[Samba] AD Member: server role = member server vs. security = ADS

David Ayers ayers at fsfe.org
Thu Mar 7 16:08:46 UTC 2019


Hello,

I'm trying to add Debian stretch as a domain member to an AD domain, to
have Windows Users access shares according to permissions of AD group
membership.

For the record this is smbd --version:
Version 4.5.16-Debian

After reading
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
I was a bit confused about a few points when comparing it to the
default smb.conf in Debian and reading the man page:


1. The default smb.conf seems to imply setting the "server role" to
"member server", but the wiki doesn't mention it.
Should "server role" be set to "member server"?


2. The default smb.conf does not include "security" but the wiki says
it should be set to ADS. 
Does "server role" being set to "member server" imply "security" set to
"ADS"? (This seems to be implied by the man page)
Or should "security" be explicitly set to "ADS" despite the server role
setting?


3. The default Debian configuration sets all the variables for
local password storage but also for password sync:

passdb backend
obey pam restrictions
passwd program
passwd chat
pam password change

but none of these are mentioned in the Wiki.  I guess they become
obsolete as a domain member and there is no need to sync passwords since
any samba users will be managed by NSS and winbindd.

Cheers,
David

-- 
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) []          (http://www.fsfe.org)
Become a supporter of the FSFE!      [][][]      (https://fsfe.org/join)
Your donation powers our work!         ||       (http://fsfe.org/donate)