Final configuration of the smb.conf

The final configuration of /etc/samba/smb.conf should look like this.

Note

This configuration is valid for Samba-AD in version 4.18.

[global]
  workgroup =MYDOMAIN
  realm = MYDOMAIN.LAN
  netbios name = SRVADS
  server role = active directory domain controller

  # disable null session
  restrict anonymous = 2

  # disable netbios
  disable netbios = yes
  smb ports = 445

  # disable printing services
  printcap name = /dev/null
  load printers = no
  disable spoolss = yes
  printing = bsd

  # enable extra hashes
  password hash userPassword schemes = CryptSHA256 CryptSHA512

  # install valid certificate
  tls enabled = yes
  tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
  tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
  tls cafile = /etc/samba/tls/mondomaine_CA.crt

  # enable audit log
  log level = 1 auth_json_audit:3@/var/log/samba/samba_audit.log

  # sysvol write log
  full_audit:failure = none
  full_audit:success = pwrite write renameat
  full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
  full_audit:facility = local7
  full_audit:priority = NOTICE

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No
  vfs objects = dfs_samba4, acl_xattr, full_audit

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No
  vfs objects = dfs_samba4, acl_xattr, full_audit