Greetings, Rowland Penny via samba!

> I would remove these from the DC smb.conf, they are either defaults, not
> required or flat out doing nothing on a DC:
>
> auto services = homes
> client ldap sasl wrapping = sign
> tls enabled = Yes

Without "tls enabled" ldaps:// access does not work.

> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind use default domain = Yes
> idmap config darkdragon : unix_nss_info = yes
> idmap config darkdragon : unix_primary_group = yes
> idmap config darkdragon : range = 2048-131071
> idmap config darkdragon : schema_mode = rfc2307
> idmap config darkdragon : backend = ad
> idmap config * : range = 1024-2047
> idmap config * : schema_mode = rfc2307
> idmap config * : backend = tdb
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr

I agree that most of these are either defaults or irrelevant for a DC. I mostly keep them for self-reference.

> Andrey, sorry but words fail me about that Unix domain member smb.conf,
> it appears to be most of an NT4-style BDC grafted onto the smb.conf for
> an AD domain member. most (if not all) of the NT4-style parameters
> should be removed, they aren't really doing anything anyway, the DC
> isn't doing SMBv1 and they rely on it.

Here's a (hopefully) saner member config. Still not usable.

# Global parameters
[global]
    dos charset = CP866
    workgroup = DARKDRAGON
    realm = ADS.DARKDRAGON.LAN
    interfaces = lo eth0
    security = ADS
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    log level = 1
    client ldap sasl wrapping = sign
    printcap name = /dev/null
    preload = homes
    auto services = homes
    panic action = /usr/share/samba/panic-action %d
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = Yes
    idmap config darkdragon : range = 2048-131071
    idmap config darkdragon : schema_mode = rfc2307
    idmap config darkdragon : backend = ad
    idmap config * : range = 1024-2047
    idmap config * : backend = tdb
    map acl inherit = Yes
    store dos attributes = Yes
    vfs objects = acl_xattr

[homes]
    comment = Home Directory
    path = /home/%S
    valid users = %S
    read only = No
    browseable = No
    csc policy = disable
    follow symlinks = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    csc policy = disable

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

[wwwroot]
    path = /home
    read only = No
    mangled names = No
    csc policy = disable
    follow symlinks = No

What about the errors I see on the DC? Can we first try to fix these? Internet results only say that "cleaning up the DB helps" without much of any useful info.

--
With best regards,
Andrey Repin
Tuesday, November 7, 2023 21:43:48

Sorry for my terrible English...
On Tue, 7 Nov 2023 21:52:56 +0300
Andrey Repin via samba <samba at lists.samba.org> wrote:

> Greetings, Rowland Penny via samba!
>
> > I would remove these from the DC smb.conf, they are either defaults,
> > not required or flat out doing nothing on a DC:
> >
> > auto services = homes
> > client ldap sasl wrapping = sign
> > tls enabled = Yes
>
> Without "tls enabled" ldaps:// access does not work.

Then you have a problem elsewhere, 'tls enabled = yes' has been the default since it was introduced at Samba 4.0.0

> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind nss info = rfc2307
> > winbind use default domain = Yes
> > idmap config darkdragon : unix_nss_info = yes
> > idmap config darkdragon : unix_primary_group = yes
> > idmap config darkdragon : range = 2048-131071
> > idmap config darkdragon : schema_mode = rfc2307
> > idmap config darkdragon : backend = ad
> > idmap config * : range = 1024-2047
> > idmap config * : schema_mode = rfc2307
> > idmap config * : backend = tdb
> > store dos attributes = Yes
> > vfs objects = dfs_samba4 acl_xattr
>
> I agree that most of these are either defaults or irrelevant for a DC. I
> mostly keep them for self-reference.

Then I suggest you just comment them out, you definitely shouldn't have the 'idmap config' lines in a DC smb.conf

> > Andrey, sorry but words fail me about that Unix domain member
> > smb.conf, it appears to be most of an NT4-style BDC grafted onto
> > the smb.conf for an AD domain member. most (if not all) of the
> > NT4-style parameters should be removed, they aren't really doing
> > anything anyway, the DC isn't doing SMBv1 and they rely on it.
>
> Here's a (hopefully) saner member config. Still not usable.
>
> # Global parameters
> [global]
>     dos charset = CP866
>     workgroup = DARKDRAGON
>     realm = ADS.DARKDRAGON.LAN
>     interfaces = lo eth0
>     security = ADS
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     log level = 1
>     client ldap sasl wrapping = sign
>     printcap name = /dev/null
>     preload = homes
>     auto services = homes
>     panic action = /usr/share/samba/panic-action %d
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = Yes
>     idmap config darkdragon : range = 2048-131071
>     idmap config darkdragon : schema_mode = rfc2307
>     idmap config darkdragon : backend = ad
>     idmap config * : range = 1024-2047
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     store dos attributes = Yes
>     vfs objects = acl_xattr
>
> [homes]
>     comment = Home Directory
>     path = /home/%S
>     valid users = %S
>     read only = No
>     browseable = No
>     csc policy = disable
>     follow symlinks = No
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = Yes
>     browseable = No
>     csc policy = disable
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
>
> [wwwroot]
>     path = /home
>     read only = No
>     mangled names = No
>     csc policy = disable
>     follow symlinks = No
>

That's better :-)

> What about the errors I see on the DC? Can we first try to fix these?
> Internet results only say that "cleaning up the DB helps" without
> much of any useful info.
>

Get rid of the extraneous parameters in your DC smb.conf and your problems may just go away.

Rowland
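The two complaints Rowland raises about the DC smb.conf (parameters that only restate a built-in default, and 'idmap config' lines that belong on a domain member but not on a DC) are mechanical enough to check with a script. The following is an added example written for this thread; it is not code from the Samba project or from either poster. It reads an smb.conf, normalises each "key = value" line, and reports lines that match a small default table or that are idmap config entries while 'server role' says the host is a DC. The default table holds only the one value the thread confirms ('tls enabled = yes', the default since 4.0.0); the 'server role' detection and the two constructed sample configs are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from Samba or from either poster:
# a small smb.conf lint for the two kinds of parameter Rowland objects to
# in a DC smb.conf. Default table and DC detection are assumptions.

# Constructed input: the DC [global] section from the thread, trimmed, with
# a 'server role' line added so the script can tell a DC from a member.
SAMPLE_DC_CONF='[global]
    workgroup = DARKDRAGON
    realm = ADS.DARKDRAGON.LAN
    server role = active directory domain controller
    auto services = homes
    client ldap sasl wrapping = sign
    tls enabled = Yes
    winbind enum users = Yes
    idmap config darkdragon : range = 2048-131071
    idmap config darkdragon : backend = ad
    idmap config * : backend = tdb
    vfs objects = dfs_samba4 acl_xattr'

# Constructed input: a member server, where the idmap config lines are
# required and must not be reported.
SAMPLE_MEMBER_CONF='[global]
    workgroup = DARKDRAGON
    realm = ADS.DARKDRAGON.LAN
    security = ADS
    idmap config darkdragon : range = 2048-131071
    idmap config darkdragon : backend = ad
    idmap config * : range = 1024-2047
    idmap config * : backend = tdb'

# Parameters whose value in the file equals the built-in default, written as
# normalised key=value. Only the one the thread confirms is listed ('tls
# enabled' has defaulted to yes since Samba 4.0.0); extend from testparm -v.
DEFAULTS='tls enabled=yes'

# Normalise stdin: lowercase, trim, collapse spaces, no blanks around '='.
norm_stream() {
    tr 'A-Z' 'a-z' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ *= */=/'
}

# lint_smbconf CONF_TEXT: print one finding per offending line, nothing if clean.
lint_smbconf() {
    conf=$1
    # Assumed DC test: the normalised 'server role' value.
    role=$(printf '%s\n' "$conf" | norm_stream | sed -n 's/^server role=//p')
    printf '%s\n' "$conf" | norm_stream | while IFS= read -r line; do
        case "$line" in
            ''|'#'*|';'*|'['*) continue ;;   # blank, comment or section header
        esac
        key=${line%%=*}
        if printf '%s\n' "$DEFAULTS" | grep -qxF -- "$line"; then
            printf 'already the default, drop it: %s\n' "$line"
        elif [ "$role" = "active directory domain controller" ]; then
            case "$key" in
                'idmap config'*)
                    printf 'idmap config belongs on a member, not a DC: %s\n' "$line" ;;
            esac
        fi
    done
}

lint_smbconf "$SAMPLE_DC_CONF"
```

On a real host the default table does not have to be maintained by hand: `testparm -s` prints only the parameters that differ from Samba's built-in defaults, while `testparm -v` prints every parameter, so a line present in the raw smb.conf but absent from `testparm -s` output is one that only restates a default and can be commented out.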