[Samba] Choosing a backend idmap and example scenarios for each one

Rowland Penny rpenny at samba.org
Thu Jun 20 07:55:01 UTC 2024


On Wed, 19 Jun 2024 21:12:40 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> Thank you all!!!! Great content!!!
> 
> Speaking of scenarios... What would be the best backend for?
> 
> Scenario 1:
> 3 DCs and 1 fileserver
> 2800 users
> 
> Scenario 2:
> 4 DCs and 2 fileservers
> 2800+ users
> 

This all depends on whether the DCs are going to be used as fileservers
(not recommended), whether you want the same IDs everywhere on Linux, and
whether you also want to set different Unix home directories and shells.

Using the 'ad' idmap backend will give you the ability to have the same
numeric (and hence name) ID everywhere. You will also be able to set
different home directories and shells for users on Unix domain members;
this will not work on DCs, where the 'template' lines will be used. You
will also have to set 'idmap_ldb:use rfc2307 = yes' on the DCs to use
the uidNumber & gidNumber attributes in AD.

I would recommend using the 'rid' idmap backend and only using the DCs
for authentication. Then, provided you use the same 'idmap config'
block on every Unix domain member, your users & groups will always get
the same Unix ID. The home directory path & shell can be set in
smb.conf and it usually doesn't matter if they are set differently per
fileserver etc.

Rowland
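
The following is an added example, not part of the original post and not Samba's own code. It models the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID) to show why an identical 'idmap config' block yields identical Unix IDs on every domain member, and what a drifted range does. The domain name SAMDOM, the ranges, and the SID are constructed assumptions.

```python
import re

# Constructed smb.conf fragments for three domain members (SAMDOM and the
# ranges are assumptions for illustration, not values from the post).
MEMBER_A = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
"""
MEMBER_B = MEMBER_A  # identical block -> identical IDs
MEMBER_C = MEMBER_A.replace("10000-999999", "20000-999999")  # drifted copy

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\S+)\s*=\s*(\S+)\s*$", re.M)

def idmap_settings(conf, domain):
    """Collect the 'idmap config <domain> : key = value' lines for one domain."""
    return {k: v for d, k, v in IDMAP_RE.findall(conf) if d == domain}

def rid_to_unix_id(conf, domain, sid):
    """Model of the idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    cfg = idmap_settings(conf, domain)
    if cfg.get("backend") != "rid":
        raise ValueError(f"{domain} is not using the rid backend")
    low, high = (int(x) for x in cfg["range"].split("-"))
    base_rid = int(cfg.get("base_rid", 0))
    rid = int(sid.rsplit("-", 1)[1])  # last sub-authority of the SID
    unix_id = rid - base_rid + low
    # An ID that falls outside the configured range is not mapped.
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed SID
    for name, conf in (("A", MEMBER_A), ("B", MEMBER_B), ("C", MEMBER_C)):
        print(name, rid_to_unix_id(conf, "SAMDOM", sid))
```

Members A and B resolve the same SID to the same Unix ID, while member C, whose range was edited, assigns a different one, so file ownership would no longer line up between servers.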



