[Samba] winbind/idmap issue on samba4 member server
Rowland Penny
rowlandpenny at googlemail.com
Mon Oct 20 10:55:20 MDT 2014
On 20/10/14 17:23, Mirco MEGAS wrote:
>> Hi, I think that you are falling into the 'winbind on the DC != winbind
>> on the client' problem.
>>
>> On the DC, winbind is built into the samba daemon and does not have the
>> same capabilities of the separate winbind daemon that is in use on your
>> member server. This is the main reason that it is not recommended to use
>> the DC for anything other than authentication.
>>
>> Rowland
> Hi Rowland,
>
> can you explain what I should do, I think I didn't understand you, I'm sorry. Did you mean I should remove winbind from /etc/nsswitch.conf (and the symbolic links in /lib64) on my DC1 and DC2? I want to use DC1 and DC2 only for authentication, that was my intention. That's why I installed an extra samba4 host which should have the fileshare role. Please be patient with me. Thanks a lot.
>
> Mirco
Hi Mirco, winbind on the DC just doesn't work like the winbind that you
will be using on your member server, there is little in the DC smb.conf
to set up winbind and what there is are workarounds. As standard the DC
winbind pulls the id numbers from idmap.ldb and that is it, anything
else is ignored, the workarounds are that you can set 'template shell' &
'template home directory' in smb.conf, but these would affect everybody
and cannot be set on a user by user basis.

On the member server, winbind can use different backends, rid or ad,
for instance. The rid backend takes the user's RID from AD and calculates
the user's id from this, provided that you use the same smb.conf on all
Linux machines (apart from the DC) the users will get the same id number.

The best way (IMHO) is to use the ad backend, with this, you have to
give your users and groups various rfc2307 attributes and then you are
positive that your users & groups will have the same id numbers
everywhere including the DC, also you can give your users different unix
home directories, login shells and windows attributes.

Hope this helps you understand the differences, if not, I will try to
answer your questions.

Rowland
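
The two member-server backends described in the reply above, as an added smb.conf example that is not part of the original post. The domain name SAMDOM, the realm and the ID ranges are constructed placeholders; only one of option A or option B is enabled at a time.

```ini
# Member server smb.conf (not the DC). Use the identical [global] idmap
# settings on every Linux member so a user resolves to the same uid
# everywhere; differing IDs mean files end up owned by a different
# account on each host.
[global]
    security = ads
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default domain (BUILTIN and anything not configured below):
    # locally allocated IDs. This range must not overlap the domain range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Option A: rid backend. Nothing is stored in AD; the ID is computed as
    #   ID = RID - base_rid + low end of range   (base_rid defaults to 0)
    # so RID 1105 maps to 11105 with the range below. Changing the range
    # on one host changes every computed ID on that host.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

    # Option B: ad backend. IDs are read from the rfc2307 attributes
    # (uidNumber / gidNumber) set on each user and group in AD. Accounts
    # without those attributes, or with values outside the range, are not
    # mapped. Comment out option A before enabling this.
    ;idmap config SAMDOM : backend = ad
    ;idmap config SAMDOM : schema_mode = rfc2307
    ;idmap config SAMDOM : range = 10000-999999
    # Per-user home directory and login shell from AD instead of the
    # global template settings.
    ;winbind nss info = rfc2307
```

After changing backends, run `testparm` to check the file and `net cache flush` to clear cached mappings, then compare `id <user>` output across members.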