Configuration finale du smb.conf

La configuration finale de /etc/samba/smb.conf devrait ressembler à ceci.

Note

Cette configuration est valide pour Samba-AD en version 4.8.4.

Pour la version suivante (4.9), la ligne log level peut tirer parti des nouvelles fonctionnalités de journalisation des évènements d’écriture LDAP.

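[global]
  # Identity of this domain controller (sample names used throughout this page).
  workgroup = MYDOMAIN
  realm = MYDOMAIN.LAN
  netbios name = SRVADS
  server role = active directory domain controller
  # Removes Samba's internal DNS server from the default service list;
  # presumably the AD zones are served by an external DNS server - confirm.
  server services = -dns

  # disable null session
  restrict anonymous = 2

  # disable netbios: with NetBIOS off, SMB is offered on TCP 445 only
  disable netbios = yes
  smb ports = 445

  # disable printing services
  printcap name = /dev/null
  load printers = no

  # enable extra hashes (stored in addition to the default ones)
  # NOTE(review): existing accounts presumably only get these hashes at their
  # next password change - confirm.
  password hash userPassword schemes = CryptSHA256 CryptSHA512

  # install valid certificate
  # The parameter is "tls enabled"; a bare "enabled" is not an smb.conf
  # parameter and is reported as unknown and ignored.
  tls enabled = yes
  # Keep the private key owned by root with mode 0600: Samba refuses a key
  # file that is readable by group or others.
  tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
  tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
  tls cafile = /etc/samba/tls/mondomaine_CA.crt

  # enable audit log
  # NOTE(review): auth_json_audit at level 2 is documented as covering failed
  # authentications only; successful logons need level 3 - confirm against the
  # audit logging documentation of the deployed version.
  log level = 0 auth_json_audit:2

  # sysvol write log
  # These full_audit:* options only take effect on shares that load the
  # full_audit VFS module ([netlogon] and [sysvol] below).
  # NOTE(review): "failure = none" means failed operations, such as denied
  # writes, leave no audit record; list the audited operations here as well
  # if rejected write attempts should be visible.
  full_audit:failure = none
  # NOTE(review): deletions and directory creation are not in this list;
  # check the vfs_full_audit manual of the deployed version for the exact
  # operation names before extending it.
  full_audit:success = pwrite write rename
  full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
  # Records go to syslog facility local7 at priority NOTICE; the syslog
  # daemon has to route that facility to a file or log collector.
  full_audit:facility = local7
  full_audit:priority = NOTICE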

[netlogon]
  # Logon scripts share; writable so that scripts can be managed over SMB.
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No
  # Loads the audit module so that write operations on this share are logged.
  # NOTE(review): on an AD DC the default VFS modules are dfs_samba4 and
  # acl_xattr; a per-share "vfs objects" presumably replaces that list.
  # Confirm with testparm that ACL handling is still active on this share.
  vfs objects = full_audit

[sysvol]
  # Sysvol share (group policy files); writable so that policies can be
  # edited over SMB.
  path = /var/lib/samba/sysvol
  read only = No
  # Loads the audit module so that write operations on this share are logged.
  # NOTE(review): on an AD DC the default VFS modules are dfs_samba4 and
  # acl_xattr; a per-share "vfs objects" presumably replaces that list.
  # Confirm with testparm that ACL handling is still active on this share.
  vfs objects = full_audit