[Samba] Questions about adding a DC

me at tdiehl.org me at tdiehl.org
Mon Jun 18 18:42:12 UTC 2018

On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> Tom Diehl via samba <samba at lists.samba.org> wrote:
>> Hi,
>> In reading
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>> it says "If the other DCs are Samba DCs and were provisioned with
>> --use-rfc2307, you should add --option='idmap_ldb:use rfc2307 = yes'
>> to the join command"
>> So does this mean that rfc2307 should not be used if the other DCs
>> are MS DCs? Does the answer change if the ultimate goal is to
>> decommission the MS DCs?
> Do you have any Unix clients or do have an intention of either using
> the Samba DC as a fileserver, or adding any Unix domain members ?
> If you do, then add the line to any Samba DCs, if not then you can
> ignore it.

There are no Unix clients today but the plan is to add them once the Samba DC
is up and running. So if I understand you correctly, I should add rfc2307
attributes so that I have them available when we provision the member server.
Then on the member server add something like the following to the smb.conf:
   # default backend: BUILTIN and any SID that is not from SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # domain users/groups: read uidNumber/gidNumber from AD (RFC2307 attributes)
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : unix_nss_info = yes
   # must not overlap the "*" range above
   idmap config SAMDOM : range = 10000-999999

This will also necessitate adding unix attributes to the user accounts.

Does this sound reasonable?

>> In addition,
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
>> states that "you must create a hot-backup of
>> the /usr/local/samba/private/idmap.ldb file on the existing DC:" and
>> import into the new DC.
>> If the existing DC is an MS DC, how do I accomplish this step?
> You cannot, because a windows DC will not have that file. There is a
> problem (or is it a feature ?) with idmap.ldb on Samba DCs, they can,
> and most probably will, return different IDs from each other. So for
> Sysvol, you must copy idmap.ldb from the first Samba DC to any other
> Samba DCs

So is it safe to just ignore this part until I add a 2nd Samba DC or is there
something special I need to do to get the IDs to match when one of the DCs
is an MS DC?


Tom
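As an added check that is not part of this thread or of Samba itself: the divergence Rowland describes (two Samba DCs handing out different xidNumbers for the same SID, or the same xidNumber to different SIDs) is visible by dumping idmap.ldb on each DC and diffing the SID to xidNumber pairs. The script below assumes the dumps were made with ldbsearch against the idmap.ldb path quoted from the wiki (packaged builds usually keep it under /var/lib/samba/private instead); the two sample dumps it builds are constructed for the example and are not from a real domain.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): compare the SID -> xidNumber
# mappings held in idmap.ldb on two Samba DCs, so drift is visible before you
# decide which copy to replicate to the other DC.
#
# Assumed workflow: on each DC, dump the mappings with
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber > dcN.ldif
# (path as quoted from the wiki; adjust to your build), then run
#   idmap_mismatches dc1.ldif dc2.ldif

# Report mappings that disagree between two LDIF dumps. Output lines:
#   DIFF  <sid> <xid in first> <xid in second>   same SID, different ID
#   ONLY1 <sid> <xid>                            SID mapped only on the first DC
#   ONLY2 <sid> <xid>                            SID mapped only on the second DC
# No output means the two dumps agree.
idmap_mismatches() {
    awk '
        function flush() {
            if (sid != "") { if (first) a[sid] = xid; else b[sid] = xid }
            sid = ""; xid = ""
        }
        FNR == 1        { flush(); first = (NR == FNR) }   # entering a new input file
        /^objectSid: /  { sid = $2 }
        /^xidNumber: /  { xid = $2 }
        /^$/            { flush() }                        # blank line ends a record
        END {
            flush()
            for (s in a) {
                if (!(s in b))         print "ONLY1", s, a[s]
                else if (a[s] != b[s]) print "DIFF", s, a[s], b[s]
            }
            for (s in b) if (!(s in a)) print "ONLY2", s, b[s]
        }
    ' "$1" "$2" | sort
}

# Write two constructed dumps (not from a real domain) into directory $1, in the
# shape ldbsearch prints. dc2 differs from dc1 in two ways: the Domain Admins
# SID (RID 512) got a different xidNumber, and xidNumber 3000002 was handed to a
# different SID, so a Sysvol file owned by 3000002 would mean different
# principals depending on which DC created it.
make_sample_dumps() {
    cat > "$1/dc1.ldif" <<'EOF'
# record 1
dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000002

# returned 3 records
EOF
    cat > "$1/dc2.ldif" <<'EOF'
# record 1
dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000003

# record 3
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
xidNumber: 3000002

# returned 3 records
EOF
}

# Stand-alone demo: build the sample dumps in a temporary directory and compare them.
demo_dir=$(mktemp -d)
make_sample_dumps "$demo_dir"
idmap_mismatches "$demo_dir/dc1.ldif" "$demo_dir/dc2.ldif"
rm -rf "$demo_dir"
```

Run against real dumps, any DIFF line is a SID whose files on Sysvol will show different Unix owners on the two DCs, and a pair of ONLY1/ONLY2 lines sharing the same xidNumber is the opposite hazard (one Unix ID, two principals). An empty result is what you want to see after copying idmap.ldb from the first Samba DC to the second, as the wiki step requires. With a Windows DC as the only existing DC there is nothing to compare yet; the check becomes relevant the moment a second Samba DC joins.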

