[Samba] Samba domain name in short format
Rowland Penny
rpenny at samba.org
Wed May 8 05:42:23 UTC 2024
On Tue, 7 May 2024 22:19:38 +0000
"Sun, Zhongdong" <zhongdong.sun at yale.edu> wrote:
> Hi Rowland,
>
> You are right. We are running some old software here, such as NIS.
> All this started 20 years ago when I joined the group and we had
> about 20-30 workstations running Linux. NIS was chosen at that time
> to manage user accounts. Some users were not familiar with Linux, so
> we provided Samba to them so that they could map Linux file systems
> to their computers. I know NIS is old technology and can be replaced
> with others, such as LDAP. But this is a clinical research environment
> and it is very difficult to change the system. We have to live with
> this system.
Even 20 years ago NIS was dying and I have since found out that NIS has
been removed from RHEL 9. I really think you need to seriously consider
upgrading your setup.
>
> Fortunately, NIS is only used to manage accounts. And user
> authentication occurs in AD.
Samba, if used correctly, can manage the account, but you would have to
join it to the AD domain and probably use the 'ad' idmap backend with
RFC2307 attributes, that is if the current ID numbers must be used.
> So there is not too much security
> concern here. I'll say it's not easy to manage such a complicated and
> a little outdated system in a production environment, because we
> cannot shut down the system for upgrade or maintenance. For the Samba
> server, I just leave the production server running, and use another
> server to test a new version of Samba. If it works, we may switch to
> the new server as the production system. Otherwise, we have to keep
> the current Samba server running.
>
> For the test Samba server, I followed the instructions to set up
> Samba, but without winbind. In my test, everything works except that
> it cannot recognize the short domain name YALE. If I use the full
> domain name yu.yale.edu, everything works well. But it's difficult to
> ask all users to use the long format. I think this seems to be a DNS
> issue. But I don't know how to tell the Samba server to resolve the
> short name YALE as the long name yu.yale.edu. I wonder if you or any
> experts here can provide any advice on this.
If you run Samba without winbind, then it cannot be joined to a domain
and can only be a standalone server.
When it comes to the domain names, 'yu.yale.edu' looks like it is the
AD DNS domain (which means the Kerberos realm will be 'YU.YALE.EDU'),
'YALE' will be the NetBIOS domain name, which is also known as the
workgroup name or 'pre-windows 2000' domain name. So, while
'yu.yale.edu' seems to be working for you, I do not think 'YALE' not
working is a DNS problem; NetBIOS doesn't use DNS.
Here is what I suggest you do: set up a test VM using Debian 12 and I
will then talk you through joining that to your AD using Samba. You can
then test its capabilities to see if you could use it instead of your
present setup. The only 'problem' I can see is the NFS shares; it isn't
a good idea to re-share them via Samba to Windows, you would probably
be better off getting the Linux machines to use Samba instead. My rule
of thumb is:
All Linux machines, use NFS.
A mixture of Linux and Windows machines, use Samba.
A side effect of using Samba is that your users will be able to log on
using 'username' instead of 'YALE\username' or 'yu.yale.edu\username'
if required.
Rowland
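
Added illustration, not part of the message above and not the poster's or the Samba project's own configuration: a minimal smb.conf [global] section for a domain member that runs winbind and uses the 'ad' idmap backend with RFC2307 attributes, as the reply describes. The workgroup and realm come from the thread; both ID ranges are constructed placeholders, and the YALE range is assumed to contain the uidNumber/gidNumber values already stored in AD.

```ini
[global]
    # NetBIOS (pre-Windows 2000) domain name and Kerberos realm from the thread
    workgroup = YALE
    realm = YU.YALE.EDU
    # Domain member mode: requires a domain join and a running winbindd
    security = ADS

    # Default domain: BUILTIN and well-known SIDs, allocated locally.
    # Placeholder range; it must not overlap the YALE range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # AD domain: read existing uidNumber/gidNumber (RFC2307) from AD so
    # the current ID numbers are preserved. Placeholder range; users and
    # groups whose IDs fall outside it are not mapped by winbind.
    idmap config YALE : backend = ad
    idmap config YALE : schema_mode = rfc2307
    idmap config YALE : range = 10000-999999
    # Take login shell and home directory from the AD attributes as well
    idmap config YALE : unix_nss_info = yes
```

`testparm` checks the file for syntax errors before the machine is joined with `net ads join`.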