[Samba] winbind for nsswitch, without AD membership

Rowland Penny rpenny at samba.org
Thu Feb 2 10:18:01 UTC 2023

On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
> I am setting up a standalone samba server (with tdbsam) on RHEL9,
> following the immaculate samba wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> The user creation flow described in the standalone scenario is:
> - create a system user (useradd ) with password
> - create a samba user (smbpasswd) with password
> In my previous work, I have always used domain member servers with
> security = ADS /  winbind idmap 'ad' backend / winbind for local linux
> users.
> My question: is it possible to use winbind with autorid & tdbsam (and
> security = user) to avoid the requirement to generate each user TWICE?
> MJ

No, but you could use winbind with autorid (or rid) and the default 
tdbsam and 'security = ADS', then do not create users on the Samba Unix 
domain member; that way, you only create the user once, in AD.

If you have AD, then leverage it; if not, script around the user creation.

NOTE: if you use the rid idmap backend, you can also use 'winbind use 
default domain = yes'.
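
One way to "script around the user creation" for the standalone (tdbsam, 'security = user') case, as an added example that is not part of the original thread or of Samba itself: a single call performs both the useradd and the smbpasswd step, validates the name first, and takes the password on stdin so it never appears in the process list. The function names, the DRY_RUN switch, the no-home/nologin account and the reuse of one password for both accounts are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: one command creates both the Unix account and the tdbsam entry.
# valid_username, run, add_samba_user and DRY_RUN are names made up for this sketch.
LC_ALL=C; export LC_ALL

# Accept only conservative account names before they reach useradd/smbpasswd.
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# add_samba_user NAME: the password is read as one line from stdin, never from argv.
add_samba_user() {
    user=$1
    valid_username "$user" || { echo "invalid user name: $user" >&2; return 2; }
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "no password on stdin" >&2; return 3; }
    # Step 1: system user without home directory or login shell.
    if ! id "$user" >/dev/null 2>&1; then
        run useradd -M -s /sbin/nologin "$user" || return 4
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: chpasswd (stdin), smbpasswd -s -a $user"
        return 0
    fi
    # Same password for the Unix account and the Samba account (assumption).
    printf '%s:%s\n' "$user" "$pw" | chpasswd || return 5
    # Step 2: -a adds the tdbsam entry, -s reads the password twice from stdin.
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -s -a "$user" || return 6
}

# Usage (as root): ./add-samba-user.sh alice < password-file
if [ "$#" -gt 0 ]; then add_samba_user "$1"; fi
```

Run it once with DRY_RUN=1 to see which commands would be executed before running it as root.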

