
Re: [Samba] Questions about adding a DC

On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

On Mon, 18 Jun 2018 14:42:12 -0400 (EDT)
me@xxxxxxxxxx wrote:

On Mon, 18 Jun 2018, Rowland Penny via samba wrote:

On Mon, 18 Jun 2018 11:42:05 -0400 (EDT)
Tom Diehl via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi,

In reading
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
it says "If the other DCs are Samba DCs and were provisioned with
--use-rfc2307, you should add --option='idmap_ldb:use rfc2307 =
yes' to the join command"

So does this mean that rfc2307 should not be used if the other DCs
are MS DCs? Does the answer change if the ultimate goal is to
decommission the MS DCs?

Do you have any Unix clients, or do you have an intention of either using
the Samba DC as a fileserver, or adding any Unix domain members?

If you do, then add the line to any Samba DCs; if not, then you can
ignore it.

There are no Unix clients today but the plan is to add them once the
Samba DC is up and running. So if I understand you correctly, I
should add rfc2307 attributes so that I have them available when we
provision the member server. Then on the member server add something
like the following to the smb.conf:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999

This will also necessitate adding unix attributes to the user
accounts.

Not exactly, if the Samba AD DC is only going to be used for
authentication, then you could use the winbind 'rid' backend on Unix
domain members, this way you don't have to add anything to AD.

Am I correct that if I use the 'rid' backend then I do not need rfc2307
attributes?

So for rid the smb.conf on the member servers would look something like the
following:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:range = 10000-999999

Is this correct?

Regards,

--
Tom			me@xxxxxxxxxx
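The difference between the two smb.conf fragments in this thread comes down to where the Unix id comes from. The 'ad' backend reads uidNumber/gidNumber (the RFC2307 attributes) from each user's AD object, so those attributes must exist in AD; the 'rid' backend computes the id arithmetically from the RID at the end of the SID (unix id = range low + RID, as documented for idmap_rid), so nothing has to be added to AD. Note that unix_nss_info is an option of the 'ad' backend only. The following is an added illustration, not code from Samba or from anyone in this thread; the domain SID and range are constructed to mirror the "idmap config SAMDOM:range = 10000-999999" line above.

```python
import re

# Constructed sample values (not from the thread): a domain SID and the
# configured idmap range for the SAMDOM domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RID_RANGE = (10000, 999999)

# Matches a domain object SID: S-1-5-21-<a>-<b>-<c>-<rid>
_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain object SID; raise on anything else."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain object SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_to_unix_id(sid, domain_sid=DOMAIN_SID, id_range=RID_RANGE, base_rid=0):
    """Mapping used by the idmap_rid backend: id = low + (rid - base_rid).

    Purely algorithmic, so no AD attribute lookup is involved. Returns None
    for SIDs from another domain (a different 'idmap config' block applies)
    and for ids that would land outside the configured range (winbind refuses
    such a mapping rather than handing out an id from another range)."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None
    low, high = id_range
    unix_id = low + (rid - base_rid)
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def unix_id_to_rid(unix_id, id_range=RID_RANGE, base_rid=0):
    """Reverse direction: recover the RID from a unix id inside the range."""
    low, high = id_range
    if unix_id < low or unix_id > high:
        return None
    return unix_id - low + base_rid


def ad_attribute_to_unix_id(ad_entry, id_range=RID_RANGE):
    """Contrast case for the idmap_ad backend with schema_mode = rfc2307.

    ad_entry is a dict standing in for the user's AD object. The id is taken
    from the uidNumber attribute, so a user without that attribute gets no
    mapping at all, which is why the 'ad' backend needs RFC2307 attributes
    populated in AD. Values outside the configured range are rejected too."""
    value = ad_entry.get("uidNumber")
    if value is None:
        return None
    unix_id = int(value)
    low, high = id_range
    if unix_id < low or unix_id > high:
        return None
    return unix_id


if __name__ == "__main__":
    user_sid = DOMAIN_SID + "-1105"          # constructed user RID
    print("rid backend:", rid_to_unix_id(user_sid))
    print("ad backend, attribute present:",
          ad_attribute_to_unix_id({"uidNumber": "10042"}))
    print("ad backend, attribute missing:",
          ad_attribute_to_unix_id({"sAMAccountName": "tom"}))
```

Running it shows the practical consequence: with 'rid' every domain user gets a stable id (here 11105 for RID 1105) on every member server that shares the same range, while with 'ad' a user without uidNumber simply has no Unix identity.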

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba