[Samba] Login From Domain

Rowland Penny rpenny at samba.org
Mon Nov 14 21:11:23 UTC 2022

On 14/11/2022 20:54, Rob Campbell via samba wrote:

> In my create user script, I did specify the uid and gid. I need to remove
> that. And removing that will keep the IDs in sync between the DC and DM?
> Isn't idmap config * : backend = autorid only used on the members, not the
> controller?
> If I set template homedir in the DC smb.conf I don't need to use
> --home-directory or --unix-home with samba-tool user create?
> If I set template shell in the DC smb.conf I don't need to use
> --login-shell with samba-tool user create?
> 
> I should remove --uid-number and --gid-number from samba-tool user create
> because autorid handles that?

There is only one way to have the same ID numbers on all Samba AD 
computers, and that is to use the uidNumber and gidNumber attributes in AD 
and then use the 'ad' idmap backend on all Unix domain members. You will 
also have to ensure that all DCs have the line 
'idmap_ldb:use rfc2307 = yes' in their smb.conf.

It doesn't matter if the DCs have different IDs from the Unix domain 
members, because you shouldn't use a DC for anything other than 
authentication. What does matter is that all Unix domain members (the 
fileservers etc.) have the same IDs, and this can be ensured by using the 
same basic smb.conf on all Unix domain members.

What idmap backend you use is up to you, just so long as you use the 
same one on all Unix domain members.

The 'autorid' one is the easiest, but, as you have found out, you must 
use the NetBIOS domain name.
The 'rid' idmap backend is also very easy to use, virtually the same as 
'autorid', but you can use 'winbind use default domain = yes' with this 
(provided you only set one DOMAIN).
The 'ad' backend is the hardest, mainly because you have to add 
something to AD.

Rowland
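The advice above boils down to two checks an admin can script: every Unix domain member must carry the same idmap settings, and every DC must have 'idmap_ldb:use rfc2307 = yes' when AD-stored uidNumber/gidNumber are in use. The script below is an added example, not code from the list post or from the Samba project. It assumes POSIX sh with sed, grep, sort and mktemp; the smb.conf contents it writes are constructed samples using the SAMDOM placeholder domain and a hypothetical 'ad' backend layout, so substitute your own domain and ranges.

```shell
#!/bin/sh
# Added example (not from the samba list post or the Samba project).
# Compares the idmap-relevant settings of Unix domain member smb.conf files
# and checks a DC smb.conf for 'idmap_ldb:use rfc2307 = yes'.

# Normalise the settings that decide SID -> uid/gid mapping on a member so two
# files can be compared: drop comments, lowercase, strip whitespace around '='
# and collapse runs of spaces, then sort. Shares, server string and other
# per-host settings may legitimately differ and are ignored.
idmap_fingerprint() {
    sed 's/[;#].*$//' "$1" \
      | tr 'A-Z' 'a-z' \
      | grep -E '^[[:space:]]*(idmap config|winbind use default domain)' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]\{1,\}/ /g' \
      | sort
}

# Return 0 when every listed member smb.conf has the same idmap fingerprint as
# the first one; name the first offender on stderr and return 1 otherwise.
members_consistent() {
    ref=$(idmap_fingerprint "$1"); shift
    for f in "$@"; do
        if [ "$(idmap_fingerprint "$f")" != "$ref" ]; then
            echo "idmap settings differ from reference: $f" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 when a DC smb.conf enables the rfc2307 attributes for idmap_ldb.
dc_uses_rfc2307() {
    sed 's/[;#].*$//' "$1" | tr 'A-Z' 'a-z' \
      | grep -Eq '^[[:space:]]*idmap_ldb[[:space:]]*:[[:space:]]*use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$'
}

# Constructed sample configs (hypothetical domain SAMDOM, 'ad' backend).
write_samples() {
    cat > "$1/member1.conf" <<'EOF'
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_nss_info = yes
EOF
    # Same mapping, different cosmetics (case, spacing, comments, extra settings).
    cat > "$1/member2.conf" <<'EOF'
[global]
	security = ADS
	workgroup = SAMDOM
	realm = SAMDOM.EXAMPLE.COM
	server string = second file server   # differs, and that is fine
	winbind use default domain=yes
	Idmap config * : backend = TDB
	idmap config * : range=3000-7999
	idmap config SAMDOM : backend = ad
	idmap config SAMDOM : schema_mode = rfc2307
	idmap config SAMDOM : range = 10000-999999
	idmap config SAMDOM : unix_nss_info = yes
EOF
    # A member with a different range: users would get different IDs here.
    sed 's/range = 10000-999999/range = 20000-999999/' \
        "$1/member1.conf" > "$1/member-bad.conf"
    cat > "$1/dc.conf" <<'EOF'
[global]
   server role = active directory domain controller
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap_ldb:use rfc2307 = yes
EOF
}

# Stand-alone run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
members_consistent "$tmp/member1.conf" "$tmp/member2.conf" && echo "member1/member2: idmap consistent"
members_consistent "$tmp/member1.conf" "$tmp/member-bad.conf" || echo "member-bad: mismatch detected (expected)"
dc_uses_rfc2307 "$tmp/dc.conf" && echo "dc: idmap_ldb:use rfc2307 = yes present"
rm -r "$tmp"
```

In practice you would point `members_consistent` at the smb.conf files collected from each fileserver and run `dc_uses_rfc2307` against each DC's smb.conf; the fingerprint deliberately ignores everything except the idmap and 'winbind use default domain' settings, since those are what decide which uid and gid a given SID resolves to.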
