On Thu, 3 Oct 2024 15:21:07 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> From the above, it sounds like you are joining Samba as a Unix domain
> member (security = ads)
>
Yes absolutely.
>
> If this is a Unix domain member, then the schema is only used on the
> Windows DC, the Samba Unix domain member never sees it directly.
>
> This sounds like a SMBv1 problem (partially at least), where, because
> NetBIOS isn't being used, Network Browsing no longer works, but
> smbclient connecting to a share should.
>
"smbclient" on Linux connects to the share just fine using domain user
credentials. Only domain members can't...
> While Samba 4.13.13 is old (and you really should update to a much
> newer version), it should work as a Unix domain member.
>
> If it is a Unix domain member, please can you post the output of
> 'testparm -s', if it isn't, can you please explain in a bit more
> detail just how you have set up Samba.
I don't have access to the machine right now but the config is
straightforward:
/etc/samba/smb.conf
[global]
workgroup = example
security = ADS
realm = EXAMPLE.LAN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Data %h
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
template shell = /bin/bash
template homedir = /home/EXAMPLE/%U
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
That's a generic configuration I've been using on different domains,
but never with an AD running higher than WS2016 I guess.
--
------------------------------------------------------------------------
Emmanuel Florac | Direction technique
------------------------------------------------------------------------
https://intellique.com
+33 6 16 30 15 95
------------------------------------------------------------------------