[Samba] Samba 4 without winbind

Rowland Penny rpenny at samba.org
Sun Sep 18 16:15:42 UTC 2022

On 18/09/2022 16:46, Shannon Price via samba wrote:
> Thank you for the response, Rowland.  Very helpful and we would like to move to a more modern setup.
> Your suggestion to move to AD means getting rid of NIS, correct?  Using the users and groups from AD rather than NIS.  I agree that this would be a better place to be, but have never been clear about the transition since our infrastructure has been based on NIS for so long. Can I simply run some Samba servers in the old style while converting others to all AD? Because of NFS back-end, our multiple Samba servers can serve the same files - \\SAMBA1\homes and \\SAMBA2\homes can all find my home directory.  I think that Winbind handles the ID mapping between SIDs and UIDs, but I have not idea how that would work across multiple Samba servers doing things differently.
> --
> Shannon
Samba provides several different ways of mapping AD users & groups to 
Unix ID's, the main ones are the 'autorid', 'rid' and 'ad' backends.

'autorid' is the easiest to set up, you just add a couple of lines to 
the smb.conf:

idmap config * : backend = autorid
idmap config * : range = 10000-9999999

'rid' is very similar:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999

Neither of the above requires adding anything to AD, the first 
calculates the Unix ID from the Windows RID and allows multiple domains 
without any further lines. The second again works in a similar way, but 
is only used for a single domain, you can add further 'DOMAIN' lines for 
trusted domains.

'ad' works differently, but uses lines very similar to the 'rid' variant 
(and you can add multiple domains like the 'rid' backend), there is one 
big difference, you must add rfc2307 attributes to AD. This may be a way 
out of your difficulties, NIS will have its own ID's and you should be 
able to use these for your user & group uidNumber & gidNumber attributes.

Which ever backend you use, if you use the same basic smb.conf on every 
Unix machine, you will always get the same ID's. You should also be 
aware that you cannot have the same username or group name in 
/etc/passwd & /etc/group that also exists in AD, the former will always 
be used first. My advice would be to just have users & groups in AD, 
apart for one or two local Unix Admins, just in case anything goes wrong.

If you require any further information, just ask.


More information about the samba mailing list