Final configuration of the smb.conf

The final configuration of /etc/samba/smb.conf should look like this.

Note

This configuration is valid for Samba-AD in version 4.20.

[global]
  workgroup = MYDOMAIN
  realm = MYDOMAIN.LAN
  netbios name = SRVADS
  server role = active directory domain controller

  # we have a local named service listening on 127.0.0.1:5353
  dns forwarder = 127.0.0.1:5353

  # disable null session
  restrict anonymous = 2

  # disable netbios
  disable netbios = yes
  smb ports = 445

  # disable printing services
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd

  # enable extra hashes
  password hash userPassword schemes = CryptSHA256 CryptSHA512

  # install valid certificate
  tls enabled = yes
  tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
  tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
  tls cafile = /etc/samba/tls/mondomaine_CA.crt
  tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
  tls crlfile = /etc/samba/tls/mydomain_authentication.crl
  tls dhparams file = /etc/samba/tls/srvads.mydomain.lan.dhparams

  # enable audit log
  log level = 1 \
          auth_json_audit:3@/var/log/samba/auth_json_audit.log \
          dsdb_json_audit:5@/var/log/samba/dsdb_json_audit.log \
          dsdb_password_json_audit:9@/var/log/samba/dsdb_password_json_audit.log \
          dsdb_group_json_audit:9@/var/log/samba/dsdb_group_json_audit.log \
          kerberos:3@/var/log/samba/kerberos.log \
          dns:0

  # sysvol write log
  full_audit:failure = none
  full_audit:success = pwrite write renameat
  full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
  full_audit:facility = local7
  full_audit:priority = NOTICE

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No
  vfs objects = dfs_samba4, acl_xattr, full_audit

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No
  vfs objects = dfs_samba4, acl_xattr, full_audit