Finalise (hopefully\!) samba configs.

.gitattributesdb

@@ -118,6 +118,7 @@ ZXRjL2hvc3RuYW1l 1757594311.000000000 1777400265.660000000 root:root 0644 - -
 ZXRjL2hvc3Rz 1775846139.436411007 1777400265.660000000 root:root 0644 - -
 ZXRjL2luaXQuZC8uZ2l0aWdub3Jl 1775484728.393595405 1777400265.660000000 root:root 0644 - -
 ZXRjL2luaXQuZC9maXJld2FsbA== 1776520875.412000000 1777400254.148000000 root:root 0777 - -
+ZXRjL2luaXQuZC9zYW1iYS1hZC1kYw== 1777226878.460000000 1777404401.440000000 root:root 0755 - -
 ZXRjL2luaXQuZC90ZXJyYWZvcm0taHR0cC1iYWNrZW5k 1773654405.833829368 1777400265.660000000 root:root 0755 - -
 ZXRjL2tlcm5lbC1pbWcuY29uZg== 1776526522.312000000 1777400265.680000000 root:root 0644 - -
 ZXRjL2tyYjUuY29uZg== 1776540770.172000000 1777400265.680000000 root:root 0644 - -

etc/init.d/samba-ad-dc

@@ -0,0 +1,63 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:          samba-ad-dc
+# Required-Start:    $network $local_fs $remote_fs autofs
+# Required-Stop:     $network $local_fs $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Samba daemons for the AD DC
+# Description:  Meta-service to provide AD and SMB/CIFS services to clients
+### END INIT INFO
+
+NAME=samba
+DAEMON=/usr/sbin/$NAME
+PIDFILE=/run/samba/$NAME.pid
+DESC="Samba AD DC server"
+SCRIPT=samba-ad-dc
+
+# clear conflicting settings from the environment
+unset TMPDIR
+
+test -x $DAEMON || exit 0
+/usr/share/samba/is-configured $NAME || exit 0
+
+[ -f /etc/default/samba ] && . /etc/default/samba
+
+. /lib/lsb/init-functions
+
+case "$1" in
+	(start)
+		# CVE-2013-4475
+		KEYFILE=/var/lib/samba/private/tls/key.pem
+		if [ -e $KEYFILE ]
+		then
+				KEYPERMS=`stat -c %a $KEYFILE`
+				if [ "$KEYPERMS" != "600" ]
+				then
+						echo "wrong permission on $KEYFILE, must be 600"
+						echo "samba will not start (CVE-2013-4475)"
+						echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
+						exit 1
+				fi
+		fi
+		log_daemon_msg "Starting $DESC" $NAME
+		start-stop-daemon --start --quiet --oknodo --exec $DAEMON --pidfile $PIDFILE -- -D $SAMBAOPTIONS
+		log_end_msg $?
+		;;
+	(stop)
+		log_daemon_msg "Stopping $DESC" $NAME
+		start-stop-daemon --stop  --quiet --oknodo --exec $DAEMON --pidfile $PIDFILE
+		log_end_msg $?
+		;;
+	(restart|force-reload)
+		$0 stop && sleep 1 && $0 start
+		;;
+	(status)
+		status_of_proc -p $PIDFILE $DAEMON $NAME
+		;;
+	(*)
+		echo "Usage: /etc/init.d/$SCRIPT {start|stop|restart|force-reload|status}"
+		exit 1
+		;;
+esac

etc/samba/smb.conf

@@ -1,40 +1,47 @@
 [global]
-realm = SLACKWARE.UK.INTERNAL
-netbios name = CORE
-workgroup = SLACKWAREUKINT
-server string = "slackware.uk.internal Domain Controller"
-bind interfaces only = yes
-interfaces = lo eth1
-# FIXME:
-# dns forwarder = 5.101.171.216 5.101.171.217 185.176.90.169
-dns forwarder = 216.119.155.58 185.176.90.169
-allow dns updates = secure
-tls cafile = /etc/ssl/certs/ca-certificates.crt
-tls certfile = /etc/certificates/core.slackware.uk.internal_cert.pem
-tls keyfile = /etc/certificates/core.slackware.uk.internal_key_samba.pem
-tls verify peer = ca_and_name_if_available
-log level = 1
-logging = syslog:local5
-log file = /var/log/samba/samba-debug
-debug syslog format = always
-debug hires timestamp = no
-enable core files = no
-idmap config * : backend = tdb
-# There are only 568 IDs mapped into the container by TrueNAS, so limit the number that can be used.
-idmap config * : range = 10000-10500
-idmap_ldb:use rfc2307 = yes
-password hash userPassword schemes = CryptSHA512
-server role = active directory domain controller
-username map = /etc/samba/smbusers
-vfs objects = dfs_samba4 posixacl acl_xattr
-nfs4acl_xattr:encoding = nfs
-nfs4acl_xattr:version = 41
-nfs4acl_xattr:xattr_name = user.nfs4_acl
-nfs4acl_xattr:default acl style = windows
 acl_xattr:security_acl_name = user.NTACL
 acl_xattr:default acl style = windows
 add machine script = /usr/sbin/useradd -c "%u machine account" -d /dev/null -g machines -M -N -s /bin/false %u
 add user script = /usr/sbin/useradd -c "%u domain user" -d /dev/null -g users -M -N -s /bin/false %u
+allow dns updates = secure
+bind interfaces only = yes
+debug syslog format = always
+debug hires timestamp = no
+# FIXME:
+# dns forwarder = 5.101.171.216 5.101.171.217 185.176.90.169
+dns forwarder = 216.119.155.58 185.176.90.169
+#dsdb:schema update allowed = true
+enable core files = no
+idmap config * : backend = tdb
+idmap config * : range = 1000000 - 9999999
+idmap config SLACKWARE.UK.INTERNAL : backend = ad
+idmap config SLACKWARE.UK.INTERNAL : schema_mode = rfc2307
+idmap config SLACKWARE.UK.INTERNAL : range = 100 - 10000
+idmap config SLACKWARE.UK.INTERNAL : unix_nss_info = yes
+idmap config SLACKWARE.UK.INTERNAL : unix_primary_group = yes
+idmap_ldb:use rfc2307 = yes
+interfaces = lo eth1
+logging = syslog:local5
+log file = /var/log/samba/samba-debug
+log level = 1
+netbios name = CORE
+nfs4acl_xattr:encoding = nfs
+nfs4acl_xattr:version = 41
+nfs4acl_xattr:xattr_name = user.nfs4_acl
+nfs4acl_xattr:default acl style = windows
+password hash userPassword schemes = CryptSHA512
+realm = SLACKWARE.UK.INTERNAL
+server role = active directory domain controller
+server string = "slackware.uk.internal Domain Controller"
+template shell = /bin/bash
+template homedir = /home/%U
+tls cafile = /etc/ssl/certs/ca-certificates.crt
+tls certfile = /etc/certificates/core.slackware.uk.internal_cert.pem
+tls keyfile = /etc/certificates/core.slackware.uk.internal_key_samba.pem
+tls verify peer = ca_and_name_if_available
+username map = /etc/samba/smbusers
+vfs objects = dfs_samba4 posixacl acl_xattr
+workgroup = SLACKWAREUKINT
 
 # [homes]