[Samba] Questions about adding a DC

Rowland Penny rpenny at samba.org
Tue Jun 19 06:41:05 UTC 2018


On Mon, 18 Jun 2018 16:55:26 -0400 (EDT)
me at tdiehl.org wrote:

> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
> 
> > On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
> > me at tdiehl.org wrote:
> >
> >> On Mon, 18 Jun 2018, Rowland Penny via samba wrote:
> >>
> >>> On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
> >>> Tom Diehl via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> In reading
> >>>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
> >>>> it says "If the other DCs are Samba DCs and were provisioned with
> >>>> --use-rfc2307, you Should add --option='idmap_ldb:use rfc2307 =
> >>>> yes' to the join command"
> >>>>
> >>>> So does this mean that rfc2307 should not be used if the other
> >>>> DCs are MS DCs? Does the answer change if the ultimate goal is to
> >>>> decommission the MS DCs?
> >>>
> >>> Do you have any Unix clients, or do you have an intention of either
> >>> using the Samba DC as a fileserver, or adding any Unix domain
> >>> members?
> >>>
> >>> If you do, then add the line to any Samba DCs; if not, then you
> >>> can ignore it.
> >>
> >> There are no Unix clients today but the plan is to add them once
> >> the Samba DC is up and running. So if I understand you correctly, I
> >> should add rfc2307 attributes so that I have them available when we
> >> provision the member server. Then on the member server add
> >> something like the following to the smb.conf:
> >>
> >> idmap config * : backend = tdb
> >> idmap config * : range = 3000-7999
> >> idmap config SAMDOM:backend = ad
> >> idmap config SAMDOM:schema_mode = rfc2307
> >> idmap config SAMDOM:unix_nss_info = yes
> >> idmap config SAMDOM:range = 10000-999999
> >>
> >> This will also necessitate adding unix attributes to the user
> >> accounts.
> >
> > Not exactly, if the Samba AD DC is only going to be used for
> > authentication, then you could use the winbind 'rid' backend on Unix
> > domain members, this way you don't have to add anything to AD.
> 
> Am I correct that if I use the 'rid' backend then I do not need
> rfc2307 attributes?
> 
> So for rid the smb.conf on the member servers would look something
> like the following:
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:range = 10000-999999
> 
> Is this correct? 

Nearly, you do not need the 'unix_nss_info' line with the 'rid'
backend.

Rowland
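An added example, not code from anyone in this thread: a small Python checker for the smb.conf idmap fragments discussed above. It parses the `idmap config` lines, flags `unix_nss_info` and `schema_mode` on any backend other than `ad` (Rowland's point about the `rid` backend), reports overlapping ID ranges between domains, and shows how the `rid` backend maps an RID into the configured range. The sample configuration is constructed from the thread's `rid` fragment; the function names are my own.

```python
import re

# Constructed sample (not the thread author's file): the 'rid' smb.conf fragment
# from the thread, still carrying the unix_nss_info line that 'rid' does not use.
SAMPLE_SMB_CONF = """[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:unix_nss_info = yes
   idmap config SAMDOM:range = 10000-999999
"""
# Options that only apply to the 'ad' backend (they read rfc2307 attributes from AD).
AD_ONLY_OPTIONS = {"unix_nss_info", "schema_mode"}
# Matches "idmap config <domain> : <option> = <value>", with or without spaces round ':'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> dict[str, dict[str, str]]:
    """Group idmap options by domain; '*' is the default domain (BUILTIN and unknown SIDs)."""
    domains: dict[str, dict[str, str]] = {}
    for line in conf.splitlines():
        if m := IDMAP_RE.match(line):
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(value: str) -> tuple[int, int]:
    low, high = (int(x) for x in value.split("-"))
    return low, high

def check_idmap(conf: str) -> list[str]:
    """Flag ad-only options on other backends, missing ranges, and overlapping ranges."""
    problems, seen = [], []
    for dom, opts in parse_idmap(conf).items():
        backend = opts.get("backend", "").lower()
        for opt in sorted(AD_ONLY_OPTIONS.intersection(opts)):
            if backend != "ad":
                problems.append(f"{dom}: '{opt}' has no effect with backend '{backend}'")
        if "range" not in opts:  # winbind needs a range for every idmap domain
            problems.append(f"{dom}: no range configured")
        low, high = parse_range(opts.get("range", "1-0"))  # '1-0' is empty: never overlaps
        for other, olow, ohigh in seen:
            if low <= ohigh and olow <= high:
                problems.append(f"{dom}: range overlaps {other}")
        seen.append((dom, low, high))
    return problems

def rid_to_unix_id(rid: int, range_value: str, base_rid: int = 0):
    """Winbind 'rid' mapping: ID = RID - base_rid + LOW_RANGE; None if outside the range."""
    low, high = parse_range(range_value)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

Running `check_idmap(SAMPLE_SMB_CONF)` reports only the stray `unix_nss_info` line; removing that line gives a clean result, matching Rowland's correction.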
