[Samba] Joining Linux Domain Member to Windows AD/DC

Rowland Penny rpenny at samba.org
Sun Dec 10 10:49:00 UTC 2023


On Sat, 09 Dec 2023 17:26:15 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> I'm back to joining a Linux computer as a domain member to a Windows
> Domain. This is not the same thread I've been posting lately, but
> rather one that trailed off back in July 2023, same subject.
> 
> My hold-up then, and my question now, has to do with "Choosing an
> idmap backend",
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend.
> 
> As the wiki says, "It can appear to be a complex decision choosing
> which winbind idmap backend to use", and "Once you have decided which
> winbind idmap backend to use, you have to choose the ranges to use
> with 'idmap config' in smb.conf."
> 
> The wiki is right, it does appear "complex"!

Only in that there are numerous idmap config backends that you can use.
However, on a Unix domain member there are three main ones that are
used:

The 'ad' backend:
This is only required if you need the rfc2307 attributes for different
Unix home directories and login shells. It also requires that you use
and populate the rfc2307 uidNumber & gidNumber attributes for users &
groups that you require to be visible on Unix.

The 'rid' backend:
This backend does not require any alterations to AD. It calculates the
user & group Unix IDs from the user or group RID. If you use the same
basic smb.conf on all Samba Unix domain members, you will always get
the same Unix ID. You are limited to Unix home directory path and login
shell which by default are set to /home/%D/%U and /bin/false, though
they can be changed by setting the relevant parameters in smb.conf,
for instance

template shell = /bin/bash
template homedir = /home/%U

NOTE: '%D' & '%U' are variable substitutions for the NetBIOS domain
name (aka WORKGROUP) and username.

The 'autorid' backend:
This backend works similar to the 'rid' backend (it uses a different
calculation to obtain the Unix ID), but it is mostly used for multiple
domains.

> 
> My domain is hprs.locl.
> 
> I won't include here the extensive responses I got back in July, but
> to summarize my understanding:
> 
> It doesn't matter what idmap backend I choose, but the Rowland-suggested
> one back then was rid.
> 
> As far as the ranges, the wiki gives the following example:
> 
>  *        3000-7999 (default domain)
>  DOMAIN   10000-999999 (hprs.locl)
>  TRUSTED  1000000-9999999
> 
> I'm not really sure what the "default domain" is versus "DOMAIN", nor
> what a "TRUSTED" domain is versus the others, but maybe I don't
> really care?

Very simplistically:
 
The 'default' domain (identified by '*') is where Samba stores the IDs
for the Well Known SIDs (there are less than two hundred of these) and
anything outside the 'DOMAIN' or 'TRUSTED' domain (and there really
shouldn't be anything).

The 'DOMAIN' domain is where Samba stores the Unix IDs for the main
DOMAIN (where 'DOMAIN' is the workgroup name).

The 'TRUSTED' domain (and there can be multiples of these) is where Samba
stores the IDs for any external domains where a 'trust' has been set up
between your 'DOMAIN' and it. If you haven't got any trusts, then you
can ignore trusts.

When you set ranges for the various backends you use, these ranges must
not overlap.

There is a bit of a difference when it comes to the 'autorid' backend.
This backend (when setting the 'idmap config' lines in the smb.conf
file) is referred to with the same symbol as the default domain '*' and
you only need two lines in your smb.conf:

idmap config * : backend = autorid
idmap config * : range = 10000-999999

The code will do what is required for any domain that connects, be that
the default, DOMAIN or a TRUSTED domain; you do not require the default
domain lines.

There are a few other idmap backends, but those are the main ones in
use.

> 
> Apparently, according to responses on my early thread, the Windows
> AD/DC doesn't have idmap ranges, so I needn't worry about doing
> anything that won't work with that server, right?

If you look closely, 'idmap' is really two words, 'id' and 'map'. This
means that Samba takes the user or group AD ID and maps it to a Unix ID.
Windows doesn't need this, it just uses the user or group SID.
If you use the 'ad' backend and add uidNumber & gidNumber attributes,
then these will take precedence over the '3000000' range of numbers
that a DC normally uses. There is a way to use the 'ad' backend on Unix
domain members and use the '3000000' range on DCs: remove
'idmap_ldb:use rfc2307 = yes' from the DC's smb.conf and restart Samba.

> 
> Given all of the above, and reading
> https://wiki.samba.org/index.php/Idmap_config_rid, I come up with the
> following for my smb.conf:
> 
> security = ADS
> workgroup = HPRS
> realm = HPRS.LOCL
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config HPRS : backend = rid
> idmap config HPRS : range = 10000-999999
> 
> template shell = /bin/bash
> template homedir = /home/%U
> 
> And that should be it to enable this computer to join the domain,
> right?

Correct, but it is a very minimal smb.conf and will undoubtedly require
more parameters; it is enough, though, to get the computer joined to the
domain.

Rowland
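As an added example (not code from this thread or from Samba itself), a small Python checker that reads the 'idmap config' lines of the smb.conf discussed above, flags overlapping ranges, and applies the idmap_rid mapping formula documented in man idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaulting to 0) to show whether a given RID lands inside the configured range. The sample smb.conf text is constructed from the lines posted in the thread.

```python
# Added example, not code from the thread or from Samba: parse the
# 'idmap config' lines of an smb.conf, check that the ranges do not
# overlap, and apply the idmap_rid formula from man idmap_rid,
# ID = RID - BASE_RID + LOW_RANGE_ID, to see whether a RID fits the range.
import re

# Constructed sample: the idmap lines proposed in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HPRS : backend = rid
idmap config HPRS : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (low, high), ...}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":  # "low-high" -> (low, high)
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        cfg.setdefault(dom, {})[key] = val
    return cfg

def overlapping_ranges(cfg):
    """Return the (domain_a, domain_b) pairs whose ranges overlap; must be []."""
    doms = [(d, c["range"]) for d, c in cfg.items() if "range" in c]
    bad = []
    for i, (da, (la, ha)) in enumerate(doms):
        for db, (lb, hb) in doms[i + 1:]:
            if la <= hb and lb <= ha:
                bad.append((da, db))
    return bad

def rid_to_unix_id(cfg, dom, rid):
    """Map an AD RID to a Unix ID via idmap_rid; None if it falls outside the range."""
    low, high = cfg[dom]["range"]
    base_rid = int(cfg[dom].get("base_rid", 0))  # man idmap_rid: default 0
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

A RID larger than the range width (here about 990000) maps to None, which is exactly the case where winbind would fail to assign an ID, so size the DOMAIN range to cover the highest RID the domain will ever hand out.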
