[Samba] Man page for idmap_rid

Rowland Penny rpenny at samba.org
Wed Aug 10 15:47:59 UTC 2016


On Wed, 10 Aug 2016 11:16:36 -0400
"James B. Byrne via samba" <samba at lists.samba.org> wrote:


> 
> You are correct. I did not know this.  So that I can get this clear in
> my own head let me restate this case by case:
> 
> 1.  Logon to AD from a Windows OS domain member.  User obtains UID,
> GID from LDAP but ignores shell (there is no alternative to MS-Windows
> on the client) and the home directory (which is the USERS home drive
> share or local drive in any case).

No, it is only if you log into the DC that you only get the IDs,
anywhere else and you can use the RFC2307 attributes if they are set.

> 
> 2. Logon to AD from a *NIX OS domain member.  User obtains UID, GID,
> shell, and home directory path from AD.

Sort of, it all depends on how smb.conf on the domain member is set up.

If you want to obtain the info from AD, it must be in AD and Samba must
be set up to get it.

Try reading this wiki page:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

> 
> Is there a reference as to how UNIX hosts are added to the Domain

That is on the wiki page, but it is fairly simple: set up the host
correctly, including smb.conf, and then run:

net ads join -U Administrator

> (SSSD?) or is that unnecessary?

The only place where you may need sssd, is on a DC and then only if you
want to use it as a fileserver along with using the RFC2307 attributes
stored in AD.

> I ask because one of my goals is to
> implement a single sign-on for our Unix host users via the Samba AD.

If you mean storing your Unix users in AD and then allowing them to
login to Unix machines that are joined to the domain, then this is
very possible. The users' home directories don't have to exist, you can
set PAM to create these at login.
 
> These machines come and go but not with any great frequency. Many are
> themselves virtualised.  Most are accessed via ssh or using OPENVPN
> (which will be certificate based anyway).
> 
> I am hoping that adding the PAM AD authentication will alleviate some
> of the tediousness of setting up temporary hosts for an unknown number
> of users.  Respecting which, are there references to any scripts that
> can be run to automatically set-up a user's home directory upon first
> login to an AD authenticated *NIX host?

You do this by adding this line to /etc/pam.d/common-account

session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022

Rowland
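
As an added example (not part of the original message and not Samba or PAM project code), the following Python audits pam_mkhomedir lines like the one above and reports the permissions new home directories would get. The function name `audit_mkhomedir` and the sample fragment are constructed for illustration; it assumes the home directory mode is 0777 with the umask bits cleared and that the default umask is 0022 when no `umask=` argument is given.

```python
# Added example: audit pam_mkhomedir lines in PAM configuration text.
SAMPLE = """\
# constructed PAM fragment for this example
account  required                     pam_unix.so
session  required                     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  [success=ok default=ignore]  pam_mkhomedir.so skel=/etc/skel/ umask=0077
session  optional                     pam_mkhomedir.so umask=0022"
account  required                     pam_mkhomedir.so
"""

DEFAULT_UMASK = "0022"  # assumption: value used when no umask= argument is set


def audit_mkhomedir(pam_text):
    """Return one finding per pam_mkhomedir line: type, umask, mode, issues."""
    findings = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        # The control field may be bracketed and contain spaces, so locate
        # the module token instead of assuming it is the third field.
        idx = next((i for i, t in enumerate(tokens)
                    if t.endswith("pam_mkhomedir.so")), None)
        if idx is None or idx < 2:
            continue
        mod_type = tokens[0].lstrip("-")
        args = dict(a.split("=", 1) for a in tokens[idx + 1:] if "=" in a)
        umask, issues, mode = args.get("umask", DEFAULT_UMASK), [], None
        # pam_mkhomedir provides only the session module type.
        if mod_type != "session":
            issues.append("module type is not session")
        try:
            mode = 0o777 & ~int(umask, 8)
        except ValueError:
            issues.append("unparsable umask")
        # Any group/other bit left set exposes the new home directory.
        if mode is not None and mode & 0o077:
            issues.append("home accessible to group/other")
        findings.append({"line": lineno, "type": mod_type, "umask": umask,
                         "mode": None if mode is None else format(mode, "04o"),
                         "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_mkhomedir(SAMPLE):
        print(finding)
```

On a multi-user host, a umask of 0022 yields 0755 home directories that every local account can list, while 0077 yields 0700.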
