S6E20: "Actively Directing Samba"

Comments 0

Previous EpisodeNext Episode
Recorded (UTC) Aired (UTC) Editor
2021-11-09 04:01:43 2021-11-21 16:31:45 "Edita"
Format SHA256 GPG Audio File
MP3 4f6ff4dcb99c897ede716c0bc78e96bad211a69ab2d960ce8d89a7df09f2e2fc click click
OGG cf6ccf4e20a159a29212d8b167d7837f1f288ce41981fd2682af350dda675b99 click click

We talk more about Samba and Active Directory integration.

Just the Tip

  • A listener wrote in to remind us that SpinRite is terrible and a sham, and Steve Gibson should be ashamed.
    • I remind listeners to instead grab an image with ddrescue, and then perform data recovery on that image using tools such as TestDisk, PhotoRec, Scalpel, etc.


Starts at 23m20s.

I was drinking water. Paden was drinking water. Jthan was drinking Boulder vodka.

  • Samba and AD integration
    • TL; DR: don’t use realm join --user=<username> AD.DOMAIN when joining a Samba member! Instead, use: realm join --user=<username> --client-software=sssd --membership-software=samba AD.DOMAIN.
      • You’ll also need to install sssd-winbind-idmap on RHEL-like systems.
    • We also discuss use cases for Kerberos.

Here’s a working sssd.conf:

domains = your.ad.domain
config_file_version = 2
services = nss, pam
certificate_verification = no_verification

pam_verbosity = 2
pam_account_expired_message = Account is expired.
pam_account_locked_message = Account is locked.

ad_domain = your.ad.domain
krb5_realm = YOUR.AD.DOMAIN
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

And here’s a working smb.conf:

    realm = YOUR.AD.DOMAIN
    workgroup = YOUR
    security = ads
    kerberos method = secrets and keytab
    template homedir = /home/%U
    idmap config * : backend = tdb
    idmap config * :  range = 10000-199999
    idmap config YOUR : backend = sss
    idmap config YOUR : range = 200000-2147483647
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    machine password timeout = 0

    comment = Share Comment
    path = /opt/shared
    read only = No
    valid users = @"YOUR.AD.DOMAIN\Domain Users" @"YOUR.AD.DOMAIN\Domain Computers"

15 Clams

In this segment, Jthan shares with you a little slice of life. The title is a reference to this video. (2m16s in)

Starts at 36m40s.

Detective Jthan tries to determine if he’s getting throttled for hitting his ISP quota because his Internet connection is terrible.


  • I was thinking of ATP.
  • Edita actually cut most of the delays out. THANK GOODNESS.
    • Seriously, it was like 10x worse than it is in the recording.


Music Credits
Track Title Artist Link Copyright/License
Intro 14&24 Floating Mind click CC-BY-NC-SA 4.0
Outro Still + Version Dub Cmd click CC-BY-NC-ND 4.0
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)



There are currently no comments on this article.


Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.