[Samba] AD Member: server role = member server vs. security = ADS
rpenny at samba.org
Thu Mar 7 16:52:05 UTC 2019
On Thu, 07 Mar 2019 17:08:46 +0100
David Ayers via samba <samba at lists.samba.org> wrote:
> I'm trying to add Debian stretch as a domain member to an AD domain,
> to have Windows Users access shares according to permissions of AD
> group membership.
> For the record this is smbd --version:
> Version 4.5.16-Debian
> After reading
> I was a bit confused about a few points when comparing it to the
> default smb.conf in Debian and reading the man page
The default Debian smb.conf is for a standalone server.
> 1. The default smb.conf seems to imply to set the "server role" to
> "member server", but the wiki doesn't mention it.
> Should "server role" be set to "member server"?
You can if you wish, but it amounts to the same as setting 'security =
> 2. The default smb.conf does not include "security" but the wiki says
> it should be set to ADS.
> Does "server role" being set to "member server" imply "security" set
> to "ADS"? (This seems to be implied by the man page)
> Or should "security" be explicitly set to "ADS" despite the server
> role setting?
> 3. The default Debian configuration sets all the variables for
> local password storage but also for password sync:
> passdb backend
This will undoubtedly be set to 'tdbsam' and is the default, so isn't
> obey pam restrictions
This was recently found to be affecting umask, so probably shouldn't be
> passwd program
> passwd chat
> pam password change
these can be set if required, but are not strictly needed.
> but none of these are mentioned in the Wiki. I guess the become
> obsolete as domain member and there is no need to sync passwords since
> any samba users will be managed by NSS and winbindd
The smb.conf files found on the wiki are very basic and are only meant
to get you up and running and able to join a domain. It is up to a
sysadmin to decide whatever else they need in smb.conf.
More information about the samba