Final configuration of the smb.conf
The final configuration of /etc/samba/smb.conf
should look like this.
Note
This configuration is valid for a Samba Active Directory domain controller running Samba 4.20.
# /etc/samba/smb.conf - Samba AD domain controller (Samba 4.20, see note above).
# Comments are full-line only: smb.conf(5) recognises "#" and ";" as comment
# markers at the start of a line, not after a value.
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LAN
netbios name = SRVADS
server role = active directory domain controller
# Forward queries the internal DNS server is not authoritative for to the
# local named service listening on 127.0.0.1:5353.
# NOTE(review): the address:port form assumes this Samba build accepts a port
# suffix in "dns forwarder" - confirm in smb.conf(5) for the installed version.
dns forwarder = 127.0.0.1:5353
# Deny anonymous (null-session) access: level 2 refuses anonymous connections
# to IPC$ as well as anonymous enumeration.  Confirm that domain join, trusts
# and any clients that still depend on anonymous access work with this value.
restrict anonymous = 2
# Disable NetBIOS support and accept SMB on TCP 445 only (port 139 is not
# opened).
disable netbios = yes
smb ports = 445
# Disable printing services entirely (no spoolss RPC, no printer shares).
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
# Additionally store crypt(3) SHA-256 and SHA-512 hashes of user passwords
# for consumers that read them from the directory.  These extra hashes are
# only as protected as read access to the directory itself; a work factor can
# be set per scheme, e.g. CryptSHA512:rounds=<N> (placeholder, pick a value).
password hash userPassword schemes = CryptSHA256 CryptSHA512
# TLS for LDAPS / StartTLS with a certificate issued by the domain CA.
# The private key file must be readable by root only.
tls enabled = yes
tls keyfile = /etc/samba/tls/srvads.mydomain.lan.key
tls certfile = /etc/samba/tls/srvads.mydomain.lan.crt
# NOTE(review): "mondomaine" differs from the "mydomain" naming used for the
# other TLS files - confirm this is the intended CA bundle file name.
tls cafile = /etc/samba/tls/mondomaine_CA.crt
# GnuTLS priority string: start from nothing (NONE), enable the SECURE256
# algorithm set, drop every protocol version and re-enable only TLS 1.2 and
# TLS 1.3.  Verify the effective cipher suites with
# "gnutls-cli -l --priority <string>" before deploying.
tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
# Certificate revocation list.  Keep it refreshed: a stale or expired CRL can
# make client TLS connections fail.
tls crlfile = /etc/samba/tls/mydomain_authentication.crl
tls dhparams file = /etc/samba/tls/srvads.mydomain.lan.dhparams
# Audit logging: base level 1, with per-class levels written to dedicated
# files ("class:level@file").  The JSON audit files record user names, client
# addresses and directory changes - restrict read access to /var/log/samba
# and rotate them.  Do not insert comment lines inside the backslash
# continuation below: the continued text is part of the value.
log level = 1 \
auth_json_audit:3@/var/log/samba/auth_json_audit.log \
dsdb_json_audit:5@/var/log/samba/dsdb_json_audit.log \
dsdb_password_json_audit:9@/var/log/samba/dsdb_password_json_audit.log \
dsdb_group_json_audit:9@/var/log/samba/dsdb_group_json_audit.log \
kerberos:3@/var/log/samba/kerberos.log \
dns:0
# vfs_full_audit settings for the sysvol/netlogon shares below (module:param
# options in [global] apply to every share that loads full_audit).  Only
# successful pwrite/write/renameat operations are recorded.
# NOTE(review): "failure = none" means denied or failed write attempts are
# not logged; consider auditing the same operations under full_audit:failure
# so that unauthorised modification attempts are also visible.
full_audit:failure = none
full_audit:success = pwrite write renameat
# Record prefix: %I = client IP, %u = session user, %S = share name.
# NOTE(review): smb.conf(5) documents %m (client NetBIOS name) as unavailable
# when Samba listens only on port 445, which is the case above, so MACHINE=
# is expected to be empty.  %M (client host name) may be an alternative -
# verify what it yields in this setup.
full_audit:prefix = IP=%I|USER=%u|MACHINE=%m|VOLUME=%S
# Send audit records to syslog facility local7 at priority NOTICE.
full_audit:facility = local7
full_audit:priority = NOTICE
# NETLOGON share: logon scripts under the domain's sysvol tree.
[netlogon]
path = /var/lib/samba/sysvol/mydomain.lan/scripts
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit
# SYSVOL share: group policy objects and scripts replicated to clients.
[sysvol]
path = /var/lib/samba/sysvol
read only = No
vfs objects = dfs_samba4, acl_xattr, full_audit