Jeoxs

samba, sssd, kerberos and nsswitch conf files

Jun 1st, 2016
  1. ##################################################### SAMBA .CONF FILE ##################################################
  2. #
  3. # Sample configuration file for the Samba suite for Debian GNU/Linux.
  4. #
  5. #
  6. # This is the main Samba configuration file. You should read the
  7. # smb.conf(5) manual page in order to understand the options listed
  8. # here. Samba has a huge number of configurable options most of which
  9. # are not shown in this example
  10. #
  11. # Some options that are often worth tuning have been included as
  12. # commented-out examples in this file.
  13. # - When such options are commented with ";", the proposed setting
  14. # differs from the default Samba behaviour
  15. # - When commented with "#", the proposed setting is the default
  16. # behaviour of Samba but the option is considered important
  17. # enough to be mentioned here
  18. #
  19. # NOTE: Whenever you modify this file you should run the command
  20. # "testparm" to check that you have not made any basic syntactic
  21. # errors.
  22.  
  23. #======================= Global Settings =======================
  24.  
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of

workgroup = DOMAIN
# NOTE(review): 'singing' is a typo for 'client signing'. The line is
# commented out anyway, so the build default applies. Mandatory SMB signing
# ('client signing' and 'server signing' = mandatory) is what defends against
# SMB relay and in-path tampering -- check the defaults of the Samba version
# in use before relying on them.
#client singing = yes
# Negotiate Kerberos/NTLM through SPNEGO; needed for 'security = ads'.
client use spnego = yes
# Machine credentials come from secrets.tdb, with the system keytab as the
# fallback (the keytab path is 'default_keytab_name' in krb5.conf).
kerberos method = secrets and keytab
# NOTE(review): the realm is spelled 'DOMAIN.local' here but 'DOMAIN.LOCAL'
# in sssd.conf and krb5.conf. Kerberos realm names are case-sensitive; Samba
# may upper-case this value internally, but keep all three files on the same
# spelling (DOMAIN.LOCAL) to rule out realm-mismatch failures.
realm = DOMAIN.local
# Active Directory member: users are authenticated by the domain KDC.
# NOTE(review): 'server role = standalone server' is also set under
# Authentication below. Samba derives the role from 'security', and the two
# values conflict -- run testparm and keep only one of them.
security = ads
# Booleans in this section mix 'Yes' and 'true'; Samba accepts both, but one
# spelling per file is easier to audit.
winbind use default domain = Yes
winbind offline logon = true
# Enumeration (getent listing the whole domain) is expensive on large
# domains; leave it off unless something actually needs full listings.
winbind enum users = Yes
winbind enum groups = Yes
# Home directory and shell handed to domain users: /home/<domain>/<user>.
# NOTE(review): 'template shell' is set again under Misc; last value wins.
template homedir = /home/%D/%U
template shell = /bin/bash

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd from searching for NetBIOS names through DNS.
dns proxy = no
  57.  
  58. #### Networking ####
  59.  
  60. # The specific set of interfaces / networks to bind to
  61. # This can be either the interface name or an IP address/netmask;
  62. # interface names are normally preferred
  63. ; interfaces = 127.0.0.0/8 eth0
  64.  
  65. # Only bind to the named interfaces and/or networks; you must use the
  66. # 'interfaces' option above to use this.
  67. # It is recommended that you enable this feature if your Samba machine is
  68. # not protected by a firewall or is a firewall itself. However, this
  69. # option cannot handle dynamic or non-broadcast interfaces correctly.
  70. ; bind interfaces only = yes
  71.  
  72.  
  73.  
#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
# These per-client logs record usernames and client addresses; keep
# /var/log/samba readable by root only.
log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
# NOTE(review): at level 0 authentication failures never leave this host
# via syslog; if the log files are not shipped elsewhere, failed-logon
# detection has to read /var/log/samba directly.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
  94.  
  95.  
####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
# NOTE(review): this conflicts with 'security = ads' set above, which
# implies a domain member. Samba derives one setting from the other;
# remove this line (or set 'member server') and confirm with testparm.
server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
# With 'security = ads' this local database only holds the machine
# account and any purely local Samba users.
passdb backend = tdbsam

# Honour PAM account/session restrictions (e.g. pam_access) for SMB logons.
obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
# NOTE(review): password changes for domain accounts happen on the DC, so
# the sync settings below only matter for local passdb users -- presumably
# inherited from the Debian default file; confirm they are still wanted.
unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
# NOTE(review): 'map untrusted to domain' is reported as deprecated in
# newer Samba releases; testparm will warn if so.
map untrusted to domain = Yes
# NOTE(review): 'bad user' turns any logon with an unknown username into a
# guest session. Together with 'usershare allow guests = yes' (Misc section)
# that is anonymous access to every guest-ok share. For a domain member
# 'map to guest = Never' is the hardened value unless guest shares are
# deliberately offered.
map to guest = bad user
  135.  
  136. ########## Domains ###########
  137.  
  138. #
  139. # The following settings only takes effect if 'server role = primary
  140. # classic domain controller', 'server role = backup domain controller'
  141. # or 'domain logons' is set
  142. #
  143.  
# It specifies the location of the user's profile directory (from the
# client point of view). This requires a [profiles] share to be set up
# on the Samba server (see below).
  148. ; logon path = \\%N\profiles\%U
  149. # Another common choice is storing the profile in the user's home directory
  150. # (this is Samba's default)
  151. # logon path = \\%N\%U\profile
  152.  
  153. # The following setting only takes effect if 'domain logons' is set
  154. # It specifies the location of a user's home directory (from the client
  155. # point of view)
  156. ; logon drive = H:
  157. # logon home = \\%N\%U
  158.  
  159. # The following setting only takes effect if 'domain logons' is set
  160. # It specifies the script to run during logon. The script must be stored
  161. # in the [netlogon] share
# NOTE: Must be stored in 'DOS' file format convention
  163. ; logon script = logon.cmd
  164.  
  165. # This allows Unix users to be created on the domain controller via the SAMR
  166. # RPC pipe. The example command creates a user account with a disabled Unix
  167. # password; please adapt to your needs
  168. ; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  169.  
  170. # This allows machine accounts to be created on the domain controller via the
  171. # SAMR RPC pipe.
  172. # The following assumes a "machines" group exists on the system
  173. ; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
  174.  
  175. # This allows Unix groups to be created on the domain controller via the SAMR
  176. # RPC pipe.
  177. ; add group script = /usr/sbin/addgroup --force-badname %g
  178.  
  179. ############ Misc ############
  180.  
  181. # Using the following line enables you to customise your configuration
  182. # on a per machine basis. The %m gets replaced with the netbios name
  183. # of the machine that is connecting
  184. ; include = /home/samba/etc/smb.conf.%m
  185.  
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
# NOTE(review): 'idmap uid' / 'idmap gid' are the legacy names for
# 'idmap config * : range' below and are redundant with it. Both ranges
# also end at 4999999999, which is above the 32-bit uid_t/gid_t maximum
# (4294967295) on Linux, so the top part of the range is unusable.
idmap uid = 1000000000-4999999999
idmap gid = 1000000000-4999999999
# Duplicate of the 'template shell' set under Browsing/Identification;
# the last occurrence wins. Keep one.
template shell = /bin/bash
; idmap backend = TDB
# NOTE(review): the default ('*') range and the DOMAIN range are identical.
# Samba requires the default range and every per-domain range to be
# disjoint (newer testparm reports overlapping ranges as an error), so the
# '*' range needs its own, separate span, e.g. a small tdb range for
# BUILTIN and well-known SIDs below the DOMAIN range. 'rid' maps uid =
# range-base + RID deterministically; note that sssd.conf sets
# 'ldap_id_mapping = False', so sssd will hand out different ids for the
# same accounts (see nsswitch.conf).
idmap config * : range = 1000000000-4999999999
idmap config * : backend = tdb
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000000000-4999999999


# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershares. 0 (default) means that usershare is disabled.
; usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
# NOTE(review): with 'map to guest = bad user' above, a guest usershare is
# reachable by anyone who can reach the server; 'no' unless public shares
# are an explicit requirement.
usershare allow guests = yes
  207.  
  208. #======================= Share Definitions =======================
  209.  
  210. # Un-comment the following (and tweak the other settings below to suit)
  211. # to enable the default home directory shares. This will share each
  212. # user's home directory as \\server\username
  213. ;[homes]
  214. ; comment = Home Directories
  215. ; browseable = no
  216.  
  217. # By default, the home directories are exported read-only. Change the
  218. # next parameter to 'no' if you want to be able to write to them.
  219. ; read only = yes
  220.  
  221. # File creation mask is set to 0700 for security reasons. If you want to
  222. # create files with group=rw permissions, set next parameter to 0775.
  223. ; create mask = 0700
  224.  
  225. # Directory creation mask is set to 0700 for security reasons. If you want to
  226. # create dirs. with group=rw permissions, set next parameter to 0775.
  227. ; directory mask = 0700
  228.  
  229. # By default, \\server\username shares can be connected to by anyone
  230. # with access to the samba server.
  231. # Un-comment the following parameter to make sure that only "username"
  232. # can connect to \\server\username
  233. # This might need tweaking when using external authentication schemes
  234. ; valid users = %S
  235.  
  236. # Un-comment the following and create the netlogon directory for Domain Logons
  237. # (you need to configure Samba to act as a domain controller too.)
  238. ;[netlogon]
  239. ; comment = Network Logon Service
  240. ; path = /home/samba/netlogon
  241. ; guest ok = yes
  242. ; read only = yes
  243.  
  244. # Un-comment the following and create the profiles directory to store
  245. # users profiles (see the "logon path" option above)
  246. # (you need to configure Samba to act as a domain controller too.)
  247. # The path below should be writable by all users so that their
  248. # profile directory may be created the first time they log on
  249. ;[profiles]
  250. ; comment = Users profiles
  251. ; path = /home/samba/profiles
  252. ; guest ok = no
  253. ; browseable = no
  254. ; create mask = 0600
  255. ; directory mask = 0700
  256.  
[printers]
comment = All Printers
# Not listed in browse lists; clients need the printer name.
browseable = no
path = /var/spool/samba
printable = yes
# Authenticated users only; no anonymous print jobs.
guest ok = no
read only = yes
# Spool files are created owner-only.
create mask = 0700
  265.  
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
# Read-only for everyone; driver uploads need the 'write list' below,
# since installed drivers execute on every client that fetches them.
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
  280.  
  281. ################################################## END OF SAMBA .CONF FILE ##############################################
  282.  
  283. ################################################## SSSD .CONF FILE ######################################################
[sssd]
# sssd refuses to start unless this file is root-owned and mode 0600;
# re-check after editing.
# Responders started; only nss and pam are used (no sudo/ssh/autofs).
services = nss, pam
config_file_version = 2
# Every name listed here needs a matching [domain/<name>] section.
domains = DOMAIN.LOCAL
  288.  
[nss]
# Accounts that are never looked up in AD, so root and the service users
# stay local even if the domain defines a same-named account.
filter_groups = root
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
reconnection_retries = 3
# Presumably: serve a cached entry without waiting for a refresh once it
# is at least this far (percent) into its cache timeout -- verify against
# the sssd.conf(5) of the installed version.
entry_cache_nowait_percentage = 50
  294.  
[pam]
# Retries when the backend connection drops during a request.
reconnection_retries = 3
  297.  
  298. [domain/DOMAIN.LOCAL]
  299. id_provider = ad
  300. access_provider = ad
  301. dns_discovery_domain = domain.local
  302. auth_provider = ad
  303. access_provider = ad
  304. chpass_provider = none
  305.  
  306. override_homedir = /home/%d/%u
  307.  
  308. ad_domain = domain.local
  309. ad_enable_gc = false
  310. ldap_id_mapping = False
  311. ldap_use_tokengroups = true
  312. dyndns_update = False
  313. cache_credentials = False
  314. ldap_user_gecos = displayName
  315. ad_gpo_access_control=permissive
  316.  
  317. default_shell = /bin/bash
  318.  
  319. # Uncomment if the client machine hostname doesn't match the computer object on the DC.
  320. # ad_hostname = mymachine.myubuntu.example.com
  321.  
  322. # Uncomment if DNS SRV resolution is not working
  323. # ad_server = dc.mydomain.example.com
  324.  
  325. # Uncomment if the AD domain is named differently than the Samba domain
  326. # ad_domain = MYUBUNTU.EXAMPLE.COM
  327.  
  328. # Enumeration is discouraged for performance reasons.
  329. enumerate = true
  330.  
  331. #################################################### END OF SSSD .CONF FILE #############################################
  332.  
  333. ################################################# KERBEROS .CONF FILE ###################################################
[libdefaults]
# Realm used when a principal is given without one; must match the
# [realms] entry and the spelling used in sssd.conf (DOMAIN.LOCAL).
default_realm = DOMAIN.LOCAL

# The following krb5.conf variables are only for MIT Kerberos.
# krb4_* are Kerberos 4 leftovers from the Debian example file; presumably
# ignored by current libraries.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
# Let the client compensate for clock skew reported by the KDC.
kdc_timesync = 1
ccache_type = 4
# Forwardable TGTs let a service the user logs in to (e.g. ssh with
# delegation) act as that user; this is a delegation of identity to every
# host they authenticate to, so enable it deliberately.
forwardable = true
proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
# (That remark covers v4_* and fcc-mit-ticketflags only; the enctype,
# dns_lookup_* and pkinit_* settings further down are MIT options.)
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
# NOTE(review): these three lines do what the comment block above warns
# against. They pin the client to RC4-HMAC and single DES, so AES session
# keys are never negotiated, and single DES has been disabled in MIT
# Kerberos (since 1.8) unless 'allow_weak_crypto = true' is set -- it is
# not set here, so the DES entries are either dead or, if enabled, weak.
# Remove all three so the library defaults (AES first) apply, or list the
# AES types ahead of RC4 if a legacy service still needs RC4.
default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# 'preferred_enctypes' is not a documented MIT libdefaults key -- confirm
# which library actually reads this file.
preferred_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# NOTE(review): realm lookup through DNS TXT records is unauthenticated;
# whoever answers DNS can point clients at a realm of their choice.
# [domain_realm] below already maps this domain explicitly, so 'false' is
# safe here. dns_lookup_kdc via SRV records is the normal AD setting.
dns_lookup_realm = true
dns_lookup_kdc = true
# PKINIT (certificate / smart-card logon). The likewise paths look like
# leftovers from a Likewise/PBIS install (cf. 'lsass' in nsswitch.conf), and
# '<DNS>' reads like an unexpanded placeholder rather than a hostname --
# verify whether PKINIT is used at all on this host.
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/likewise/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
# NOTE(review): 'kpServerAuth' accepts a KDC certificate that only carries
# the TLS server-auth EKU, where the stricter default 'kpKDC' requires the
# KDC EKU. Together with 'pkinit_win2k_require_binding = false' this
# relaxes KDC certificate checking; keep only if the DCs genuinely need it.
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/usr/lib/likewise-open/libpkcs11.so
# Host keytab referenced by 'kerberos method = secrets and keytab' in
# smb.conf; it holds the machine account key and must stay root-only (0600).
default_keytab_name = /etc/krb5.keytab
  383.  
[realms]
# The MIT / CMU / Stanford / Toronto / *.org entries below come from the
# Debian krb5.conf template and are presumably unused on this host; they are
# harmless, but trimming them keeps the file auditable.
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
# The AD domain this host is joined to. Both kdc lines name the same DC, so
# there is no failover: list each DC once, or drop both and rely on
# 'dns_lookup_kdc'. No admin_server is given; sssd and Samba do not need one,
# kadmin/kpasswd-style tools typically do.
DOMAIN.LOCAL = {
kdc = dc.domain.local
kdc = dc.domain.local
}
# Per-host realm that only carries auth_to_local rules (no kdc); looks like
# a Likewise/PBIS artefact. NOTE(review): an auth_to_local RULE that strips
# the realm maps every principal matching the regex onto a local account
# name -- confirm this realm is still needed before keeping it.
MY-MACHINE.DOMAIN.LOCAL = {
auth_to_local = RULE:[1:$0\$1](^MY-MACHINE\.DOMAIN\.LOCAL\\.*)s/^MY-MACHINE\.DOMAIN\.LOCAL/MY-MACHINE/
auth_to_local = DEFAULT
}
  475.  
  476.  
  477. [domain_realm]
  478. .mit.edu = ATHENA.MIT.EDU
  479. mit.edu = ATHENA.MIT.EDU
  480. .media.mit.edu = MEDIA-LAB.MIT.EDU
  481. media.mit.edu = MEDIA-LAB.MIT.EDU
  482. .csail.mit.edu = CSAIL.MIT.EDU
  483. csail.mit.edu = CSAIL.MIT.EDU
  484. .whoi.edu = ATHENA.MIT.EDU
  485. whoi.edu = ATHENA.MIT.EDU
  486. .stanford.edu = stanford.edu
  487. .slac.stanford.edu = SLAC.STANFORD.EDU
  488. .toronto.edu = UTORONTO.CA
  489. .utoronto.ca = UTORONTO.CA
  490. .domain.local = DOMAIN.local
  491. domain.local = DOMAIN.local
  492. .my-machine.domain.local = MY-MACHINE.DOMAIN.LOCAL
  493.  
[login]
# Kerberos 4 compatibility switches from the Debian template; presumably
# no-ops with a Kerberos 5 only library.
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
# Settings read by pam_krb5.
pam = {
# Map local names of the form MY-MACHINE\user onto principals in the
# per-host realm defined under [realms].
mappings = MY-MACHINE\\(.*) $1@MY-MACHINE.DOMAIN.LOCAL
forwardable = true
# 'validate' makes pam_krb5 check the obtained TGT against the host key in
# the keytab, so a spoofed KDC cannot grant a login; keep it on.
validate = true
}
# Presumably read by an Apache Kerberos auth module; reverse_mappings turn
# principals back into MY-MACHINE\user names.
httpd = {
mappings = MY-MACHINE\\(.*) $1@MY-MACHINE.DOMAIN.LOCAL
reverse_mappings = (.*)@MY-MACHINE\.DOMAIN\.LOCAL MY-MACHINE\$1
}
  507.  
  508. ############################################ END OF KERBEROS .CONF FILE #################################################
  509.  
  510. ############################################### NSSWITCH.CONF FILE ######################################################
  511. # /etc/nsswitch.conf
  512. #
  513. # Example configuration of GNU Name Service Switch functionality.
  514. # If you have the `glibc-doc-reference' and `info' packages installed, try:
  515. # `info libc "Name Service Switch"' for information about this file.
  516.  
# Four AD-integration sources are stacked here: 'ldap' (nss-ldap), 'lsass'
# (Likewise/PBIS), 'sss' (sssd) and 'winbind'. Each can answer for the same
# domain account, and they do not agree on UID/GID allocation (sssd.conf
# reads POSIX attributes from AD, smb.conf maps by RID), so whichever
# answers first decides the numeric ids. Consolidate on one source.
# NOTE(review): 'winbind' appears for group and shadow but not for passwd,
# so a winbind-only account resolves for groups but not as a user --
# probably unintended.
passwd: compat ldap lsass sss
passwd_compat: ldap
group: compat ldap lsass sss winbind
shadow: compat sss winbind
gshadow: files

# NOTE(review): any name DNS cannot resolve falls through to mDNS and then
# NetBIOS/WINS, both unauthenticated broadcast protocols on the local
# segment, so a mistyped or stale hostname can be answered by any neighbour.
# The usual Ubuntu line 'files mdns4_minimal [NOTFOUND=return] dns' stops
# after DNS; prefer that shape and drop 'wins' unless NetBIOS name
# resolution is genuinely required.
hosts: files mdns4_minimal dns mdns4 wins
#hosts: files mdns4 mdns4_minimal [NOTFOUND=return] dns
networks: files

protocols: db files
services: db files sss
ethers: db files
rpc: db files

# 'nis' is consulted first for netgroups; if no NIS domain is bound it is
# skipped but may add lookup delay -- remove if NIS is not in use.
netgroup: nis sss
# sudo rules from /etc/sudoers first, then AD. NOTE(review): the sssd side
# needs the 'sudo' responder, which is not in 'services' in sssd.conf, so
# this entry is presumably inert as configured -- confirm.
sudoers: files sss
  534.  
  535. ################################################### END OF NSSWITCH.CONF FILE ###########################################