[Samba] Login From Domain

Rowland Penny rpenny at samba.org
Mon Nov 14 21:11:23 UTC 2022

On 14/11/2022 20:54, Rob Campbell via samba wrote:

>> In my create user script, I did specify the uid and gid.  I need to remove
> that.  And removing that will keep the ids in sync between the dc and dm?
> Isn't idmap config * : backend = autorid only used on the members, not the
> controller?
> If I set template homedir in the dc smb.conf I don't need to use
> --home-directory or --unix-home with samba-tool user create?
> If I set template shell in the dc smb.conf I don't need to use
> --login-shell with samba-tool user create?
> I should remove --uid-number and --gid-number from samba-tool user create
> because autorid handles that?

There is only one way to have the same ID numbers on all Samba AD 
computers and that is to use uidNumber and gidNumber attributes in AD 
and then use the 'ad' idmap backend on all Unix domain members, you will 
also have to ensure that all DC's have the line 'idmap_ldb:use rfc2307 
= yes' in their smb.conf

It doesn't matter if the DC's do have have different ID's from the Unix 
domain members, this is because you shouldn't use a DC for anything 
other than authentication. What does matter is that all Unix domain 
members (the fileservers etc) have the same ID's and this can be ensured 
by using the same basic smb.conf on all Unix domain members.

What idmap backend you use is up to you, just so long that you use the 
same one on all Unix domain members.

The 'autorid' one is the easiest, but as you have found out, you must 
use the NetBIOS domain name.
The 'rid' idmap backend is also very easy to use, virtually the same as 
'autorid', but you can use 'winbind use default domain = yes' with this 
(provided you only set one DOMAIN).
The 'ad' backend is the hardest, mainly because you have to add 
something to AD.


More information about the samba mailing list