[Samba] Samba as member of multi domain AD (nss/pam)
ndk.clanbo at gmail.com
Fri May 25 06:34:57 MDT 2012
On 25/05/2012 09:57, Marcel Ritter wrote:
> our setup looks much like yours:
> One domain "FAUAD" containing all our users, and several
> domains containing computer objects (and maybe "local" users).
> To prevent inconsistencies in user/group membership, we'd like
> to use nss/pam winbind on the unix side to get users/groups out
> of our AD.
Add winbind to /etc/nss.conf (passwd and group lines). Then use idmap
rid for the domains you're interested in (and tdb for eventual others):
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
Users and groups in PERSONALE and STUDENTI are consistent across all
servers, while other domains receive "first come first served" ids.
> However for most purposes it'd be nice to only get the short user
> names ("user" instead of "FAUAD+user") for all domains (or at
> least for a selectable domain). AFAIK the "default domain" is the
> one the computer object is created in (in our case this is *not* the
> one containing the user objects).
> I haven't found an option to specify this "default domain" without
> changing the domain location of the computer object.
Neither did I.
I tried really hard with:
idmap domains = PERSONALE STUDENTI
idmap config PERSONALE:default = no
idmap config STUDENTI:default = yes
To make 'STUDENTI' the default domain while the server is joined to
'PERSONALE', but it didn't work. Maybe someone has a clue.
> Any idea about how to solve this is welcome :-)
I'm in the dark like you :(
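
The following is an added example, not part of the original post or of Samba's code: it parses the idmap lines from the reply, checks that the default and per-domain ranges do not overlap (an overlap would let two different accounts resolve to the same Unix id), and applies the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID. The function names and the sample RID 1105 are assumptions made for illustration.

```python
import re

# idmap lines as posted in the message above.
SMB_CONF = """\
idmap backend = tdb
idmap uid = 10000-99999
idmap gid = 10000-99999
idmap config PERSONALE:backend = rid
idmap config PERSONALE:base_rid = 500
idmap config PERSONALE:range = 100000 - 49999999
idmap config STUDENTI:backend = rid
idmap config STUDENTI:base_rid = 500
idmap config STUDENTI:range = 50000000 - 99999999
"""

def parse_range(value):
    low, high = (int(x) for x in value.split("-"))
    return low, high

def parse_idmap(text):
    """Return (default_range, {domain: options}) from smb.conf idmap lines."""
    default, domains = None, {}
    for line in text.splitlines():
        key, _, value = (p.strip() for p in line.partition("="))
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(\S+)", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
        elif key == "idmap uid":
            default = parse_range(value)
    for opts in domains.values():
        opts["range"] = parse_range(opts["range"])
        opts["base_rid"] = int(opts.get("base_rid", 0))
    return default, domains

def rid_to_id(opts, rid):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside range."""
    low, high = opts["range"]
    unix_id = rid - opts["base_rid"] + low
    return unix_id if low <= unix_id <= high else None

def overlaps(default, domains):
    """Pairs of ranges sharing an ID ("*" is the default tdb allocation range)."""
    spans = [("*", default)] + [(d, o["range"]) for d, o in domains.items()]
    return [(a, b) for i, (a, ra) in enumerate(spans)
            for b, rb in spans[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

if __name__ == "__main__":
    default, domains = parse_idmap(SMB_CONF)
    print("overlapping ranges:", overlaps(default, domains) or "none")
    print({d: rid_to_id(o, 1105) for d, o in domains.items()})  # RID 1105 is a constructed sample
```

With base_rid = 500, any RID below 500 falls under the low end of its range and is reported as unmappable (None).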