Before attempting to join domain members with my newly provisioned AD/DC, there
are some difference between this new smb.conf and the one from the current DC
running Samba 4.8.2. Please advise if I need any of these:
[global]
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind,
ntp_signd, kcc, dnsupdate
ntlm auth = yes
winbind use default domain = yes
template shell = /bin/bash
log level = 2 passdb:5 auth:10 winbind:2 lanman:10
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[Users]
path = /redirectedFolders/Users
comment = user folders for redirection
read only = No
[share]
path = /var/lib/samba/share
comment = Shared folder
read only = No
Note that the old/current DC was provisioned with BIND9_FLATFILE whereas the new
one uses Samba Internal DNS backend.
The old/current DC utilized redirected folders as a Windows Group Policy which
kept certain workstation folders (Desktop, Documents, Picutures, Favorites,
etc.)
on the DC, not on the Workstation. I expect to be able to do the same with the
new version Samba DC (4.18.8).
I don't know if passdb, auth, windbind, lanman logging works with the new
DC,
and maybe I don't need any of these unless there is a problem.
The 'load printers' bit was just to disable printing from the DC.
I don't know what [share] was used for and perhaps that is not needed.
My entire current samba-tool provision generated smb.conf is:
[global]
dns forwarder = 209.18.47.61
netbios name = DC1
realm = HPRS.LOCL
server role = active directory domain controller
workgroup = HPRS
idmap_ldb:use rfc2307 = yes
interfaces = lo, eth1
bind interfaces only = Yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/hprs.locl/scripts
read only = No
As mentioned, I plan on adding [Users]
Thought?
--Thanks Mark
On Sun, 03 Dec 2023 18:10:03 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:> Before attempting to join domain members with my newly provisioned > AD/DC, there are some difference between this new smb.conf and the > one from the current DC running Samba 4.8.2. Please advise if I need > any of these: > > [global] > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl,winbind, ntp_signd, kcc, dnsupdateAs you are now using the internal dns server, that 'server services' line is no longer required.> ntlm auth = yesAre you still using SMBv1 anywhere ? If not then you do not need that line either.> winbind use default domain = yesYou never needed that line on a Samba AD DC, mainly because it doesn't work on a Samba AD DC.> template shell = /bin/bash > log level = 2 passdb:5 auth:10 winbind:2 lanman:10What you get Samba to log is up to you, but I am fairly sure that you do not need 'lanman'> > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yesThose four lines stop printing from working on the machine via Samba, so, unless you need printing, I would add them.> > [Users] > path = /redirectedFolders/Users > comment = user folders for redirection > read only = No > > [share] > path = /var/lib/samba/share > comment = Shared folder > read only = NoYou really shouldn't use a DC as a fileserver, but if you are, then you are going to have to configure them.> > I don't know what [share] was used for and perhaps that is not needed. > > My entire current samba-tool provision generated smb.conf is: > > [global] > dns forwarder = 209.18.47.61 > netbios name = DC1 > realm = HPRS.LOCL > server role = active directory domain controller > workgroup = HPRS > idmap_ldb:use rfc2307 = yes > interfaces = lo, eth1 > bind interfaces only = Yes > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > [netlogon] > path = /var/lib/samba/sysvol/hprs.locl/scripts > read only = NoYou didn't show 'sysvol' and 'netlogon' as shares in your original smb.conf, but they are required on a Samba AD DC. Rowland