>
> First, can you please keep this onlist.
>
> On Thu, 28 Dec 2017 20:36:19 -0500
> Matt Savin <[hidden email]> wrote:
>
> > Rowland,
> >
> > Thank you for your reply. Below is a global part of the smb.conf file:
> >
> > [global]
> > workgroup = DOMAINNAME
> > security = ads
> > realm = DOMAINNAME.LOCAL
> > kerberos method = secrets and keytab
> > kerberos encryption types = all
> > dedicated keytab file = /etc/krb5.keytab
> >
> > nt pipe support = no
> >
> > netbios name = HOSTNAME
> > disable netbios = yes
> > local master = no
> > smb ports = 445
> > dns proxy = no
> >
> > encrypt passwords = yes
> > ldap server require strong auth = no
> > client ldap sasl wrapping = plain
> >
> > idmap config * : range = 16777216-33554431
> > idmap config *:backend = tdb
> > idmap config *:range = 70001-80000
> > idmap config DOMAINNAME:backend = ad
> > idmap config DOMAINNAME:schema_mode = rfc2307
> > idmap config DOMAINNAME:range = 80001-3100000
> > idmap config DOMAINNAME:unix_primary_group = yes
> > idmap config DOMAINNAME:unix_nss_info = yes
> >
> > winbind refresh tickets = Yes
> > winbind use default domain = true
> > winbind trusted domains only = no
> > winbind offline logon = false
> > winbind nss info = rfc2307
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind expand groups = 1
> > allow trusted domains = no
> >
> > inherit permissions = yes
> > acl allow execute always = yes
> > follow symlinks = yes
> > wide links = yes
> > unix extensions = no
> > hide dot files = no
> > map archive = no
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > log level = 3
> >
> > Please let me know if you have any questions.
> >
> > Thank you,
> > Matt
> >
> >
>
> You might as well remove these, they are either default
> settings, duplicates or plain shouldn't be there.
>
> encrypt passwords = yes
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
> idmap config * : range = 16777216-33554431
> winbind trusted domains only = no
> winbind offline logon = false
> winbind nss info = rfc2307
> winbind enum users = yes
> winbind enum groups = yes
> follow symlinks = yes
>
>
> These, whilst valid, should really be in shares.
>
> inherit permissions = yes
> acl allow execute always = yes
> wide links = yes
> hide dot files = no
> map archive = no
>
> Other than that, there doesn't seem to be anything else wrong, as long
> as you have given your users a uidNumber containing a unique id inside
> the 80001-3100000 range, you have also given them a gidNumber attribute
> containing a number inside the same range. This gidNumber must be the
> gidNumber of a group and this group will be used as the user's primary
> group instead of Domain Users.
>
> If everything is correct, then you need to search AD for the two names
> and see what you get.
>
> Rowland
>
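A check for the two points raised in the reply quoted above (the duplicated `idmap config *` range, and uidNumber/gidNumber values falling inside 80001-3100000), as an added example that is not part of the original thread. It assumes that spaces around the colon do not change the parameter name and that the later definition is the effective one; the users and the group are constructed sample data.

```python
import re

# Constructed input: the idmap lines from the [global] section quoted above.
SMB_CONF = """[global]
idmap config * : range = 16777216-33554431
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:schema_mode = rfc2307
idmap config DOMAINNAME:range = 80001-3100000
"""
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return ({domain: {option: value}}, duplicates), ignoring spaces around ':'."""
    domains, duplicates = {}, []
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        opts = domains.setdefault(dom, {})
        if opt in opts:
            duplicates.append((dom, opt, opts[opt], val))
        opts[opt] = val  # assumption: the later definition is the effective one
    return domains, duplicates

def id_range(domains, domain):
    low, high = domains[domain]["range"].split("-")
    return int(low), int(high)

def ranges_overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]

def check_user(user, domains, group_gids, domain="DOMAINNAME"):
    """List problems with a user's uidNumber/gidNumber for the 'ad' backend."""
    low, high = id_range(domains, domain)
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        value = user.get(attr)
        if value is None:
            problems.append(f"{attr} missing")
        elif not low <= value <= high:
            problems.append(f"{attr} {value} outside {low}-{high}")
    gid = user.get("gidNumber")
    if gid is not None and gid not in group_gids:
        problems.append(f"gidNumber {gid} is not the gidNumber of any group")
    return problems

# Constructed directory data (hypothetical users and one group with gidNumber 80001).
GROUP_GIDS = {80001}
USERS = [{"name": "alice", "uidNumber": 80010, "gidNumber": 80001},
         {"name": "bob", "uidNumber": 10001, "gidNumber": 80001},
         {"name": "carol", "uidNumber": 80012}]
```

Running `parse_idmap(SMB_CONF)` reports the conflicting `*` range definitions, and `check_user` flags the constructed users whose IDs winbind's `ad` backend would not map.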