[Samba] Samba4 ad dc with Centos7
rpenny at samba.org
Tue Dec 8 14:46:07 UTC 2015
On 08/12/15 13:55, mathias dufresne wrote:
> That's what I thought, and why I told there is no enumeration for system
> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone). But wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).
> I insist because after months spent here and years with Samba I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system it
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access to the share).
> With domains there is also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind or
> sssd or nslcd).
> Just my 2 cents, best regards,
OK, before version 4.0.0, Samba was just a bridge between windows &
Unix, but with the release of version 4.0.0, it became as though it was
also a part of windows.
There is no such thing as a Samba system user, even if you are running
Samba as an AD DC. If you run Samba as a client you can make your users,
windows users, Unix users or both, depending on how you set up Samba. If
you just want to use Samba 4 for authenticate users, you do not need to
do anything else but create the users, however if you want to connect
your users to the DC or for your users to be Unix users, there must be
some way to map your users to Unix IDs.
On the DC, unless overridden, idmap.ldb is used, this stores mappings
between user & group RIDs and xidNumbers that will be used by the DC as
Unix IDs. You can override the xidNumbers by adding a uidNumber
attribute to your users, if this is done, the contents of the uidNumber
will be used instead of the xidNumber.
On a domain member, you have two basic ways of mapping AD users to Unix
users, the 'ad' & 'rid' backends. The 'rid' backend does not need
anything adding to AD, it maps user RIDs to Unix IDs with an algorithm
and so, you should get the same ID number on all domain members. The
'ad' backend entails adding rfc2307 attributes to a user, any user that
doesn't get the required attributes, will be invisible to Unix.
For a user to access a share on a Unix machine, the user *must* be known
to the underlying Unix OS, this means using winbind with either the 'ad'
or 'rid' backend (there are other ways of doing this, but they are not
part of Samba and this is the Samba list).
More information about the samba