[Samba] Joining Linux Domain Member to Windows AD/DC

Mark Foley mfoley at novatec-inc.com
Sat Dec 9 22:26:15 UTC 2023


I'm back to joining a Linux computer as a domain member to a Windows Domain.
This is not the same thread I've been posting lately, but rather one that
trailed off back in July 2023, same subject.

My hold-up then, and my question now, has to do with "Choosing an idmap
backend", https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend.

As the wiki says, "It can appear to be a complex decision choosing which winbind
idmap backend to use", and "Once you have decided which winbind idmap backend to
use, you have to choose the ranges to use with 'idmap config' in smb.conf."

The wiki is right, it does appear "complex"!

My domain is hprs.locl.

I won't include here the extensive responses I got back in July, but to summarize my
understanding:

It doesn't matter what idmap backend I choose, but the one Rowland suggested
back then was rid.

As far as the ranges, the wiki gives the following example:

 *        3000-7999 (default domain)
 DOMAIN   10000-999999 (hprs.locl)
 TRUSTED  1000000-9999999

I'm not really sure what the "default domain" is versus "DOMAIN", nor what a
"TRUSTED" domain is versus the others, but maybe I don't really care?

Apparently, according to responses on my earlier thread, the Windows AD/DC doesn't
have idmap ranges, so I needn't worry about doing anything that won't work with
that server, right?

Given all of the above, and reading https://wiki.samba.org/index.php/Idmap_config_rid, 
I come up with the following for my smb.conf:

security = ADS
workgroup = HPRS
realm = HPRS.LOCL

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPRS : backend = rid
idmap config HPRS : range = 10000-999999

template shell = /bin/bash
template homedir = /home/%U

And that should be it to enable this computer to join the domain, right?

Thanks --Mark


