[Samba] Joining Linux Domain Member to Windows AD/DC

Rowland Penny rpenny at samba.org
Sat Jul 22 19:58:01 UTC 2023

On 22/07/2023 18:52, Mark Foley via samba wrote:
> I am installing a new Linux Domain Member on an Active Directory domain that is
> otherwise 100% Windows, including a Windows AD/DC.  Previously, I've added a
> Linux domain member to a domain with a Samba AD/DC and I had all the needful
> information available.

It doesn't matter what the DCs are, Windows or Samba, the setup is the 

> I'm using the wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
> for reference.
> In this case, what idmap backend should I use? ad, rid, autorid?

Which idmap backend you use is entirely up to you, they all have their 

If you use the 'ad' idmap backend you will need to have (or add) 
uidNumber and gidNumber attributes in AD.

If you use the 'rid' idmap backend then the Unix IDs are calculated 
from the AD object's RID. You will have to add a set of 'idmap config' 
lines for every DOMAIN.

The 'autorid' idmap backend works in a similar way to the 'rid' idmap 
backend, but is meant for multiple domains and you will only require one 
set of 'idmap config' lines.

> My domain member on my existing Samba domain has smb.conf settings:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099

That setup will require that your users have uidNumber attributes and 
your groups have gidNumber attributes in AD. All of these 
attributes will have to contain numbers inside the 10000-10099 range 
(which to be honest is a bit small and only allows for 99 users).

> winbind enum groups = Yes
> winbind enum users = Yes

If you only have 99 users, then the 'winbind enum' lines should be okay, 
but they are not required and on larger domains, they will slow things down.

> winbind nss info = rfc2307

If you use the 'ad' idmap backend, then 'winbind nss info' is now part 
of the 'idmap config' lines and isn't used with any other idmap backend.

> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes

'winbind use default domain' cannot be used with the 'autorid' idmap 

> These settings were monkey-typed from a smb.conf example by kjhambrick, many,
> many moons ago.  I really don't know why I have two backends specified (tdb and
> ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
> I see the wiki also has a range for * and for domain).  Do I need all these in
> the Windows AD config?
> I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
> backends: ldap and nss.

The 'tdb' idmap backend is an allocating backend and is only used for 
the default '*' domain (unless you use the 'autorid' idmap backend, when 
it isn't required at all). The default domain is meant for the Well 
Known SIDs and anything outside the DOMAIN.

> How would I find the range on this domain?

You don't, you choose and set it :-)

Anything you don't understand, please ask.
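The points Rowland makes above (the 'rid' backend computes Unix IDs from the RID, the 'ad' backend only accepts uidNumber/gidNumber values inside the configured range, and the '*' range must not overlap the DOMAIN range) can be checked mechanically. The script below is an added example written for this page; it is not code from the post, from kjhambrick's smb.conf or from the Samba project. It parses 'idmap config' lines, applies the idmap_rid(8) formula (ID = RID - BASE_RID + LOW_RANGE_ID, base_rid defaulting to 0), validates 'ad' IDs against the range, and reports overlapping ranges. The smb.conf fragments, sample SIDs and the HPRS domain SID are all constructed for illustration; a real domain SID comes from `wbinfo -D DOMAIN` or `net ads info`.

```python
"""Added example, not code from the Samba post or project: how a domain
member's idmap settings turn AD objects into Unix IDs, and the range checks
that go with them. Config fragments and SIDs below are constructed; HPRS is
the domain name from the thread, its SID is invented.

idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID  (base_rid defaults to 0)
idmap_ad:     uidNumber/gidNumber is read from AD and must lie in the range
"""
import re
from typing import Dict, List, Optional, Tuple

IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

# Constructed fragment in the shape the thread discusses: '*' plus one domain.
RID_CONF = """
[global]
   workgroup = HPRS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config HPRS : backend = rid
   idmap config HPRS : range = 10000-999999
"""

# The poster's 'ad' settings, with the 100-ID range Rowland calls a bit small.
AD_CONF = """
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config HPRS : backend = ad
   idmap config HPRS : schema_mode = rfc2307
   idmap config HPRS : range = 10000-10099
"""

# Invented domain SID for HPRS (assumption); a real one comes from `wbinfo -D HPRS`.
DOMAIN_SIDS = {"HPRS": "S-1-5-21-1111111111-2222222222-3333333333"}


def parse_idmap_config(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    """'low-high' -> (low, high); rejects an empty or inverted range."""
    lo, hi = (int(x) for x in spec.split("-"))
    if lo >= hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def overlapping_ranges(cfg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges overlap; the Samba wiki requires them disjoint."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def rid_to_unix_id(sid: str, cfg: Dict[str, Dict[str, str]]) -> Optional[int]:
    """Map a SID through a 'rid' backend domain. Returns None when the SID is
    not from a configured rid domain or the computed ID leaves the range."""
    dom_sid, _, rid_s = sid.rpartition("-")
    rid = int(rid_s)
    for dom, opts in cfg.items():
        if opts.get("backend", "").lower() != "rid" or DOMAIN_SIDS.get(dom) != dom_sid:
            continue
        lo, hi = parse_range(opts["range"])
        unix_id = rid - int(opts.get("base_rid", "0")) + lo
        return unix_id if lo <= unix_id <= hi else None
    return None


def ad_id_accepted(dom: str, id_number: int, cfg: Dict[str, Dict[str, str]]) -> bool:
    """'ad' backend: the uidNumber/gidNumber stored in AD must lie in the range."""
    opts = cfg[dom.upper()]
    if opts.get("backend", "").lower() != "ad":
        raise ValueError(f"{dom} does not use the ad backend")
    lo, hi = parse_range(opts["range"])
    return lo <= id_number <= hi


if __name__ == "__main__":
    rid_cfg = parse_idmap_config(RID_CONF)
    print("overlaps:", overlapping_ranges(rid_cfg))
    # RID 1105 -> 10000 + 1105; a SID from another domain stays unmapped
    print(rid_to_unix_id("S-1-5-21-1111111111-2222222222-3333333333-1105", rid_cfg))
    print(rid_to_unix_id("S-1-5-21-9-9-9-1105", rid_cfg))
    ad_cfg = parse_idmap_config(AD_CONF)
    print(ad_id_accepted("HPRS", 10050, ad_cfg), ad_id_accepted("HPRS", 10100, ad_cfg))
```

Run it with `python3` on the embedded fragments, or swap in the 'idmap config' lines from a real smb.conf. The rid path shows why the DOMAIN range must be large: every RID the domain ever issued lands at low_id + RID, and an ID past the high end is simply unmapped. The ad path shows what a 10000-10099 range means in practice: a uidNumber of 10100 in AD is ignored by winbind.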

