[Samba] Domain member?
Rowland Penny
rpenny at samba.org
Tue Oct 26 07:35:50 UTC 2021
On Tue, 2021-10-26 at 08:45 +0200, Joachim Lindenberg via samba wrote:
> Hello Rowland,
> I read
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> and I specifically read "If your users will only use the Samba AD DC
> for authentication and will not store data on it or log into it, you
> can use the winbind 'rid' backend, this calculates the user and
> group IDs from the Windows RID, if you use the same [global] section
> of the smb.conf on every Unix domain member, you will get the same
> IDs." - that's the reason I started with a smb.conf of a DC and
> removed stuff that was apparently irrelevant. Is this section of
> documentation also wrong?
>
No, but you do not start with the smb.conf from a DC. Did you miss this
on the wiki page:
To create a basic smb.conf, you need something like this (note, this
does not include any 'idmap config' auth lines, they will be added
later. It also does not show any shares)
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
If you are creating a new smb.conf on an unjoined machine and add these
lines, a keytab will be created during the join:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
If you do not want to enter the domain set in 'workgroup =' during
login etc (just 'username' instead of DOMAIN\username) and have only
one domain, add this line:
winbind use default domain = yes
And this from https://wiki.samba.org/index.php/Idmap_config_rid
Configuring the rid Back End
To configure the rid back end using the 10000-999999 ID range for
the SAMDOM domain, set the following in the [global] section of your
smb.conf file:
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
Rowland
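As an added illustration of the two points Rowland quotes from the wiki (the '*' default range must not overlap the domain range, and the rid backend calculates IDs from the Windows RID), the following Python script is example code written for this page, not Samba's own code. It parses the idmap lines of the [global] section shown above (embedded as a constructed sample), flags overlapping or missing ranges before you join, and computes the uid/gid the rid backend would hand out for a SID using the rule from idmap_rid(8), ID = LOW_RANGE_ID + RID. The domain SID in the usage section is a made-up value.

```python
"""Sanity-check idmap ranges in an smb.conf [global] section and show the
ID that winbind's 'rid' backend derives for a SID.

Added example; not part of Samba.  SMB_CONF is a constructed sample built
from the wiki snippet quoted in the post."""
import re

# Constructed sample: the idmap-related [global] lines quoted in the post.
SMB_CONF = """\
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
# Default ID mapping configuration for local BUILTIN accounts
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the SAMDOM domain
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

# Matches 'idmap config DOMAIN : key = value'; '*' is a valid DOMAIN.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf_text):
    """Collect idmap lines into {domain: {"backend": str, "range": (low, high)}}.
    smb.conf is case-insensitive, so domain names are upper-cased and
    keys/backends lower-cased; '#' and ';' comment lines are skipped."""
    idmap = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = idmap.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val.lower()
    return idmap


def check_ranges(idmap):
    """Return the problems a member's idmap config should not have:
    no '*' default domain, '*' on a read-only backend (rid and ad cannot
    allocate IDs for BUILTIN), a domain with no range, or two ranges that
    overlap.  An empty list means the config passes these checks."""
    problems = []
    default = idmap.get("*")
    if default is None:
        problems.append("no 'idmap config *' default domain")
    elif default.get("backend") in ("rid", "ad"):
        problems.append("default domain '*' needs a read-write backend such as tdb")
    ranged = []
    for dom, entry in idmap.items():
        if "range" not in entry:
            problems.append(f"{dom}: no 'range' configured")
        else:
            ranged.append((dom, entry["range"]))
    for i in range(len(ranged)):
        for j in range(i + 1, len(ranged)):
            (d1, (l1, h1)), (d2, (l2, h2)) = ranged[i], ranged[j]
            if l1 <= h2 and l2 <= h1:
                problems.append(f"ranges of {d1} ({l1}-{h1}) and {d2} ({l2}-{h2}) overlap")
    return problems


def rid_to_id(idmap, domain, sid):
    """uid/gid the rid backend derives for SID in DOMAIN:
    ID = LOW_RANGE_ID + RID (idmap_rid(8)).  Returns None when the result
    lies above the configured range, the case where winbind refuses the
    mapping instead of allocating one."""
    rid = int(sid.rsplit("-", 1)[1])           # RID is the last SID component
    low, high = idmap[domain.upper()]["range"]
    xid = low + rid
    return xid if xid <= high else None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("problems:", check_ranges(cfg) or "none")
    # Made-up domain SID; 1104 is a typical RID for the first created user.
    sid = "S-1-5-21-1234567890-1234567890-1234567890-1104"
    print("uid for", sid, "=", rid_to_id(cfg, "SAMDOM", sid))
```

Because the ID is a pure function of the RID and the range's low end, any member that uses the same idmap lines computes the same uid, which is exactly why the wiki says to copy the [global] section to every member; it also shows why the '*' range and the domain range must not overlap, since tdb would otherwise allocate a BUILTIN ID that collides with a RID-derived one.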