Better Posix AD

From SambaWiki
Revision as of 01:43, 27 January 2018 by Abartlet (talk | contribs) (more detail)

Jump to: navigation, search


When Setting up Samba as an AD DC for Linux and other POSIX clients some things are not as simple as they could be.


A user on a POSIX system needs a uid and gid value. Many POSIX clients will use the uidNumber and gidNumber values, so we should have those filled in by default.

Possible solutions

Samba should set a uidNumber and gidNumber on the directory entry when the user or group is created. Additionally the schema should be extended to indicate that the uidNumber is actually IDMAP_BOTH, that is able to be expressed as a GID for ACLs.

This should be allocated via winbind, so that the administrator has control, however a new default should be created to use the SSSD idmap algorithm.

For RID based algorithms the base values for the domain should be stored the in trustPosixOffset value of the domain trust entry so that they run on each host autonomously. For counter based allocation, the allocation of the uid/gid should be deferred to the PDC FSMS role holder (or similar).

SSH public keys

Schema for the ssh public key (sshPublicKey or nsSSHPublicKey) should be included in the default install. However don't use the default schema as it has the SSH public key as MUST and it should be MAY.

Sudo schema

Include the FreeIPA sudo schema.

SSSD HBAC access control

Include the schema so that SSSD can use HBAC rules stored in a Samba AD.


There is initial support for the GPO going in to Samba 4.8, but this work need to continue.