S6E20: "Actively Directing Samba"
        
| Previous Episode | Next Episode |
|---|---|
| S6E19: "A Remote Chance" | S6E21: "Almost the End" |

| Recorded (UTC) | Aired (UTC) | Editor |
|---|---|---|
| 2021-11-09 04:01:43 | 2021-11-21 16:31:45 | "Edita" |

| Format | SHA256 | GPG | Audio File |
|---|---|---|---|
| MP3 | 4f6ff4dcb99c897ede716c0bc78e96bad211a69ab2d960ce8d89a7df09f2e2fc | click | click |
| OGG | cf6ccf4e20a159a29212d8b167d7837f1f288ce41981fd2682af350dda675b99 | click | click |

We talk more about Samba and Active Directory integration.
Just the Tip
- A listener wrote in to remind us that SpinRite is terrible and a sham, and Steve Gibson should be ashamed.
Notes
Starts at 23m20s.
I was drinking water. Paden was drinking water. Jthan was drinking Boulder vodka.
- Samba and AD integration
	- TL;DR: don’t use realm join --user=<username> AD.DOMAIN when joining a Samba member! Instead, use:
	  realm join --user=<username> --client-software=sssd --membership-software=samba AD.DOMAIN
	- You’ll also need to install sssd-winbind-idmap on RHEL-like systems.
- We also discuss use cases for Kerberos.

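The join above leaves two files that have to agree with each other. This added example (not from the show or its hosts) is a small Python audit of that pairing, run over constructed excerpts of the sssd.conf and smb.conf listed below; the helper names `parse_ini` and `audit` and the choice of checks are assumptions of the example.

```python
# Constructed excerpts of the two files (only the keys the checks read).
SSSD_CONF = """[sssd]
certificate_verification = no_verification
[domain/your.ad.domain]
krb5_realm = YOUR.AD.DOMAIN
realmd_tags = manages-system joined-with-samba
"""
SMB_CONF = """[global]
    realm = YOUR.AD.DOMAIN
    workgroup = YOUR
    idmap config * :  range = 10000-199999
    idmap config YOUR : backend = sss
    idmap config YOUR : range = 200000-2147483647
"""

def parse_ini(text):
    """Minimal reader: {section: {key: value}}; keys are whitespace- and case-normalised."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            section[" ".join(key.split()).lower()] = value.strip()
    return conf

def audit(sssd_text, smb_text):
    """Hypothetical helper: list mismatches between sssd.conf and smb.conf."""
    sssd, glob = parse_ini(sssd_text), parse_ini(smb_text).get("global", {})
    out = []
    if "no_verification" in sssd.get("sssd", {}).get("certificate_verification", ""):
        out.append("sssd: certificate verification is disabled")
    for name, dom in sssd.items():
        if name.startswith("domain/"):
            if dom.get("krb5_realm") != glob.get("realm"):
                out.append(f"{name}: krb5_realm differs from smb.conf realm")
            if "joined-with-samba" not in dom.get("realmd_tags", ""):
                out.append(f"{name}: realmd_tags lacks joined-with-samba")
    wg = glob.get("workgroup", "").lower()
    if glob.get(f"idmap config {wg} : backend") != "sss":
        out.append("smb: AD domain idmap backend is not sss")
    # Sort (low, high, key) tuples and compare neighbours for overlap.
    spans = sorted(tuple(map(int, v.split("-"))) + (k,) for k, v in glob.items()
                   if k.startswith("idmap config ") and k.endswith(" : range"))
    for (_, hi, a), (lo, _, b) in zip(spans, spans[1:]):
        if lo <= hi:
            out.append(f"smb: id ranges overlap: {a} / {b}")
    return out

print(*audit(SSSD_CONF, SMB_CONF), sep="\n")
```

To run it against a live host, pass the contents of the real files to `audit` in place of the two constructed strings.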
Here’s a working sssd.conf:
[sssd]
domains = your.ad.domain
config_file_version = 2
services = nss, pam
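# no_verification disables certificate verification completely; sssd.conf(5) describes it as a testing-only option
certificate_verification = no_verification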
[pam]
pam_verbosity = 2
pam_account_expired_message = Account is expired.
pam_account_locked_message = Account is locked.
[domain/your.ad.domain]
ad_domain = your.ad.domain
krb5_realm = YOUR.AD.DOMAIN
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

And here’s a working smb.conf:
[global]
    realm = YOUR.AD.DOMAIN
    workgroup = YOUR
    security = ads
    kerberos method = secrets and keytab
    template homedir = /home/%U
    idmap config * : backend = tdb
    idmap config * :  range = 10000-199999
    idmap config YOUR : backend = sss
    idmap config YOUR : range = 200000-2147483647
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    # 0 stops Samba from periodically changing the machine account password
    machine password timeout = 0
[sharename]
    comment = Share Comment
    path = /opt/shared
    read only = No
    valid users = @"YOUR.AD.DOMAIN\Domain Users" @"YOUR.AD.DOMAIN\Domain Computers"

15 Clams
In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)
Starts at 36m40s.
Detective Jthan tries to determine if he’s getting throttled for hitting his ISP quota because his Internet connection is terrible.
Errata
- I was thinking of ATP.
- Edita actually cut most of the delays out. THANK GOODNESS.
	- Seriously, it was like 10x worse than it is in the recording.
 
Music
| Track | Title | Artist | Link | Copyright/License | 
|---|---|---|---|---|
| Intro | 14&24 | Floating Mind | click | CC-BY-NC-SA 4.0 |
| Outro | Still + Version | Dub Cmd | click | CC-BY-NC-ND 4.0 |
        

Author: r00t^2

Categories: Season Six