
smb-ad.conf

Gilles Grandgérard, 09/09/2016 15:36


 
# Global parameters
# Samba configuration template. Lines that begin with a percent sign and
# tokens written with a doubled percent sign look like template directives
# and variables that are resolved when the final file is generated; confirm
# against the templating tool that renders this file.
[global]
  # Kerberos realm, NetBIOS domain name and NetBIOS host name, each taken
  # from a template variable and upper-cased.
  realm = %%ad_realm.upper()
  workgroup = %%ad_domain.upper()
  netbios name = %%nom_machine.upper()

  # disable netbios legacy protocol, only port 445 !
  # NOTE(review): only the SMB listener is limited to TCP 445 by the active
  # setting below. "disable netbios" is still commented out, so this file by
  # itself does not switch NetBIOS off; confirm which of the two is intended.
  #disable netbios = yes
  smb ports = 445

  # Keep Windows ACLs (acl_xattr), ACL inheritance flags and DOS attributes
  # on the server side. These settings rely on extended-attribute support in
  # the filesystem that holds the shares (assumption to verify on the host).
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

%if %%ad_server_role == 'controleur de domaine'
  # Branch rendered when the role variable selects a domain controller; the
  # settings up to the next section header still belong to [global].
  server role = active directory domain controller
  # The four commented lines below are disabled overrides (service list,
  # DCE/RPC endpoint list, DNS update policy). While they stay commented,
  # Samba's defaults for this server role apply.
  #server services = +smb
#  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
#  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
#  allow dns updates = signed
  # Forwarder for DNS queries the DC cannot answer itself: first entry of
  # the adresse_ip_dns template list.
  dns forwarder = %%adresse_ip_dns[0]
  # Let the DC use RFC 2307 attributes stored in the directory for ID mapping.
  idmap_ldb:use rfc2307 = yes
  # Character placed between domain and account name (DOMAIN/user).
  winbind separator = /

  # enable TLS (for LDAPS and password updates) !
  # NOTE(review): key.pem is the private key of this DC. Keep it owned by
  # root and not readable by anyone else; Samba is expected to reject a key
  # file with wider permissions (verify on the target version). No minimum
  # protocol version or cipher policy is set in this file, so the default of
  # the "tls priority" parameter applies; check it against your baseline.
  tls enabled = yes
  tls keyfile = /var/lib/samba/private/tls/key.pem
  tls certfile = /var/lib/samba/private/tls/cert.pem
  tls cafile = /var/lib/samba/private/tls/ca.pem

[netlogon]
  # Logon-script share of the domain controller branch; the path is the
  # scripts directory under the sysvol tree of the realm.
  comment = Network Logon Service
  path = /var/lib/samba/sysvol/%%ad_realm/scripts
  read only = No
  # NOTE(review): "guest ok = yes" allows connections to this share without
  # a password. The share is also writable at share level, so what a guest
  # can change depends only on the guest-account mapping and on the ACLs
  # under the path. Scripts stored here are run by domain clients at logon,
  # which makes unauthenticated access a risk worth justifying. The smb.conf
  # produced by Samba's own domain provisioning is believed to omit this
  # setting; confirm whether guest access is really required.
  guest ok = yes

[sysvol]
  # Share that exposes the sysvol tree (group policies and scripts) in the
  # domain controller branch.
  comment = Sysvol Service
  path = /var/lib/samba/sysvol
  read only = No
  # NOTE(review): "guest ok = yes" lets clients connect without a password,
  # so group policy files and scripts become readable by unauthenticated
  # users, and with "read only = No" any write protection rests entirely on
  # the ACLs under the path. Domain members normally reach this share with
  # their own credentials; confirm that guest access is needed, and audit
  # the ACLs of the tree if it stays enabled.
  guest ok = yes

[profiles]
  # Writable share for user profiles in the domain controller branch.
  # "guest ok" is not set here, so the Samba default (no guest access)
  # applies. Separation between users is not configured in this file; it
  # presumably relies on the permissions of the directories under the path
  # (to verify on the host).
  comment = Profiles
  path = /var/lib/samba/profiles
  read only = No

%elif %%ad_server_role == 'membre'
  # Branch rendered when the role variable selects a domain member. The
  # domain controller branch is skipped in that case, so these settings
  # follow directly after the common [global] parameters.
  # no server role !
  security = ADS
  # Disabled keytab settings, kept for reference.
  #dedicated keytab file = /etc/krb5.keytab
  #kerberos method = secrets and keytab
  # NOTE(review): "server services" is normally documented for the domain
  # controller role; confirm it has any effect on a member server.
  server services = +smb

  # ID mapping: the default domain uses the tdb backend with IDs 2000-9999,
  # the joined domain uses the ad backend with RFC 2307 attributes and IDs
  # 10000-99999. The two ranges do not overlap. Accounts whose directory
  # IDs fall outside the second range are presumably left unmapped; verify.
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config %%ad_domain.upper():backend = ad
  idmap config %%ad_domain.upper():schema_mode = rfc2307
  idmap config %%ad_domain.upper():range = 10000-99999

  # Winbind behaviour on the member server.
  # NOTE(review): with "use default domain" enabled, domain accounts appear
  # without a domain prefix, so a domain account can share its name with a
  # local account; check how name collisions are resolved on the host.
  # Enumerating users and groups can be slow on large domains.
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

%end if

%if %%activer_ad_share == 'oui'
[home]
  # Home share rooted at the path given by the ad_home_share_path template
  # variable. The section is named "home", not the special "homes" section,
  # so it is an ordinary share. "readonly" is the "read only" parameter:
  # Samba ignores whitespace inside parameter names.
  # NOTE(review): every user connects to the same root path here, so
  # separation between users depends on the permissions below that path.
  path = %%ad_home_share_path
  readonly = No
%else
# the home share is mandatory on a DC for the 'admin' account !
[home]
  # Fallback: per-user directory under /home, selected through the Samba
  # substitution variable for the session user name. Writable at share
  # level; access then depends on the permissions of each directory.
  path = /home/%u
  readonly = No
%end if