# smb.conf template: %%name substitutions and the %if / %elif / %else / %end if
# directives are expanded by the templating layer before Samba reads the result.
# Samba's own single-% substitutions (e.g. %u) are left untouched for Samba.
# Global parameters
[global]
# Kerberos realm, NT domain and host name, upper-cased (Kerberos realms are
# conventionally upper case)
realm = %%ad_realm.upper()
workgroup = %%ad_domain.upper()
netbios name = %%nom_machine.upper()
# disable the NetBIOS legacy protocol, expose only port 445
# (the 'smb ports = 445' line below already restricts the listening port)
#disable netbios = yes
smb ports = 445
# keep NT ACLs in extended attributes and preserve DOS attributes so
# Windows-style permissions survive on the filesystem
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
%if %%ad_server_role == 'controleur de domaine'
# --- Active Directory domain controller ---
server role = active directory domain controller
# commented-out alternative service lists, kept for reference only
#server services = +smb
# server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
# dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
# allow dns updates = signed
# upstream resolver for names outside the AD zone: first configured DNS address
dns forwarder = %%adresse_ip_dns[0]
# take uid/gid from the RFC2307 attributes stored in AD
idmap_ldb:use rfc2307 = yes
# separator between domain and user in DOMAIN/user names
winbind separator = /
# enable TLS (needed for LDAPS and for password changes)
# NOTE(review): key.pem is the DC's private TLS key; confirm the file is
# readable by root only
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
# logon scripts fetched by domain clients at logon
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/sysvol/%%ad_realm/scripts
read only = No
# NOTE(review): 'guest ok = yes' on a writable share of logon scripts grants
# unauthenticated access; Samba's DC provisioning normally leaves this unset —
# confirm it is intended
guest ok = yes
# group policy objects and scripts replicated between DCs
[sysvol]
comment = Sysvol Service
path = /var/lib/samba/sysvol
read only = No
# NOTE(review): same concern as [netlogon] — guest access to a writable sysvol
guest ok = yes
# roaming profiles
[profiles]
comment = Profiles
path = /var/lib/samba/profiles
read only = No
%elif %%ad_server_role == 'membre'
# --- domain member server: no 'server role' directive here ---
security = ADS
# keytab handling left at Samba defaults (alternatives kept for reference)
#dedicated keytab file = /etc/krb5.keytab
#kerberos method = secrets and keytab
server services = +smb
# idmap ranges must not overlap: the '*' (tdb) range holds local/BUILTIN ids,
# the domain range maps users/groups from the RFC2307 attributes in AD
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config %%ad_domain.upper():backend = ad
idmap config %%ad_domain.upper():schema_mode = rfc2307
idmap config %%ad_domain.upper():range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
# users are addressed without the DOMAIN prefix
winbind use default domain = yes
# full user/group enumeration (getent passwd/group); can be slow on large domains
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
%end if
# home share: path taken from configuration when the AD share is enabled,
# otherwise the local home directory of the connected user
%if %%activer_ad_share == 'oui'
[home]
path = %%ad_home_share_path
# Samba matches parameter names ignoring case and whitespace, so this is 'read only'
readonly = No
%else
# the home share is mandatory on a DC for the 'admin' account
[home]
# %u is Samba's substitution for the session user name (single %, not a template variable)
path = /home/%u
# Samba matches parameter names ignoring case and whitespace, so this is 'read only'
readonly = No
%end if