[Samba] Samba 4 without winbind
Rowland Penny
rpenny at samba.org
Sun Sep 18 16:15:42 UTC 2022
On 18/09/2022 16:46, Shannon Price via samba wrote:
>
> Thank you for the response, Rowland. Very helpful and we would like to move to a more modern setup.
>
> Your suggestion to move to AD means getting rid of NIS, correct? Using the users and groups from AD rather than NIS. I agree that this would be a better place to be, but have never been clear about the transition since our infrastructure has been based on NIS for so long. Can I simply run some Samba servers in the old style while converting others to all AD? Because of the NFS back-end, our multiple Samba servers can serve the same files - \\SAMBA1\homes and \\SAMBA2\homes can all find my home directory. I think that Winbind handles the ID mapping between SIDs and UIDs, but I have no idea how that would work across multiple Samba servers doing things differently.
>
> --
> Shannon
>
>
Samba provides several different ways of mapping AD users & groups to
Unix IDs, the main ones are the 'autorid', 'rid' and 'ad' backends.

'autorid' is the easiest to set up, you just add a couple of lines to
the smb.conf:

    idmap config * : backend = autorid
    idmap config * : range = 10000-9999999

'rid' is very similar:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-999999

Neither of the above requires adding anything to AD, the first
calculates the Unix ID from the Windows RID and allows multiple domains
without any further lines. The second again works in a similar way, but
is only used for a single domain, you can add further 'DOMAIN' lines for
trusted domains.
'ad' works differently, but uses lines very similar to the 'rid' variant
(and you can add multiple domains like the 'rid' backend), there is one
big difference, you must add rfc2307 attributes to AD. This may be a way
out of your difficulties, NIS will have its own IDs and you should be
able to use these for your user & group uidNumber & gidNumber attributes.
Whichever backend you use, if you use the same basic smb.conf on every
Unix machine, you will always get the same IDs. You should also be
aware that you cannot have the same username or group name in
/etc/passwd & /etc/group that also exists in AD, the former will always
be used first. My advice would be to just have users & groups in AD,
apart from one or two local Unix Admins, just in case anything goes wrong.
If you require any further information, just ask.
Rowland