Before attempting to join domain members with my newly provisioned AD/DC, there are some differences between this new smb.conf and the one from the current DC running Samba 4.8.2. Please advise if I need any of these:

[global]
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate
        ntlm auth = yes
        winbind use default domain = yes
        template shell = /bin/bash
        log level = 2 passdb:5 auth:10 winbind:2 lanman:10

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[Users]
        path = /redirectedFolders/Users
        comment = user folders for redirection
        read only = No

[share]
        path = /var/lib/samba/share
        comment = Shared folder
        read only = No

Note that the old/current DC was provisioned with BIND9_FLATFILE whereas the new one uses Samba Internal DNS backend.

The old/current DC utilized redirected folders as a Windows Group Policy which kept certain workstation folders (Desktop, Documents, Pictures, Favorites, etc.) on the DC, not on the Workstation. I expect to be able to do the same with the new version Samba DC (4.18.8).

I don't know if passdb, auth, winbind, lanman logging works with the new DC, and maybe I don't need any of these unless there is a problem.

The 'load printers' bit was just to disable printing from the DC.

I don't know what [share] was used for and perhaps that is not needed.

My entire current samba-tool provision generated smb.conf is:

[global]
        dns forwarder = 209.18.47.61
        netbios name = DC1
        realm = HPRS.LOCL
        server role = active directory domain controller
        workgroup = HPRS
        idmap_ldb:use rfc2307 = yes
        interfaces = lo, eth1
        bind interfaces only = Yes

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/hprs.locl/scripts
        read only = No

As mentioned, I plan on adding [Users]

Thoughts?

--Thanks
Mark

On Sun, 03 Dec 2023 18:10:03 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> Before attempting to join domain members with my newly provisioned
> AD/DC, there are some differences between this new smb.conf and the
> one from the current DC running Samba 4.8.2. Please advise if I need
> any of these:
>
> [global]
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl,winbind, ntp_signd, kcc, dnsupdate

As you are now using the internal dns server, that 'server services' line is no longer required.

> ntlm auth = yes

Are you still using SMBv1 anywhere? If not then you do not need that line either.

> winbind use default domain = yes

You never needed that line on a Samba AD DC, mainly because it doesn't work on a Samba AD DC.

> template shell = /bin/bash
> log level = 2 passdb:5 auth:10 winbind:2 lanman:10

What you get Samba to log is up to you, but I am fairly sure that you do not need 'lanman'.

>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes

Those four lines stop printing from working on the machine via Samba, so, unless you need printing, I would add them.

>
> [Users]
> path = /redirectedFolders/Users
> comment = user folders for redirection
> read only = No
>
> [share]
> path = /var/lib/samba/share
> comment = Shared folder
> read only = No

You really shouldn't use a DC as a fileserver, but if you are, then you are going to have to configure them.

>
> I don't know what [share] was used for and perhaps that is not needed.
>
> My entire current samba-tool provision generated smb.conf is:
>
> [global]
> dns forwarder = 209.18.47.61
> netbios name = DC1
> realm = HPRS.LOCL
> server role = active directory domain controller
> workgroup = HPRS
> idmap_ldb:use rfc2307 = yes
> interfaces = lo, eth1
> bind interfaces only = Yes
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/hprs.locl/scripts
> read only = No

You didn't show 'sysvol' and 'netlogon' as shares in your original smb.conf, but they are required on a Samba AD DC.

Rowland
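
An added example, not part of either message: a small Python check that parses an smb.conf and lists the settings the reply above comments on, so a carried-over file can be reviewed before members are joined. The sample file is constructed from values in the thread, `parse_smb_conf` and `review_dc_conf` are hypothetical names, and the notes restate the reply rather than the Samba documentation.

```python
import re

# Constructed sample: the old DC's extra lines merged into a generated smb.conf.
SAMPLE = """\
[global]
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    ntlm auth = yes
    winbind use default domain = yes
    log level = 2 passdb:5 auth:10 winbind:2 lanman:10
[sysvol]
    path = /var/lib/samba/sysvol
[netlogon]
    path = /var/lib/samba/sysvol/hprs.locl/scripts
[Users]
    path = /redirectedFolders/Users
"""

# Remarks from the reply, keyed by [global] parameter name.
GLOBAL_NOTES = {
    "server services": "not required with the internal DNS server",
    "ntlm auth": "not needed unless SMBv1 is still in use",
    "winbind use default domain": "does not work on a Samba AD DC",
}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, backslash continuations joined."""
    conf, section = {}, None
    for line in map(str.strip, re.sub(r"\\\r?\n", "", text).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = line.split("=", 1)
            section[" ".join(key.lower().split())] = value.strip()
    return conf

def review_dc_conf(conf):
    """Return (item, note) pairs for the settings the reply comments on."""
    glob = conf.get("global", {})
    found = [(key, note) for key, note in GLOBAL_NOTES.items() if key in glob]
    if re.search(r"\blanman\b", glob.get("log level", "")):
        found.append(("log level", "'lanman' class is probably not needed"))
    found += [(s, "share is required on a Samba AD DC")
              for s in ("sysvol", "netlogon") if s not in conf]
    found += [(s, "file share on a DC, which the reply advises against")
              for s in sorted(set(conf) - {"global", "sysvol", "netlogon"})]
    return found

if __name__ == "__main__":
    for item, note in review_dc_conf(parse_smb_conf(SAMPLE)):
        print(f"{item}: {note}")
```
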