[Samba] Samba4 ad dc with Centos7

Rowland penny rpenny at samba.org
Tue Dec 8 14:46:07 UTC 2015

On 08/12/15 13:55, mathias dufresne wrote:
> That's what I thought, and why I said there is no enumeration for system
> users.
> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone). But wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
> I insist because after months spent here and years with Samba I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system is
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access the share).
> With domains there are also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux users from AD/NT4 built with winbind or
> sssd or nslcd).
> Just my 2 cents, best regards,
> mathias

OK, before version 4.0.0, Samba was just a bridge between windows & 
Unix, but with the release of version 4.0.0, it became as though it was 
also a part of windows.
There is no such thing as a Samba system user, even if you are running 
Samba as an AD DC. If you run Samba as a client you can make your users 
windows users, Unix users or both, depending on how you set up Samba. If 
you just want to use Samba 4 to authenticate users, you do not need to 
do anything else but create the users; however, if you want to connect 
your users to the DC or for your users to be Unix users, there must be 
some way to map your users to Unix IDs.

On the DC, unless overridden, idmap.ldb is used, this stores mappings 
between user & group RIDs and xidNumbers that will be used by the DC as 
Unix IDs. You can override the xidNumbers by adding a uidNumber 
attribute to your users, if this is done, the contents of the uidNumber 
will be used instead of the xidNumber.
On a domain member, you have two basic ways of mapping AD users to Unix 
users, the 'ad' & 'rid' backends. The 'rid' backend does not need 
anything added to AD, it maps user RIDs to Unix IDs with an algorithm 
and so you should get the same ID number on all domain members. The 
'ad' backend entails adding rfc2307 attributes to a user; any user that 
doesn't get the required attributes will be invisible to Unix.

For a user to access a share on a Unix machine, the user *must* be known 
to the underlying Unix OS, this means using winbind with either the 'ad' 
or 'rid' backend (there are other ways of doing this, but they are not 
part of Samba and this is the Samba list).
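As an added illustration of the three mapping paths described in the message above (this is example code, not something from the post or from Samba itself), the script below parses the `idmap config` lines of a constructed smb.conf fragment, applies the documented idmap_rid formula `ID = RID - BASE_RID + LOW_RANGE_ID` (base_rid defaults to 0), shows how the 'ad' backend yields no Unix ID when the rfc2307 `uidNumber` attribute is missing, and models the DC rule that a `uidNumber` attribute overrides the `xidNumber` from idmap.ldb. The domain name, ranges, SIDs and user records are all constructed sample values.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed smb.conf fragment for a domain member using the 'rid' backend.
# Values are sample data, not taken from the mailing-list post.
SMB_CONF = """
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

IDMAP_LINE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.MULTILINE
)


def parse_idmap_config(conf: str) -> Dict[str, dict]:
    """Collect 'idmap config DOMAIN : key = value' lines into a per-domain dict.

    The 'range' key is turned into an (low, high) integer tuple; other keys
    (backend, base_rid, ...) are kept as strings.
    """
    out: Dict[str, dict] = {}
    for domain, key, value in IDMAP_LINE.findall(conf):
        entry = out.setdefault(domain.upper(), {})
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return out


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    return int(sid.rsplit("-", 1)[1])


def map_rid(rid: int, id_range: Tuple[int, int], base_rid: int = 0) -> Optional[int]:
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID, or None if outside the range.

    Because the result depends only on the RID and the configured range,
    every domain member with the same config produces the same Unix ID.
    """
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def map_ad(user: dict) -> Optional[int]:
    """idmap_ad: the Unix ID is the rfc2307 uidNumber attribute; without it the
    user is invisible to the Unix side, so None is returned."""
    return user.get("uidNumber")


def map_dc(user: dict, xid_number: int) -> int:
    """On the DC, idmap.ldb's xidNumber is used unless the user carries a
    uidNumber attribute, which takes precedence."""
    return user["uidNumber"] if "uidNumber" in user else xid_number


def resolve_member(sid: str, domain: str, conf: str) -> Optional[int]:
    """Resolve a SID on a domain member configured with the 'rid' backend."""
    cfg = parse_idmap_config(conf)[domain.upper()]
    if cfg.get("backend") != "rid":
        raise ValueError("only the 'rid' backend is modelled here")
    base_rid = int(cfg.get("base_rid", 0))
    return map_rid(rid_from_sid(sid), cfg["range"], base_rid)


if __name__ == "__main__":
    # Constructed SIDs: domain part is a placeholder, last component is the RID.
    print(resolve_member("S-1-5-21-1111-2222-3333-1104", "SAMDOM", SMB_CONF))
    print(map_ad({"sAMAccountName": "alice", "uidNumber": 10001}))
    print(map_ad({"sAMAccountName": "bob"}))  # no rfc2307 attribute
    print(map_dc({"sAMAccountName": "carol"}, 3000000))
```

The 'rid' path is deterministic and needs nothing in AD, while the 'ad' path returns nothing for a user whose rfc2307 attributes were never populated; that matches the two behaviours the message contrasts.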
