[Samba] Man page for idmap_rid

James B. Byrne byrnejb at harte-lyne.ca
Fri Aug 12 20:46:03 UTC 2016

On Wed, August 10, 2016 11:47, Rowland Penny wrote:

>> 1.  Logon to AD from a Windows OS domain member.  User obtains UID,
>> GID from LDAP but ignores shell (there is no alternative to
>> MS-Windows
>> on the client) and the home directory (which is the USERS home drive
>> share or local drive in any case).
> No, it is only if you log into the DC that you only get the IDs,
> anywhere else and you can use the RFC2307 attributes if they are set.

Got it.  Thanks.

>> 2. Logon to AD from a *NIX OS domain member.  User obtains UID, GID,
>> shell, and home directory path from AD.
> Sort of, it all depends on how smb.conf on the domain member is set
> up.
> If you want to obtain the info from AD, it must be in AD and Samba
> must be set up to get it.
> Try reading this wiki page:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>> Is there a reference as to how UNIX hosts are added to the Domain
> That is on the wiki page, but it fairly simple, set up the host
> correctly including smb.conf and then run:
> net ads join -U Administrator
>> (SSSD?) or is that unnecessary?
> The only place where you may need sssd, is on a DC and then only
> if you want to use it as a fileserver along with using the
> RFC2307 attributes stored in AD.
>> I ask because one of my goals is to
>> implement a single sign-on for our Unix host users via the Samba AD.
> If you mean storing your Unix users in AD and then allowing them to
> login to Unix machines that are joined to the domain, then this is
> very possible. The users home directories don't have to exist, you can
> set PAM to create these at login.
>> These machines come and go but not with any great frequency. Many
>> are
>> themselves virtualised.  Most are accessed via ssh or using OPENVPN
>> (which will be certificate based anyway).
>> I am hoping that adding the PAM AD authentication will alleviate
>> some
>> of the tediousness of setting up temporary hosts for an unknown
>> number
>> of users.  Respecting which, are there references to any scripts
>> that
>> can be run to automatically set-up a user's home directory upon
>> first
>> login to an AD authenticated *NIX host?
> You do this by adding this line to /etc/pam.d/common-account
> session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022"

Thank you for this.  You have been most helpful.

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

More information about the samba mailing list