David Ayers
2019-Mar-07 16:08 UTC
[Samba] AD Member: server role = member server vs. security = ADS
Hello,

I'm trying to add Debian stretch as a domain member to an AD domain, to have Windows users access shares according to permissions of AD group membership.

For the record this is smbd --version:
Version 4.5.16-Debian

After reading https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member I was a bit confused about a few points when comparing it to the default smb.conf in Debian and reading the man page.

1. The default smb.conf seems to imply to set the "server role" to "member server", but the wiki doesn't mention it.
Should "server role" be set to "member server"?

2. The default smb.conf does not include "security" but the wiki says it should be set to ADS.
Does "server role" being set to "member server" imply "security" set to "ADS"? (This seems to be implied by the man page.)
Or should "security" be explicitly set to "ADS" despite the server role setting?

3. The default Debian configuration sets all the variables for local password storage but also for password sync:

passdb backend
obey pam restrictions
passwd program
passwd chat
pam password change

but none of these are mentioned in the wiki. I guess they become obsolete as a domain member and there is no need to sync passwords since any Samba users will be managed by NSS and winbindd.

Cheers,
David

-- 
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) (http://www.fsfe.org)
Become a supporter of the FSFE! (https://fsfe.org/join)
Your donation powers our work! (http://fsfe.org/donate)
Rowland Penny
2019-Mar-07 16:52 UTC
[Samba] AD Member: server role = member server vs. security = ADS
On Thu, 07 Mar 2019 17:08:46 +0100
David Ayers via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to add Debian stretch as a domain member to an AD domain,
> to have Windows Users access shares according to permissions of AD
> group membership.
>
> For the record this is smbd --version:
> Version 4.5.16-Debian
>
> After reading
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> I was a bit confused about a few points when comparing it to the
> default smb.conf in Debian and reading the man page

The default Debian smb.conf is for a standalone server.

> 1. The default smb.conf seems to imply to set the "server role" to
> "member server", but the wiki doesn't mention it.
> Should "server role" be set to "member server"?

You can if you wish, but it amounts to the same as setting 'security = ADS'.

> 2. The default smb.conf does not include "security" but the wiki says
> it should be set to ADS.
> Does "server role" being set to "member server" imply "security" set
> to "ADS"? (This seems to be implied by the man page)
> Or should "security" be explicitly set to "ADS" despite the server
> role setting?

See above.

> 3. The default Debian configuration sets all the variables for
> local password storage but also for password sync:
>
> passdb backend

This will undoubtedly be set to 'tdbsam' and is the default, so isn't required.

> obey pam restrictions

This was recently found to be affecting umask, so probably shouldn't be set.

> passwd program
> passwd chat
> pam password change

These can be set if required, but are not strictly needed.

> but none of these are mentioned in the Wiki. I guess the become
> obsolete as domain member and there is no need to sync passwords since
> any samba users will be managed by NSS and winbindd

The smb.conf files found on the wiki are very basic and are only meant to get you up and running and able to join a domain. It is up to a sysadmin to decide whatever else they need in smb.conf.

Rowland
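As an added illustration of the advice above (this is not a configuration posted in the thread, nor the Samba wiki's file verbatim), the following is a minimal AD domain-member `[global]` section in the style of the wiki page David linked. `security = ADS` is set explicitly rather than relying on `server role = member server`: with `security` left at its default of `auto`, Samba resolves a role of `member server` to the older `security = domain` (NT4-style domain-member authentication), whereas `security = ADS` selects Kerberos authentication against the AD domain controllers and itself implies the member-server role. The workgroup, realm, ID ranges and share path are placeholders to be replaced for a real domain; the password-sync parameters from the Debian default are deliberately left out.

```ini
# Added example, not from the thread or the Samba wiki verbatim.
# SAMDOM / SAMDOM.EXAMPLE.COM, the idmap ranges and the share path are
# placeholders: substitute the values of the domain being joined.
[global]
    # Explicit ADS mode: Kerberos authentication against the AD DCs.
    # Omitting this and setting only "server role = member server" would,
    # through "security = auto", resolve to the NT4-style "security = domain".
    security = ADS
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    log file = /var/log/samba/%m.log
    log level = 1

    # ID mapping: the default (*) domain covers BUILTIN and other well-known
    # SIDs and uses tdb; the AD domain maps RIDs deterministically to UIDs/GIDs.
    # The two ranges must not overlap.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Let domain users log in without the DOMAIN\ prefix and give winbindd
    # resolved accounts a shell and home directory for NSS lookups.
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/%U

    # Intentionally absent, per the reply above: "passdb backend" (tdbsam is
    # the default anyway), "obey pam restrictions", "passwd program",
    # "passwd chat" and "pam password change". Accounts live in AD and are
    # resolved by winbindd through NSS, so there is no local password to sync.

[data]
    # Permissions are enforced through POSIX ACLs set for AD groups on the path.
    path = /srv/samba/data
    read only = no
```

After `net ads join -U Administrator` and enabling winbind in `/etc/nsswitch.conf`, `testparm -sv | grep -Ei '^\s*(server role|security) ='` shows the values Samba actually resolved from this file, which is the quickest way to confirm whether a given combination of `server role` and `security` ends up as `ads` or `domain`; `wbinfo -u` and `getent passwd` then confirm that domain accounts are being resolved through winbindd.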
David Ayers
2019-Mar-08 07:50 UTC
[Samba] AD Member: server role = member server vs. security = ADS
On Thursday, 07.03.2019, 16:52 +0000, Rowland Penny via samba wrote:
> On Thu, 07 Mar 2019 17:08:46 +0100
> David Ayers via samba <samba at lists.samba.org> wrote:

Thank you for the clarifications!

> The smb.conf files found on the wiki are very basic and are only
> meant to get you up and running and able to join a domain. It is up
> to a sysadmin to decide whatever else they need in smb.conf.

Yes, I understand that Samba is complex and therefore the decision on what to set when is likely answered with "it depends" on a case-by-case basis.

In the case of "server role" and "security" it seems strange that different settings amount to the same assumed result.

It also wasn't clear to me whether any local password management was useful or even valid in the case of a domain member at all, but I didn't clearly ask that question. Yet now I infer that it isn't.

Thank you very much for your guidance!

David Ayers

-- 
David Ayers - Team Austria
Free Software Foundation Europe (FSFE) (http://www.fsfe.org)
Become a supporter of the FSFE! (https://fsfe.org/join)
Your donation powers our work! (http://fsfe.org/donate)