On 2014-07-28 16:54, Caleb O'Connell wrote:
> I have a samba4 Domain Controller, there are no other samba4 domain member
> servers in the network, there is one other samba 3 member server in the
> network.
> I've set up the DC with:
> idmap_ldb:use rfc2307 = yes
>
> On the samba4, do we use the idmap attributes?
>
> # idmap config * : backend = tdb
> # idmap config * : range = 70001-999999
> # idmap config IAPP : backend = ad
> # idmap config IAPP : schema_mode = rfc2307
> # idmap config IAPP : range = 10000-70000
> # winbind nss info = rfc2307
> # winbind trusted domains only = no
> # winbind use default domain = Yes
> # winbind enum users = Yes
> # winbind enum groups = Yes
> # winbind refresh tickets = yes
> # winbind nested groups = Yes
>
>
> Is this only a member server thing? The samba 3 server is using this and it
> works well. In my reading it sounds like samba4 does not support this on
> the DC.
>
> Is it recommended to use sssd on the DC for local accounts from AD?

It is generally recommended to not use either on a DC and use it just to
authenticate other nodes.
That said, winbind is broken on s4 dcs, sssd isn't. (Or rather,
s4-winbind is woefully incomplete in comparison to the already quite
limited s3-winbind, while sssd, being independently developed, works the
same with either).
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at