mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
6e6fad4b76
As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos operations. This is the role that IPA domain controller was using for its hybrid NT4/AD-like operation. Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in Samba. Switch to this role for new installations and during the upgrade of servers running ADTRUST role. Fixes: https://pagure.io/freeipa/issue/9031 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
37 lines
1.0 KiB
Plaintext
37 lines
1.0 KiB
Plaintext
[global]
|
|
workgroup = $NETBIOS_NAME
|
|
netbios name = $HOST_NETBIOS_NAME
|
|
realm = $REALM
|
|
kerberos method = dedicated keytab
|
|
dedicated keytab file = /etc/samba/samba.keytab
|
|
create krb5 conf = no
|
|
server role = $SERVER_ROLE
|
|
security = user
|
|
domain master = yes
|
|
domain logons = yes
|
|
log level = 1
|
|
max log size = 100000
|
|
log file = /var/log/samba/log.%m
|
|
passdb backend = ipasam:ldapi://$LDAPI_SOCKET
|
|
disable spoolss = yes
|
|
ldapsam:trusted=yes
|
|
ldap ssl = off
|
|
ldap suffix = $SUFFIX
|
|
ldap user suffix = cn=users,cn=accounts
|
|
ldap group suffix = cn=groups,cn=accounts
|
|
ldap machine suffix = cn=computers,cn=accounts
|
|
rpc_server:epmapper = external
|
|
rpc_server:lsarpc = external
|
|
rpc_server:lsass = external
|
|
rpc_server:lsasd = external
|
|
rpc_server:samr = external
|
|
rpc_server:netlogon = external
|
|
rpc_server:tcpip = yes
|
|
rpc_daemon:epmd = fork
|
|
rpc_daemon:lsasd = fork
|
|
idmap config * : backend = tdb
|
|
idmap config * : range = 0 - 0
|
|
idmap config $NETBIOS_NAME : backend = sss
|
|
idmap config $NETBIOS_NAME : range = $IPA_LOCAL_RANGE
|
|
max smbd processes = 1000
|