[Samba] idmap ad question
Rowland Penny
rpenny at samba.org
Tue Feb 14 14:29:40 UTC 2023
On 14/02/2023 13:59, Vaughan, Robert J via samba wrote:
> We created the groups we have in UNIX LDAP in AD, gave them the same gidNumber, this seems to work?
Provided they do not exist in /etc/group, you shouldn't have a problem
>
>>> Now, can I ask what you are actually trying to achieve ?
>>> What is the application ?
>
> We will be migrating our UNIX LDAP to AD. Our UNIX LDAP is used by a few Windows users for shell logins, and by quite a few for SAMBA. Our environment is Solaris and Red Hat, with Solaris being replaced by Red Hat.
>
> The users don't have Linux workstations
>
> Right now production is still using UNIX LDAP
>
> AD DC are all Windows and managed by another team. All the users use AD for their Windows client.
Have you tried talking to the Windows sysadmins about the benefits of AD ?
To be honest, you sound like you are saying 'we have always done it this
way' and are missing the major benefits of running an AD Unix domain member.
>
> All users are assigned UID by the corp
That shouldn't be a problem, provided they are unique.
>
> I am testing a Red Hat SAMBA domain member in two modes (via snapshots I can switch back and forth), one with winbind only, and one with winbind using sssd
All that sssd gets you is authentication and you can get that without
running Samba at all.
If you read this:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers#proc_using-the-rid-id-mapping-back-end_assembly_understanding-and-configuring-samba-id-mapping
You will find this:
Important
Red Hat only supports running Samba as a server with the winbindd
service to provide domain users and groups to the local system. Due to
certain limitations, such as missing Windows access control list (ACL)
support and NT LAN Manager (NTLM) fallback, SSSD is not supported.
It is very simple, if you only require authentication, then run sssd
without Samba, but if you require shares, then run Samba (with winbind)
without sssd.
Rowland
More information about the samba
mailing list