[Samba] Man page for idmap_rid

James B. Byrne byrnejb at harte-lyne.ca
Wed Aug 10 15:16:36 UTC 2016

On Wed, August 10, 2016 03:59, Rowland Penny wrote:
> On Tue, 9 Aug 2016 22:22:55 -0400
> "James B. Byrne via samba" <samba at lists.samba.org> wrote:
>> I have zero experience with this so my question may appear fairly
>> naive.  What about user home directories and shells on *NIX hosts
>> other than the AD-DC?  I read somewhere that user UNIX Attributes
>> other than UID and GID are not implemented in Samba.
>> My use-case would be sshd session authentication on a remote host
>> using an AD-DC PAM module.
> I think you have misunderstood this, if you use a Samba AD DC as a
> fileserver, then winbindd only uses the uidNumber & gidNumber
> attributes. On a Unix domain member, winbindd will use all available
> RFC2307 attributes, including loginShell & unixHomeDirectory.

You are correct. I did not know this.  So that I can get this clear in
my own head let me restate this case by case:

1.  Logon to AD from a Windows OS domain member.  User obtains UID,
GID from LDAP but ignores shell (there is no alternative to MS-Windows
on the client) and the home directory (which is the USERS home drive
share or local drive in any case).

2. Logon to AD from a *NIX OS domain member.  User obtains UID, GID,
shell, and home directory path from AD.

Is this correct?

Is there a reference as to how UNIX hosts are added to the Domain
(SSSD?) or is that unnecessary? I ask because one of my goals is to
implement a single sign-on for our Unix host users via the Samba AD. 
These machines come and go but not with any great frequency. Many are
themselves virtualised.  Most are accessed via ssh or using OPENVPN
(which will be certificate based anyway).

I am hoping that adding the PAM AD authentication will alleviate some
of the tediousness of setting up temporary hosts for an unknown number
of users.  Respecting which, are there references to any scripts that
can be run to automatically set up a user's home directory upon first
login to an AD authenticated *NIX host?


***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
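For the Unix domain member case that Rowland describes (winbindd reading the RFC2307 attributes, including loginShell and unixHomeDirectory), here is an added smb.conf fragment that is not from this thread or the Samba project. It assumes the ad idmap backend rather than rid; SAMDOM, the realm and the id ranges are placeholders.

```ini
# /etc/samba/smb.conf on a Unix domain member (added example; SAMDOM,
# the realm and the id ranges are placeholders, not values from the thread)
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    # Default backend for SIDs outside the domain (BUILTIN, trusts):
    # ids are allocated locally in a tdb, never read from AD.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Domain users/groups: take uidNumber/gidNumber from the AD objects.
    # Only objects whose ids fall inside this range are resolved, so the
    # range must not overlap the '*' range above.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    # Also read loginShell and unixHomeDirectory from the user object
    # instead of using the template values below.
    winbind nss info = rfc2307

    # Fallbacks for users with no loginShell / unixHomeDirectory set.
    template shell = /bin/bash
    template homedir = /home/%D/%U

    winbind use default domain = yes
    winbind refresh tickets = yes
```

After joining, `getent passwd <user>` on the member should show the shell and home directory stored in AD; a user whose attributes are unset falls back to the template values.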
