On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> Hi,
>
> I am setting up a standalone samba server (with tdbsam) on RHEL9,
> following the immaculate samba wiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>
> The user creation flow described in the standalone scenario is:
>
> - create a system user (useradd ) with password
> - create a samba user (smbpasswd) with password
>
> In my previous work, I have always used domain member servers with
> security = ADS / winbind idmap 'ad' backend / winbind for local linux
> users.
>
> My question: is it possible to use winbind with autorid & tdbsam (and
> security = user) to avoid the requirement to generate each user TWICE?
>
> MJ
>

No, but you could use winbind with autorid (or rid) and the default tdbsam and 'security = ADS', then do not create users on the Samba Unix domain member, that way, you only create the user once, in AD.

If you have AD, then leverage it, if not, script around the user creation.

NOTE: if you use the rid idmap backend, you can also use 'winbind use default domain = yes'.

Rowland
cYuSeDfZfb cYuSeDfZfb
2023-Feb-02 10:25 UTC
[Samba] winbind for nsswitch, without AD membership
Hi Rowland,

Thanks for the very quick reply.

As this machine will hold specific backup stuff, we do not want it to be 'connected' to the AD at all, adding an extra layer of protection. (next to other layers, of course)

Thanks for your clear response: we will script it.

MJ

On Thu, 2 Feb 2023 at 11:18, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
> > Hi,
> >
> > I am setting up a standalone samba server (with tdbsam) on RHEL9,
> > following the immaculate samba wiki:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> >
> > The user creation flow described in the standalone scenario is:
> >
> > - create a system user (useradd ) with password
> > - create a samba user (smbpasswd) with password
> >
> > In my previous work, I have always used domain member servers with
> > security = ADS / winbind idmap 'ad' backend / winbind for local linux
> > users.
> >
> > My question: is it possible to use winbind with autorid & tdbsam (and
> > security = user) to avoid the requirement to generate each user TWICE?
> >
> > MJ
> >
>
> No, but you could use winbind with autorid (or rid) and the default
> tdbsam and 'security = ADS', then do not create users on the Samba Unix
> domain member, that way, you only create the user once, in AD.
>
> If you have AD, then leverage it, if not, script around the user creation.
>
> NOTE: if you use the rid idmap backend, you can also use 'winbind use
> default domain = yes'.
>
> Rowland
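One way to "script around the user creation" for the two-step flow quoted above, as an added example that is not part of the thread. The function names are hypothetical, and the choice of no home directory and `/sbin/nologin` is an assumption for accounts that only access shares.

```bash
#!/bin/bash
# Added example: create the Unix account and the Samba (tdbsam) account in
# one step on a standalone server. Function names are hypothetical.

# Accept only conservative names: first char a-z or '_', then a-z, 0-9,
# '_' or '-', at most 32 characters. Runs in a subshell with the C locale
# so the ranges match ASCII only.
valid_username() (
    LC_ALL=C
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) exit 1 ;;
    esac
    [ "${#1}" -le 32 ]
)

# add_samba_user USER   (the password is read as one line from stdin)
# Reading from stdin keeps the password out of argv and shell history.
add_samba_user() {
    local user=$1 pass="" created=0
    valid_username "$user" || { echo "invalid user name" >&2; return 2; }
    IFS= read -r pass || [ -n "$pass" ] || { echo "no password on stdin" >&2; return 2; }
    [ -n "$pass" ] || { echo "empty password" >&2; return 2; }

    # Create the Unix account only if it is missing, and remember that we
    # did so, so a later failure can be rolled back.
    if ! getent passwd "$user" >/dev/null; then
        # -M: no home directory; -s: no interactive shell (assumption:
        # the account is used for share access only).
        useradd -M -s /sbin/nologin "$user" || return 1
        created=1
    fi

    # smbpasswd -s reads the new password twice from stdin; -a adds the
    # account to the passdb backend.
    if ! printf '%s\n%s\n' "$pass" "$pass" | smbpasswd -s -a "$user" >/dev/null; then
        # Do not leave a half-created account behind.
        [ "$created" -eq 1 ] && userdel "$user"
        return 1
    fi
}

# Usage, as root (file path is a constructed sample):
#   add_samba_user backupop < /root/backupop.pass
```

A pre-existing Unix account is left in place if `smbpasswd` fails, because the script did not create it.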
On 2/2/23 11:18, Rowland Penny via samba wrote:
> On 02/02/2023 10:10, cYuSeDfZfb cYuSeDfZfb via samba wrote:
>> My question: is it possible to use winbind with autorid & tdbsam (and
>> security = user) to avoid the requirement to generate each user TWICE?
>
> No, ...

there's the "add user script" option, I guess that should do what the OP wants.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
SerNet Samba Team Lead https://sernet.de/en/team-samba