yes nothing

# ps ax | grep '[n]mdb'
#

On Thu, 26 Sep 2019 at 17:27, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 26/09/2019 15:47, banda bassotti wrote:
> > No, cut&paste!
> >
> > ucs# samba -V
> > Version 4.10.1-Univention
> >
> > fs# samba -V
> > Version 4.10.8-Debian
> >
> I guess Univention didn't get the memo about not using a DC as a
> fileserver ;-)
>
> can you run this in a terminal on the UCS DC:
>
> ps ax | grep '[n]mdb'
>
> It shouldn't return anything.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 26/09/2019 17:51, banda bassotti wrote:
> yes nothing
>
> # ps ax | grep '[n]mdb'
> #

Hmm, I expected you to get a result.

So, why are there these lines in the DC smb.conf:

    server services = -dns -smb +s3fs -nbt

    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1

It looks to me (and I could be wrong) that they are turning off the
'nbt' portion of the 'samba' daemon and trying to run 'nmdb' instead,
this is not allowed.

Another thing that amused me was that they seem to have gone to all the
trouble of creating certificates (why else put them in smb.conf) and
then they turn off ldaps with 'ldap server require strong auth = no'

They also seem to add numerous default lines and lines that I would
never add, for instance:

    idmap config * : range = 300000-400000

That will do nothing on a DC.

Are you sure that you haven't added anything to the DC smb.conf?

I am loath to tell you to remove any lines, because something in UCS
may depend on them (it shouldn't) and it may actually just put them back.

There is nothing intrinsically wrong with your smb.conf on the 'member
server', I think you just need to add a cifs SPN to the computers object
in AD, something like this, run on the DC:

    samba-tool spn add cifs/fs1 fs1$

This should add the SPN to the computer, you will need to create a
keytab and copy it to fs1 and merge it with any existing keytab.

You will also need to make whatever is mounting whatever you are
mounting aware of the new SPN.

Rowland

Hi,

adding the lines below

    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/fs.keytab

and the SPN for the old machine, authentication works correctly.

Thanks for the support.

On Thu, 26 Sep 2019 at 20:07, Rowland penny via samba <samba at lists.samba.org> wrote:

> On 26/09/2019 17:51, banda bassotti wrote:
> > yes nothing
> >
> > # ps ax | grep '[n]mdb'
> > #
>
> Hmm, I expected you to get a result.
>
> So, why are there these lines in the DC smb.conf:
>
>     server services = -dns -smb +s3fs -nbt
>
>     server role check:inhibit = yes
>     # use nmbd; to disable set samba4/service/nmb to s4
>     nmbd_proxy_logon:cldap_server=127.0.0.1
>
> It looks to me (and I could be wrong) that they are turning off the
> 'nbt' portion of the 'samba' daemon and trying to run 'nmdb' instead,
> this is not allowed.
>
> Another thing that amused me was that they seem to have gone to all the
> trouble of creating certificates (why else put them in smb.conf) and
> then they turn off ldaps with 'ldap server require strong auth = no'
>
> They also seem to add numerous default lines and lines that I would
> never add, for instance:
>
>     idmap config * : range = 300000-400000
>
> That will do nothing on a DC.
>
> Are you sure that you haven't added anything to the DC smb.conf?
>
> I am loath to tell you to remove any lines, because something in UCS
> may depend on them (it shouldn't) and it may actually just put them back.
>
> There is nothing intrinsically wrong with your smb.conf on the 'member
> server', I think you just need to add a cifs SPN to the computers object
> in AD, something like this, run on the DC:
>
>     samba-tool spn add cifs/fs1 fs1$
>
> This should add the SPN to the computer, you will need to create a
> keytab and copy it to fs1 and merge it with any existing keytab.
>
> You will also need to make whatever is mounting whatever you are
> mounting aware of the new SPN.
>
> Rowland
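
Added example, not part of the thread and not Samba or UCS code: a small Python check that parses smb.conf text and flags the settings discussed above (`ldap server require strong auth = no`, `-nbt` in `server services` on a DC, an `idmap config` range on a DC, and `kerberos method = dedicated keytab` with no keytab file). The function names, finding labels and sample text are assumptions made for this example.

```python
# Added example: audit smb.conf text for the settings raised in this thread.
# Function names and finding labels are hypothetical, not part of Samba or UCS.
# Constructed samples built from the lines quoted in the thread.
SAMPLE_DC = """\
server services = -dns -smb +s3fs -nbt
server role check:inhibit = yes
# use nmbd; to disable set samba4/service/nmb to s4
nmbd_proxy_logon:cldap_server=127.0.0.1
ldap server require strong auth = no
idmap config * : range = 300000-400000
"""
SAMPLE_MEMBER = """\
kerberos method = dedicated keytab
dedicated keytab file = /etc/samba/fs.keytab
"""
FALSE = {"no", "false", "0", "off"}  # spellings smb.conf accepts for "no"

def parse_global(text):
    """Return {name: value} for [global]; names lower-cased, whitespace collapsed."""
    params, section = {}, "global"  # assumption: headerless fragments count as [global]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()  # last one wins
    return params

def audit(text, is_dc):
    """Return finding labels; is_dc says whether the file belongs to an AD DC."""
    p, findings = parse_global(text), []
    # "no" lets the LDAP server accept simple and SASL binds on any transport.
    if p.get("ldap server require strong auth", "yes").lower() in FALSE:
        findings.append("ldap-weak-auth")
    # The thread's concern: the nbt service removed from the 'samba' daemon on a DC.
    if is_dc and "-nbt" in p.get("server services", "").split():
        findings.append("nbt-disabled-on-dc")
    # Per the thread, an idmap range does nothing on a DC.
    if is_dc and any(k.startswith("idmap config ") and k.endswith("range") for k in p):
        findings.append("idmap-range-on-dc")
    # A dedicated keytab method needs the keytab path set as well.
    if p.get("kerberos method", "").lower() == "dedicated keytab" \
            and not p.get("dedicated keytab file"):
        findings.append("keytab-file-missing")
    return findings
```

Calling `audit(open("/etc/samba/smb.conf").read(), is_dc=True)` on a DC returns the list of labels to review; an empty list means none of the four conditions matched.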