[Samba] How to configure samba, sssd, pam etc so that domain users can log in to the linux server?

Rowland Penny rpenny at samba.org
Wed Dec 13 08:03:55 UTC 2023


On Tue, 12 Dec 2023 20:19:25 -0300
Ricardo Campos via samba <samba at lists.samba.org> wrote:

> Hi.
> 
> I'm struggling hard with those tons of configurations in order to
> allow samba ad-dc users to log in to the Debian server.

Samba does not recommend using a DC as a fileserver.
> 
> I couldn't really find a place with definite configuration. It seems
> that there are many possibilities, which makes people really confused.

It isn't that confusing on a Samba DC, you either use the default
idmap_ldb (which will give you IDs in the '3000000' range) or you use
rfc2307 attributes with idmap_ldb (in which case you get to choose the
range).

> 
> I decided to build samba from scratch meaning that I'm not using the
> distro version. The version I installed is 4.19.3.

Why build it yourself, what is wrong with Samba 4.19.3 from
bookworm-backports ?

> 
> Let me tell the basic configurations I have now.
> 
> /usr/local/samba/etc/smb.conf:
> 
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = MEUSAMBA
>         realm = XXXX.LOCAL
>         server role = active directory domain controller
>         workgroup = XXXX
>         idmap_ldb:use rfc2307 = yes
>         include registry

Why use the registry ?

> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/xxxx.local/scripts
>         read only = No
> 
> [nas]
>         path = /dados/nas
>         read only = No
> 
> [suporte]
>         path = /dados/suporte
>         read only = no
> 
> /etc/sssd/sssd.conf

Samba, because it does not produce sssd, cannot provide support for it
and you do not actually need it.

> 
> In fact, I configured this way because the site said I should do so,

What 'site' ?

> but I'd rather not use kerberos. I'd like to keep it simpler.

Active Directory requires kerberos, which in turn requires DNS, so it
isn't simple, but then again it isn't rocket science :-)

Rowland
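The two ID-mapping choices Rowland describes (default idmap_ldb in the 3000000 range, or rfc2307 attributes with a range you choose) can be cross-checked against what domain users actually receive. This is an added example, not code from the thread or from Samba: it parses an smb.conf [global] section for `idmap_ldb:use rfc2307` and compares the expected mode with constructed `getent passwd` lines; the conf text, user names and UIDs are samples, and the fallback of users without uidNumber into the idmap_ldb range is assumed typical rather than taken from the post.

```python
"""Cross-check a Samba AD DC's idmap setting against the UIDs domain
users actually get (as `getent passwd` would show them).

Added example for the thread above. SMB_CONF and GETENT_PASSWD are
constructed samples; on a real DC read smb.conf and run getent yourself.
"""
import re

# Samba's default idmap_ldb hands out xidNumber values from 3000000 upward.
IDMAP_LDB_DEFAULT_BASE = 3000000

SMB_CONF = """\
[global]
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
"""

# Constructed getent output: alice has an rfc2307 uidNumber, bob does not
# and (assumed) fell back to the idmap_ldb default range.
GETENT_PASSWD = """\
XXXX\\alice:*:10001:10000:alice:/home/XXXX/alice:/bin/bash
XXXX\\bob:*:3000021:100:bob:/home/XXXX/bob:/bin/bash
"""

def parse_global(conf):
    """Return the [global] section as a dict of lower-cased key -> value."""
    section, params = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            k, v = line.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return params

def check_idmap(conf, passwd):
    """Return (mode, [users whose UID disagrees with the configured mode])."""
    g = parse_global(conf)
    use_rfc2307 = g.get("idmap_ldb:use rfc2307", "no").lower() in ("yes", "true", "1")
    mode = "rfc2307" if use_rfc2307 else "idmap_ldb-default"
    mismatched = []
    for line in passwd.splitlines():
        name, _, uid = line.split(":", 3)[:3]
        in_default_range = int(uid) >= IDMAP_LDB_DEFAULT_BASE
        if use_rfc2307 == in_default_range:  # rfc2307 users should not be in the default range
            mismatched.append(name)
    return mode, mismatched
```

A user listed as mismatched under rfc2307 mode usually means the account has no uidNumber set in AD, so it silently received an idmap_ldb ID instead of the one you intended.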


