Samba4 ADS BDC howto/help/status, please?

Matthieu Patou mat+Informatique.Samba at
Fri Jan 22 03:36:11 MST 2010

On 21/01/2010 21:28, Brian Dickson wrote:
> Hi,
> I'm interested in deploying Samba4 in a non-critical (but very useful!) role, as an AD backup DC, for authentication purposes only.
> Specifically, the environment in which this is to be deployed is:
> (A) An AD PDC (and two BDCs) all running Windows Server 2003 SP2 (not, unfortunately, R2 :-) ).
> (B) Lots of users and groups, for some smallish value of "lots" (a few dozen).
> (C) Add to this, the desire to have Linux host(s) which will authenticate users via PAM with one of pam_winbind, pam_ldap, and/or pam_krb5, by way of Samba4.
> The need to have a Linux host do the mappings between UID/GID, and RID/SID (or whatever *ID exists), is why I think Samba4 as BDC (possibly read-only) would be ideal.

> Samba3 only supports queries against AD PDC with the "support for unix" stuff that came in R2, or against a stand-alone Linux Samba3 PDC.
That's if you use the idmaping and storing the UID/GID in the ldap.
> The mappings UID/GID would be one-way only, on one host, so the scope is very limited. No conflicts, no race conditions, no data sharing, just authentication (and creating home directories, natch.)
So in fact as I understand you want to have on linux host a UID/GID for 
each Windows user and be able to authenticate them. Then a very simple 
pam_winbind + winbind setup: check here and

For your information in my shop with a s4 domain (but I do not have any 
UID/GID in the LDAP) and we are using winbind on some linux host for 
authentification it just works !

As I want to have a bit of uniformity in the UID of my users I decided 
to use the rid backend for UID/GID allocation: with this backend the uid 
are allocated from starting

    idmap domains = FOO
    idmap config FOO: default = yes
    idmap config FOO: backend = rid
    idmap config FOO: range = 10000-20000

    # For big domain take care of the enumeration time ...
    winbind enum groups = yes
    winbind use default domain = yes
    winbind enum users = yes
    # It might not be needed anymore now ...
    allow trusted domains = No

And for the authentification I just added:

account sufficient
auth sufficient

to the pam files.
> So, my questions are:
> (1) Will Samba4 in its current state, be able to handle this?
> (2) What compile/install/provision/configure steps/instructions are (or will be) required?
> (3) Can anyone point me at relevant bits and pieces that might need to be added or tweaked, to support this, if there's still work to be done? (I have incentive to do this, of course.)
> (4) Would anyone object to me adding this to the Wiki/howto, as I think this will be a common use-case?
No of course be our guest !


More information about the samba-technical mailing list