[Samba] Joining a DC, was (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Sat Mar 2 22:06:05 UTC 2019


Thanks for the input, Rowland! Replies inline:

On Fri, Mar 1, 2019 at 8:57 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:

[snip]
> The 'Nooooo, don't do that' is:
> Don't change the UPN

Why not? It's a recommended best practice to choose a subdomain of your
primary domain (e.g. "ad.example.com"), and then add alternate UPN
suffix which allows user logons to match their email addresses.

In fact, this page on the Samba Wiki recommends just that:
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#My_User_Logins_Does_Not_Match_My_Email

[snip]
> > I first installed libpam-winbind, and then attempted the following:
> > # realm join --client-software=winbind --automatic-id-mapping=no
> > ad.example.com
>
> What about libnss-winbind ?

My mistake: I actually installed both libpam-winbind and libnss-winbind.

[snip]
> > Or is it weird that realmd is trying to "join" the DC to the domain?
>
> Oh yes, very weird, trying to join something that is already joined to
> the domain by the provision command.

Fair enough. I attempted this out of convenience since I was familiar
with Realmd.  My biggest concern was the ability to control which
groups can login, but it looks like I can still do this with winbind by
instead using /etc/security/access.conf:

http://man7.org/linux/man-pages/man5/access.conf.5.html

I wrote a second blog post which goes on to configure libnss-winbind:
https://jonathonreinhart.com/posts/blog/2019/02/26/configuring-winbind-on-a-samba-ad-dc-on-debian-9

> Oh and just in passing, you probably do not have a forwarder set in
> smb.conf

This was somewhat intentional. My machines are given a different DNS
server via DHCP (both on pfSense). I've delegated the AD zone to the
Samba DC. So, the AD DNS server should only receive requests for
which he is authoritative. Is this a valid assumption?
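As an added illustration of the access.conf approach mentioned above (not part of the original post, and not Samba project configuration): a pam_access rule set that allows logins only for root on the console and for two assumed winbind groups, with the NetBIOS domain name "AD" and the group names being assumptions.

```conf
# /etc/security/access.conf  (assumed content, for illustration)
#
# pam_access evaluates rules top to bottom and stops at the first match,
# so the allow rules must appear before the final deny-everything rule.
# Group names are written exactly as "getent group" returns them from
# winbind; with "winbind use default domain = no" they carry the DOMAIN\
# prefix, and names containing spaces are fine inside the parentheses.
#
# Format:  permission : users/groups : origins

# Local root logins only (console/tty), never over the network.
+ : root : LOCAL

# AD groups that may log in from anywhere (assumed names).
+ : (AD\Domain Admins) : ALL
+ : (AD\linux-ssh-users) : ALL

# Everything else is refused. This line must stay last.
- : ALL : ALL
```

The file has no effect until pam_access is in the account stack; on Debian that is a line `account required pam_access.so` in /etc/pam.d/common-account, and `getent group 'AD\Domain Admins'` confirms that winbind resolves a group before it is relied on here.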
