[Samba] Samba 4.10.6-1 Configuration on AIX

Bob Wyatt bwyatt_sub at comcast.net
Fri Feb 7 17:44:36 UTC 2020


Rowland,

Thanks for everything!

If I understand correctly, let's say that the user mydomain\bobw is the domain login.
Let's say that bobw is my UNIX login ID.
I can’t use bobw in my usermap file?
	'!bobw=mydomain\bobw'
So I need to change my shares to a new ID and set that in my usermap file?
	'!bobw_smb=mydomain\bobw'

I don’t need to add bobw_smb to /etc/passwd?
Or do I need to add the user and need to set idmap user range to a range to be used for samba users?
 
Anything else I may be missing?

Thanks again for your patience!

Bob Wyatt
-----Original Message-----
From: Rowland Penny <rpenny at samba.org> 
Sent: Friday, February 7, 2020 3:26 AM
To: sambalist <samba at lists.samba.org>
Subject: Re: [Samba] Samba 4.10.6-1 Configuration on AIX

On 07/02/2020 02:27, Bob Wyatt wrote:
> Thanks again for the continued help...
>
> Current thinking is using rid for the backend does not place any new administrative functions on the staff - agree?

If by this, you mean that you do not have to add anything to AD, then 
yes. You may have to add a couple of template lines to your smb.conf; 
the defaults are:

template homedir = /home/%D/%U

template shell = /bin/false

With the above, your users will not be able to log in to the Unix computer 
and will get a Unix home directory of /home/DOMAIN/username

> Begs questions of what is being written in smbpasswd, and do we have administrative work on AIX?
> Such as adding users and a group or two in the range specified for idmap? A mapping "table"?

You do not use smbpasswd and you need something else in smb.conf:

username map = /etc/samba/user.map

With '/etc/samba/user.map' containing '!root = DOMAIN\Administrator'

After this, using the 'rid' backend, all users and groups in AD become 
Unix users and groups.

Basically it boils down to, forget most of what you know about Samba3 
domains ;-)

> If rid is hands-off administration, that's likely the way they want to go.
>
> Going with rid - security is still ads?

Yes, it is just a different winbind backend.

Rowland
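
The 'rid' backend discussed above derives each Unix ID arithmetically from the account's RID within the configured idmap range (ID = RID - BASE_RID + LOW_RANGE_ID, per the idmap_rid manual page). The sketch below is an added illustration, not part of the thread and not Samba's code; the domain SID, the RIDs and the 10000-999999 range are constructed sample values.

```python
# Added illustration of the idmap_rid arithmetic; not Samba source code.
# The range and all SIDs used with it are constructed sample values.
from typing import Optional

LOW_ID, HIGH_ID = 10000, 999999   # assumed "idmap config DOMAIN : range"
BASE_RID = 0                      # idmap_rid default for base_rid


def rid_of(sid: str) -> int:
    """Return the last sub-authority (the RID) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def sid_to_unix_id(sid: str, domain_sid: str, low: int = LOW_ID,
                   high: int = HIGH_ID, base_rid: int = BASE_RID) -> Optional[int]:
    """ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the SID belongs to another domain or the result
    falls outside the configured range (the backend does not map it).
    """
    if sid.rsplit("-", 1)[0] != domain_sid:
        return None
    unix_id = rid_of(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_sid(unix_id: int, domain_sid: str, low: int = LOW_ID,
                   high: int = HIGH_ID, base_rid: int = BASE_RID) -> Optional[str]:
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    dom = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    for rid in (500, 1104, 1000000):
        print(rid, "->", sid_to_unix_id(f"{dom}-{rid}", dom))
```

An account whose RID pushes the result past the top of the range gets no mapping, so the range has to be sized for the highest RID the domain will issue.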






