[Samba] Choosing a backend idmap and example scenarios for each one

Rowland Penny rpenny at samba.org
Sat Jun 15 07:48:04 UTC 2024


On Fri, 14 Jun 2024 17:32:30 -0300
Andreas Hasenack via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> On Fri, Jun 14, 2024 at 4:44 PM Elias Pereira via samba <
> samba at lists.samba.org> wrote:
> 
> > hi,
> >
> > Knowing the 3 idmap backends (ad, rid and autorid) available to
> > configure samba as a domain member, could you give examples of
> > scenarios in which each backend would be more suitable?
> >
> >
> I also wrote some documentation for the ubuntu server guide about
> this, recently. Here is one point of entry:
> https://ubuntu.com/server/docs/choosing-an-integration-method

That first one doesn't even mention idmap_ad

Why do you use the range 100000 - 199999 for the default '*' domain,
when this is meant for the Well Known SIDs and anything outside the
'DOMAIN' domain (which really means '0')? There are fewer than 200 Well
Known SIDs.

Wouldn't 'Not a member server' be better as 'Authentication
only', with the caveat that you only run Winbind for this (which is what
sssd really is)?

The main difference between idmap_rid and idmap_autorid is that it is
easier to set up idmap_autorid (just two lines), but it will also suffer
from the same problem that sssd does: if a domain gets large enough,
you will get ID collisions.

> 
> Some more practical docs start here:
> https://ubuntu.com/server/docs/join-a-domain-with-winbind-preparation
> including a cross-forest example.

Why does Ubuntu seem to require the hostname setting to a FQDN, but
Debian just requires the short hostname?

Rowland
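As an added illustration (not code from this thread or from Samba itself), a small Python model of the range bookkeeping discussed above: it parses the `idmap config` lines of a constructed smb.conf fragment, checks that the '*' default range and the domain range do not overlap, and applies the idmap_rid arithmetic (ID = RID + low end of the range) to show where a large domain falls off the end of its range. The domain name SAMDOM and the ranges are assumptions for the example.

```python
import re

# Constructed smb.conf fragment (not from the thread): idmap_tdb for the '*'
# default domain, idmap_rid for the AD domain the member is joined to.
SMB_CONF = """
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    out = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = out.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return out

def overlapping_ranges(idmap):
    """Pairs of domains whose ID ranges overlap; winbind needs them disjoint."""
    doms = sorted(idmap)
    bad = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (al, ah), (bl, bh) = idmap[a]["range"], idmap[b]["range"]
            if al <= bh and bl <= ah:
                bad.append((a, b))
    return bad

def rid_to_id(idmap, domain, rid):
    """idmap_rid arithmetic: ID = RID + LOW_RANGE_ID; None once it leaves the range."""
    low, high = idmap[domain.upper()]["range"]
    uid = low + rid
    return uid if low <= uid <= high else None
```

A RID that maps past the high end of the range is simply unmapped, which is the failure an undersized range produces as a domain grows.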