On 22/07/2023 18:52, Mark Foley via samba wrote:
> I am installing a new Linux Domain Member on an Active Directory domain that is
> otherwise 100% Windows, including a Windows AD/DC. Previously, I've added a
> Linux domain member to a domain with a Samba AD/DC and I had all the needful
> information available.
It doesn't matter what the DCs are, Windows or Samba; the setup is the same.
>
> I'm using the wiki
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Introduction
> for reference.
>
> In this case, what idmap backend should I use? ad, rid, autorid?
Which idmap backend you use is entirely up to you; they all have their
places:
If you use the 'ad' idmap backend you will need to have (or add)
uidNumber and gidNumber attributes in AD.
If you use the 'rid' idmap backend then the Unix IDs are calculated
from the AD object's RID. You will have to add a set of 'idmap config'
lines for every DOMAIN.
The 'autorid' idmap backend works in a similar way to the 'rid' idmap
backend, but is meant for multiple domains and you will only require one
set of 'idmap config' lines.
>
> My domain member on my existing Samba domain has smb.conf settings:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
That setup will require that your users have uidNumber attributes and
your groups have gidNumber attributes in AD. All of these
attributes will have to contain numbers inside the 10000-10099 range
(which to be honest is a bit small and only allows for 99 users).
>
> winbind enum groups = Yes
> winbind enum users = Yes
If you only have 99 users, then the 'winbind enum' lines should be okay,
but they are not required and on larger domains, they will slow things down.
> winbind nss info = rfc2307
If you use the 'ad' idmap backend, then 'winbind nss info' is now part
of the 'idmap config' lines and isn't used with any other idmap backend.
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
'winbind use default domain' cannot be used with the 'autorid' idmap
backend.
>
> These settings were monkey-typed from a smb.conf example by kjhambrick, many,
> many moons ago. I really don't know why I have two backends specific (tdb and
> ad) or why there are two different ranges (2000-9999 and 10000-10099 - although
> I see the wiki also has a range for * and for domain). Do I need all these in
> the Windows AD config?
>
> I don't see backend tdb listed in the wiki. Is that obsolete? It does list other
> backends: ldap and nss.
The 'tdb' idmap backend is an allocating backend and is only used for
the default '*' domain (unless you use the 'autorid' idmap backend, when
it isn't required at all). The default domain is meant for the Well
Known SIDs and anything outside the DOMAIN.
>
> How would I find the range on this domain?
You don't, you choose and set it :-)
Anything you don't understand, please ask.
Rowland
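As an added example, not part of the thread and not a Samba tool: a small Python linter for the 'idmap config' lines of a domain member's smb.conf that applies the rules Rowland states above (every domain needs a backend and a LOW-HIGH range, the '*' default domain must be present, ranges must not overlap, 'winbind use default domain' is rejected with autorid, 'winbind nss info' only belongs to the 'ad' backend, 'winbind enum' is optional). The three embedded configs are constructed: POSTER_CONF mirrors Mark's quoted settings, RID_CONF is an assumed 'rid' setup for a Windows-only AD domain called ADDOM (a made-up name), and AUTORID_CONF shows the autorid conflict. The idmap_ad option named in the warning, unix_nss_info, is the per-domain option the thread alludes to; the 1000-ID threshold for the "small range" warning is arbitrary.

```python
"""Hypothetical linter for the idmap lines of a Samba domain member's smb.conf.
Example code written for this thread, not a Samba tool. Sample configs are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# "idmap config DOMAIN : option = value"; DOMAIN may be '*', spacing around ':' is optional.
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^([a-z][\w ]*?)\s*=\s*(.+?)\s*$", re.I)
SMALL_RANGE = 1000  # arbitrary threshold for the "few IDs" warning


def parse(conf: str) -> Tuple[Dict[str, Dict[str, str]], Dict[str, str]]:
    """Return ({DOMAIN: {option: value}}, {other parameter: lowercased value})."""
    domains: Dict[str, Dict[str, str]] = {}
    params: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":  # blank, comment or section header
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
            continue
        m = PARAM_RE.match(line)
        if m:
            params[re.sub(r"\s+", " ", m.group(1).lower())] = m.group(2).lower()
    return domains, params


def parse_range(val: Optional[str]) -> Optional[Tuple[int, int]]:
    """'LOW-HIGH' with LOW < HIGH, else None."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val or "")
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo < hi else None


def is_yes(val: Optional[str]) -> bool:
    return (val or "") in ("yes", "true", "1")


def lint(conf: str) -> List[str]:
    domains, params = parse(conf)
    out: List[str] = []
    star = domains.get("*", {})
    if not star:
        out.append("ERROR: no 'idmap config * : ...' lines; the default domain "
                   "holds the well-known SIDs and anything outside the domain")
    autorid = star.get("backend", "").lower() == "autorid"
    ranges: List[Tuple[int, int, str]] = []
    for dom, opts in domains.items():
        if not opts.get("backend"):
            out.append(f"ERROR: {dom}: no backend set")
        rng = parse_range(opts.get("range"))
        if rng is None:
            out.append(f"ERROR: {dom}: range missing or not LOW-HIGH with LOW < HIGH")
            continue
        lo, hi = rng
        if hi - lo + 1 < SMALL_RANGE:
            out.append(f"WARN: {dom}: range {lo}-{hi} holds only {hi - lo + 1} IDs")
        ranges.append((lo, hi, dom))
    ranges.sort()  # after sorting, ranges overlap iff the next low falls inside the previous one
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            out.append(f"ERROR: ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    if autorid and is_yes(params.get("winbind use default domain")):
        out.append("ERROR: 'winbind use default domain' cannot be used with the autorid backend")
    ad_domains = [d for d, o in domains.items() if o.get("backend", "").lower() == "ad"]
    if "winbind nss info" in params:
        if ad_domains:
            out.append("WARN: 'winbind nss info' is superseded by " + ", ".join(
                f"'idmap config {d} : unix_nss_info = yes'" for d in ad_domains))
        else:
            out.append("WARN: 'winbind nss info' only applies to the 'ad' backend")
    for p in ("winbind enum users", "winbind enum groups"):
        if is_yes(params.get(p)):
            out.append(f"NOTE: '{p}' is not required and slows down large domains")
    return out


# Constructed: the settings quoted in the thread.
POSTER_CONF = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:schema_mode = rfc2307
   idmap config HPRS:range = 10000-10099
   winbind enum groups = Yes
   winbind enum users = Yes
   winbind nss info = rfc2307
   winbind use default domain = Yes
"""
# Constructed: a 'rid' member of an assumed Windows-only domain ADDOM; uid = 10000 + RID.
RID_CONF = """[global]
   security = ADS
   workgroup = ADDOM
   realm = ADDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config ADDOM : backend = rid
   idmap config ADDOM : range = 10000-999999
   winbind use default domain = yes
"""
# Constructed: autorid needs only the '*' lines, but rejects 'use default domain'.
AUTORID_CONF = """[global]
   idmap config * : backend = autorid
   idmap config * : range = 10000-9999999
   winbind use default domain = yes
"""

if __name__ == "__main__":
    for name, conf in (("poster", POSTER_CONF), ("rid", RID_CONF), ("autorid", AUTORID_CONF)):
        print(name, lint(conf) or ["OK"])
```

Run it as-is to see the poster's config flagged for the 100-ID range and the misplaced 'winbind nss info', while the rid config passes cleanly; to lint a real file, read it with `open("/etc/samba/smb.conf").read()` and pass the text to `lint`. It checks only the parameters discussed in the thread; `testparm` remains the authoritative syntax check.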