[Samba] Samba AD and NIS integration

Rowland Penny rpenny at samba.org
Thu Nov 16 08:26:36 UTC 2017


On Wed, 15 Nov 2017 22:22:38 +0000
Stephen Parry via samba <samba at lists.samba.org> wrote:

> I have questions regarding the operation of AD and integrating NIS or
> LDAP with it. I have a small heterogeneous network consisting of
> various computing devices running either Windows 10 pro or a flavour
> of Linux. I am setting up a NAS box running Debian Stretch and Samba
> 4.5.12 to be the central file server and authenticator for the
> network, including LDAP aware software such as owncloud. I have
> carefully followed the samba.org instructions for setting up the AD
> including rfc2307 data, except for ignoring the recommendation
> regarding not running AD and file services from the same box - I
> cannot afford two boxes for the job and I believe I can live with the
> limitations of one. Can someone please help with these questions:
> 1. What are the id ranges that the AD uses / expects for uidNumber and
> gidNumber?

The id ranges are what you choose, reading this may help:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File

> Is there any working way of controlling those ranges,
> given idmap breaks stuff?

What do you mean 'idmap breaks things'?

> Winbind only seems to respond to id queries
> if the numbers are created in the correct range, but I cannot find
> what the exact ranges are.

Winbind only uses the ranges you set in smb.conf, but then the users
and groups must have uidNumber or gidNumber attributes containing
numbers inside the 'DOMAIN' range.


> 2. Is there a way of making NIS use Samba
> AD as the central repo for user credentials?

If you mean make the Unix OS know who the AD users and groups are, then
yes.

> I would like to support
> NIS/NFS clients if possible. I am open to using LDAP/NFS instead.

I think you mean Unix/NFS clients and yes this is very doable.

> 3. Can someone please point me at a good guide for configuring a server
> so that Samba AD's LDAP can support LDAP authentication requests from
> other systems too? The key point is I would like Samba to be 'king of
> the castle' here - for it to store and maintain the authoritative
> login credentials across all my systems.
> Thanks Stephen

Try reading the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Rowland
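
The range rule described in the reply above, as an added example that is not part of the original thread: it parses the 'idmap config' range lines of a domain member's smb.conf, reports overlapping ranges, and lists accounts whose uidNumber is missing or falls outside the 'DOMAIN' range. The domain name SAMDOM, both ranges and the user list are constructed assumptions.

```python
import re

# Constructed sample smb.conf fragment for a domain member; the domain name
# SAMDOM and both ranges are assumptions, not values from the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for domain, low, high in RANGE_RE.findall(conf_text):
        low, high = int(low), int(high)
        if low > high:
            raise ValueError(f"range for {domain} is reversed: {low}-{high}")
        ranges[domain.upper()] = (low, high)
    return ranges

def overlapping_domains(ranges):
    """Return sorted pairs of domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def ids_outside_range(ranges, domain, entries):
    """Return names whose uidNumber/gidNumber is missing or outside the range."""
    low, high = ranges[domain.upper()]
    return [name for name, number in entries
            if number is None or not low <= number <= high]

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SAMPLE_SMB_CONF)
    # Constructed (name, uidNumber) pairs, as might be exported from the directory.
    users = [("alice", 10001), ("bob", 5000), ("carol", None)]
    print("ranges:", ranges)
    print("overlaps:", overlapping_domains(ranges))
    print("outside SAMDOM range:", ids_outside_range(ranges, "SAMDOM", users))
```

Overlapping ranges matter because two different accounts could then be assigned the same Unix ID and with it each other's file ownership.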
