[Samba] Questions about adding a DC

me at tdiehl.org me at tdiehl.org
Mon Jun 18 20:55:26 UTC 2018


On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

> On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
>>
>>> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
>>> Tom Diehl via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> In reading
>>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
>>>> it says "If the other DCs are Samba DCs and were provisioned with
>>>> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 =
>>>> yes' to the join command"
>>>>
>>>> So does this mean that rfc2307 should not be used if the other DCs
>>>> are MS DCs? Does the answer change if the ultimate goal is to
>>>> decommission the MS DCs?
>>>
>>> Do you have any Unix clients or do you have an intention of either using
>>> the Samba DC as a fileserver, or adding any Unix domain members ?
>>>
>>> If you do, then add the line to any Samba DCs, if not then you can
>>> ignore it.
>>
>> There are no Unix clients today but the plan is to add them once the
>> Samba DC is up and running. So if I understand you correctly, I
>> should add rfc2307 attributes so that I have them available when we
>> provision the member server. Then on the member server add something
>> like the following to the smb.conf:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:unix_nss_info = yes
>> idmap config SAMDOM:range = 10000-999999
>>
>> This will also necessitate adding unix attributes to the user
>> accounts.
>
> Not exactly, if the Samba AD DC is only going to be used for
> authentication, then you could use the winbind 'rid' backend on Unix
> domain members, this way you don't have to add anything to AD.

Am I correct that if I use the 'rid' backend then I do not need rfc2307
attributes?

So for rid the smb.conf on the member servers would look something like the
following:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999

Is this correct?

Regards,

-- 
Tom			me at tdiehl.org
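The difference the thread turns on is how the two winbind backends arrive at a Unix ID. The following is an added illustration, not code from Samba or from anyone in the thread: idmap_rid derives the ID arithmetically from the RID in the SID (ID = RID - base_rid + low range), so nothing has to be stored in AD, whereas idmap_ad reads the rfc2307 uidNumber from the user object and has no mapping when the attribute is missing. The ranges mirror the smb.conf posted above; the SIDs and user entries are constructed, and the `*` tdb default domain is not modelled.

```python
import re
from typing import Optional

# Mirrors "idmap config SAMDOM:range = 10000-999999" from the thread.
DOMAIN_RANGE = (10000, 999999)
BASE_RID = 0  # idmap config SAMDOM:base_rid defaults to 0

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; capture the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_backend_id(sid: str, low: int = DOMAIN_RANGE[0],
                   high: int = DOMAIN_RANGE[1],
                   base_rid: int = BASE_RID) -> Optional[int]:
    """idmap_rid style mapping: ID = RID - base_rid + low.
    Nothing is read from AD, so no rfc2307 attributes are needed."""
    m = SID_RE.match(sid)
    if not m:
        return None
    unix_id = int(m.group(1)) - base_rid + low
    if unix_id < low or unix_id > high:
        return None  # outside the configured range: SID stays unmapped
    return unix_id


def ad_backend_id(sid: str, directory: dict, low: int, high: int) -> Optional[int]:
    """idmap_ad style mapping: take uidNumber (rfc2307) from the object.
    No attribute, or a value outside the range, means no mapping."""
    entry = directory.get(sid)
    if entry is None or "uidNumber" not in entry:
        return None
    unix_id = entry["uidNumber"]
    return unix_id if low <= unix_id <= high else None


# Constructed sample directory: alice carries rfc2307 attributes, bob does not.
SAMPLE_AD = {
    "S-1-5-21-1111-2222-3333-1105": {"sAMAccountName": "alice", "uidNumber": 10105},
    "S-1-5-21-1111-2222-3333-1106": {"sAMAccountName": "bob"},
}

if __name__ == "__main__":
    for sid, entry in SAMPLE_AD.items():
        print(entry["sAMAccountName"], "rid ->", rid_backend_id(sid),
              "ad ->", ad_backend_id(sid, SAMPLE_AD, *DOMAIN_RANGE))
```

With idmap_rid the shell and home directory come from the `template shell` and `template homedir` settings, since `unix_nss_info` is an option of the ad backend.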