind enum'? 'getent' & 'id' will work without the lines; the only thing they do is make 'getent user' & 'getent group' display all users or groups. Why do you need this?

I would update and fix whatever needs 'ntlm auth = yes'; it is no longer the default on either Samba or Windows 10.

Rowland
Thanks. ntlm auth is temporary until we have solved some issues.
getent is needed by the filesystem ACLs.

Thanks for all.

Message from Trenta sis <trenta.sis at gmail.com> on Mon 23 Sep 2019 at 12:37:
>
> Hi,
>
> Thanks. Well, winbind enum is needed, and ntlm auth is required by some
> applications; it seems that Samba has it disabled by default but Windows has
> it enabled. We have to migrate some old applications.
>
> I understand that it is OK with your comments.
>
> Thanks
>
> Message from Trenta sis <trenta.sis at gmail.com> on Mon 23 Sep 2019 at 11:22:
> >
> > Hi,
> >
> > I have used testparm.
> >
> > smb.conf from dc1 4.4.5
> > # Global parameters
> > [global]
> >
> >     bind interfaces only = Yes
> >     interfaces = lo eth0 eth0:0
> >     netbios name = server1
> >     realm = DOMAIN.COM
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = DOMAIN
> >     server role = active directory domain controller
> >     idmap_ldb:use rfc2307 = yes
> >     comment
> >
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >
> >     tls enabled = yes
> >     tls keyfile = tls/server1.pem.key
> >     tls certfile = tls/server1.pem.crt
> >     tls cafile = tls/ca.pem.crt
> >
> >     tls verify peer = ca_and_name
> >
> >     ldap server require strong auth = no
> >
> > [netlogon]
> >     path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /usr/local/samba/var/locks/sysvol
> >     read only = No
> >
> >
> > smb.conf dc2 4.10.7
> > # Global parameters
> > [global]
> >     bind interfaces only = Yes
> >     interfaces = lo eth0 eth0:0
> >     netbios name = server2
> >     realm = DOMAIN.COM
> >     server role = active directory domain controller
> >     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >     workgroup = DOMAIN
> >     idmap_ldb:use rfc2307 = yes
> >
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >
> >     tls enabled = yes
> >     tls keyfile = tls/server2.pem.key
> >     tls certfile = tls/server2.pem.crt
> >     tls cafile = tls/ca.pem.crt
> >
> >     tls verify peer = ca_and_name
> >
> >     ldap server require strong auth = no
> >
> >     # tmp lan
> >     ntlm auth = yes
> >
> > [netlogon]
> >     path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
> >     read only = No
> >
> > [sysvol]
> >     path = /usr/local/samba/var/locks/sysvol
> >     read only = No
> >
> > It seems that samba-tool testparm doesn't show
> >     map readonly = no
> >     store dos attributes = Yes
> >
> > Is our current config good?
> > The next step is to demote and rejoin 4.4.5, and I suspect that these
> > attributes will then be removed with 4.10.7, but I'm not sure if this can have
> > any impact on our infrastructure.
> >
> > Thanks
> >
> >
> > Message from Trenta sis <trenta.sis at gmail.com> on Mon 23 Sep 2019 at 10:46:
> > >
> > > Hi,
> > >
> > > Recently we have added 4.10.7 as an additional DC to our existing 4.4.5
> > > Samba AD DC. Comparing testparm output I have noticed that 4.4.5 has
> > >     map readonly = no
> > >     store dos attributes = Yes
> > >
> > > but 4.10.7 doesn't.
> > >
> > > I also compared smb.conf and both have the same configuration.
> > >
> > > Is this correct? Are these settings required on 4.10.7?
> > > In a few days I want to upgrade this 4.4.5 with a rejoin, but I'm not
> > > sure what I have to do about these two differences.
> > >
> > > Thanks
On 23/09/2019 13:42, Trenta sis via samba wrote:
> Thanks. ntlm auth is temporary until we have solved some issues.
> getent is needed by the filesystem ACLs.
>

If you think you need the 'winbind enum' lines so that 'getent' works, then think again ;-)

If you do not have the 'winbind enum' lines, 'getent passwd username' will still work. 'getent passwd' will only display local users, but 'getent passwd rowland' displays this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

I repeat (louder this time): NO ONE NEEDS THE 'WINBIND ENUM' LINES IN SMB.CONF

Rowland
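The three settings argued about in this thread (ntlm auth = yes, ldap server require strong auth = no, and the two winbind enum lines) are easy to miss in a long testparm listing, so here is a small audit script that flags them. It is an added example written for this page, not code from the thread or from the Samba project. It assumes an smb.conf in the form `testparm -s` / `samba-tool testparm` prints; the two embedded configs are constructed for the example (one modelled on the dc2 listing above, one with the settings returned to the defaults stated in Rowland's replies), and the server names, realm and paths are simply copied from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit a testparm-style smb.conf
# for the settings discussed in this thread.  Both sample configs below are
# constructed for this example; they do not describe a real host.

WEAK_SMB_CONF='# Global parameters
[global]
	netbios name = server2
	realm = DOMAIN.COM
	workgroup = DOMAIN
	server role = active directory domain controller
	winbind enum users = yes
	winbind enum groups = yes
	tls enabled = yes
	ldap server require strong auth = no
	# tmp lan
	ntlm auth = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
	read only = No
'

# Same host with the three settings back at the Samba defaults.
HARDENED_SMB_CONF='# Global parameters
[global]
	netbios name = server2
	realm = DOMAIN.COM
	workgroup = DOMAIN
	server role = active directory domain controller
	tls enabled = yes
	ldap server require strong auth = yes
	ntlm auth = ntlmv2-only

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
	read only = No
'

# global_param FILE NAME: print the [global] value of NAME (lowercased),
# nothing if the parameter is not set there.  Comment lines and other
# sections are ignored; the first "=" separates key from value.
global_param() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && index($0, "=") > 0 {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) {
                val = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# audit_smb_conf FILE: one finding per line on stdout, nothing for a clean file.
audit_smb_conf() {
    f="$1"
    case "$(global_param "$f" 'ntlm auth')" in
        yes|true|1|ntlmv1-permitted)
            echo "ntlm auth: NTLMv1 responses accepted; the default is ntlmv2-only" ;;
    esac
    case "$(global_param "$f" 'ldap server require strong auth')" in
        no|false|0)
            echo "ldap server require strong auth: simple binds accepted without TLS; the default is yes" ;;
    esac
    for p in 'winbind enum users' 'winbind enum groups'; do
        case "$(global_param "$f" "$p")" in
            yes|true|1)
                echo "$p: only makes 'getent passwd'/'getent group' list domain entries; 'getent passwd USER' works without it" ;;
        esac
    done
}

# finding_count FILE: number of findings as a bare integer.
finding_count() {
    audit_smb_conf "$1" | wc -l | tr -d ' '
}

# sample_file weak|hardened: write that embedded sample to a temp file, print its path.
sample_file() {
    t=$(mktemp)
    case "$1" in
        weak) printf '%s' "$WEAK_SMB_CONF" > "$t" ;;
        *)    printf '%s' "$HARDENED_SMB_CONF" > "$t" ;;
    esac
    echo "$t"
}

# Stand-alone run: audit both samples, then a real file if one is given.
main() {
    w=$(sample_file weak); h=$(sample_file hardened)
    echo "== dc2-style config: $(finding_count "$w") finding(s) =="; audit_smb_conf "$w"
    echo "== hardened config: $(finding_count "$h") finding(s) ==";  audit_smb_conf "$h"
    rm -f "$w" "$h"
    [ -n "$1" ] && { echo "== $1 =="; audit_smb_conf "$1"; }
    return 0
}
main "$@"
```

Run it against a live DC with `testparm -s 2>/dev/null > /tmp/smb.conf.txt; sh audit.sh /tmp/smb.conf.txt`. Note that testparm prints only parameters that differ from the built-in defaults, which is why a value can vanish from the listing between versions without anyone editing smb.conf; `testparm -v` prints every parameter, defaults included, and is the listing to compare when two DCs are on different releases.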