
I am trying to join multiple Linux devices to a Windows Active Directory domain with both domain logon and Samba file sharing functionality. I am trying to avoid manually adding POSIX attributes to AD users and groups here. Although this seems simple enough to do with the autorid backend of Samba, according to Red Hat's documentation (File and print servers - drawbacks of autorid):

Autorid creates inconsistent uid and gid attributes when compared against other Linux devices. Since I want permissions on domain user- and group-owned directories and files to be consistent across all members (from client to server, and from client to client), inconsistently generated attributes are unacceptable for my environment.

Seemingly, sssd automatic ID mapping (ldap_id_mapping = true in sssd.conf) uses an algorithm that automatically generates consistent uid and gid attributes for domain users across multiple Linux hosts. I would use this as the backend for Samba; however, as Red Hat states in their documentation (Using SMB shares with SSSD and Winbind), they do not recommend this, as sssd cannot perform NetBIOS lookups or NTLM.

So, seeking an ideal configuration that allows consistent automatic generation of uid and gid attributes across multiple Linux domain members but still allows full domain Samba functionality, what options are there?

James Hopwood

1 Answer


Use the 'autorid' backend if you have multiple domains and the 'rid' backend if you only have one. Provided you use the same '[global]' lines on every Unix domain member, you will get the same IDs on each. Use 'idmap config' lines something like this for the 'rid' backend:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Where 'SAMDOM' is your workgroup name.

With that, I can guarantee (for instance) that the Domain Users group will always get the group ID '10513' on all machines.

If you add 'winbind use default domain = yes' to '[global]', your users will be able to log in with 'username' instead of 'SAMDOM\username' (note: you cannot use this with the 'autorid' backend).
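A worked illustration of why the 'rid' backend yields the same ID on every host, added here as an example and not part of the answer above: it parses the idmap lines from the answer and applies the idmap_rid rule (Unix ID = RID + low end of the domain's range), so Domain Users (RID 513) lands on 10513 wherever that range is configured. The domain SID and the '[global]' fragment are constructed placeholders.

```python
import re

# Constructed [global] fragment using the idmap lines from the answer.
SMB_CONF_GLOBAL = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(text):
    """Return {domain: {'backend': ..., 'range': (low, high)}} from idmap config lines."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = val
    return cfg


def rid_to_unix_id(cfg, domain, sid):
    """Apply the idmap_rid algorithm: Unix ID = RID + low end of the domain's range.

    Returns None when the domain is not rid-backed (the '*' tdb default allocates
    IDs first-come, first-served, so it cannot be computed) or when the result
    falls outside the configured range.
    """
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid":
        return None
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last SID component
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


# Constructed domain SID; a real one has the same S-1-5-21-a-b-c shape.
SAMDOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"

if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF_GLOBAL)
    print("Domain Users ->", rid_to_unix_id(cfg, "SAMDOM", SAMDOM_SID + "-513"))
```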