On Tue Dec 5 05:18:37 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 03 Dec 2023 18:10:03 -0500
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > Before attempting to join domain members with my newly provisioned
> > AD/DC, there are some difference between this new smb.conf and the
> > one from the current DC running Samba 4.8.2. Please advise if I need
> > any of these:
> >
> > [global]
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> > drepl,winbind, ntp_signd, kcc, dnsupdate
>
> As you are now using the internal dns server, that 'server services'
> line is no longer required.
>
> > ntlm auth = yes
>
> Are you still using SMBv1 anywhere ?
> If not then you do not need that line either.
>
> > winbind use default domain = yes
>
> You never needed that line on a Samba AD DC, mainly because it doesn't
> work on a Samba AD DC.
>
> > template shell = /bin/bash
> > log level = 2 passdb:5 auth:10 winbind:2 lanman:10
>
> What you get Samba to log is up to you, but I am fairly sure that you
> do not need 'lanman'
>
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
>
> Those four lines stop printing from working on the machine via Samba,
> so, unless you need printing, I would add them.
>
> >
> > [Users]
> > path = /redirectedFolders/Users
> > comment = user folders for redirection
> > read only = No
> >
> > [share]
> > path = /var/lib/samba/share
> > comment = Shared folder
> > read only = No
>
> You really shouldn't use a DC as a fileserver, but if you are, then you
> are going to have to configure them.
>
> >
> > I don't know what [share] was used for and perhaps that is not needed.
> >
> > My entire current samba-tool provision generated smb.conf is:
> >
> > [global]
> > dns forwarder = 209.18.47.61
> > netbios name = DC1
> > realm = HPRS.LOCL
> > server role = active directory domain controller
> > workgroup = HPRS
> > idmap_ldb:use rfc2307 = yes
> > interfaces = lo, eth1
> > bind interfaces only = Yes
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/hprs.locl/scripts
> > read only = No
>
> You didn't show 'sysvol' and 'netlogon' as shares in your original
> smb.conf, but they are required on a Samba AD DC.
>
> Rowland
OK! I think you've answered my questions. No, I didn't include 'sysvol' or
'netlogon' in my posting of the old/current DC's smb.conf. I only included
those directives that were in the old DC, but not in the new one. They are
there in the old DC.

'Redirected Folders' is useful, especially if a Windows workstation has a
drive crash, so I'll experiment with that.

I'll leave out the 'ntlm auth' for now unless it proves needful for some
reason, in which case I'll first try 'ntlm auth = ntlmv2-only'.

Thanks! --Mark
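The checks Rowland walks through above (a leftover 'server services' line, 'ntlm auth = yes', 'winbind use default domain' on a DC, the 'lanman' debug class, missing [sysvol]/[netlogon], extra file shares on a DC) can be run mechanically against an smb.conf before joining members. The script below is an added example written for this post, not code from the Samba project or from either poster; the embedded smb.conf is a constructed sample modelled on the one in the thread, with hostnames and paths changed, and the parser is a deliberately simple INI reader rather than a replacement for Samba's own `testparm`.

```python
import re
from typing import Dict, List

# Constructed sample smb.conf, modelled on the old-DC settings quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        ntlm auth = yes
        winbind use default domain = yes
        server role = active directory domain controller
        netbios name = DC1
        realm = EXAMPLE.LOCL
        workgroup = EXAMPLE
        log level = 2 passdb:5 auth:10 winbind:2 lanman:10

[Users]
        path = /srv/redirectedFolders/Users
        read only = No
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf-style text into {section: {parameter: value}}.

    Section and parameter names are lower-cased because Samba treats them
    case-insensitively. Comments (# or ;) and blank lines are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_dc_conf(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the findings discussed in the thread for an AD DC smb.conf."""
    findings: List[str] = []
    g = conf.get("global", {})
    if g.get("server role", "").lower() != "active directory domain controller":
        return ["server role is not 'active directory domain controller'; DC checks skipped"]

    if "server services" in g:
        findings.append("'server services' is set; not required on a DC using the internal DNS server")

    # 'yes' is Samba's alias for 'ntlmv1-permitted'; only SMBv1 clients need it.
    if g.get("ntlm auth", "").lower() in ("yes", "ntlmv1-permitted"):
        findings.append("'ntlm auth' permits NTLMv1; drop it or use 'ntlm auth = ntlmv2-only'")

    if "winbind use default domain" in g:
        findings.append("'winbind use default domain' has no effect on a Samba AD DC")

    if "lanman:" in g.get("log level", ""):
        findings.append("'log level' includes the 'lanman' debug class, probably unneeded")

    for share in ("sysvol", "netlogon"):
        if share not in conf:
            findings.append(f"required share [{share}] is missing")

    extra = [s for s in conf if s not in ("global", "sysvol", "netlogon")]
    if extra:
        findings.append("DC is also acting as a file server for: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for finding in lint_dc_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Running it against the sample reports all seven points raised in the thread; a provision-generated smb.conf that keeps only [global], [sysvol] and [netlogon] produces no findings.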