[Samba] Several questions about winbind[d]

mathias dufresne infractory at gmail.com
Tue Jun 30 04:17:22 MDT 2015


@Andrew: I expect these lines came from an RDP issue workaround which should
be happening with the previous Samba version. I removed all these lines as now,
with Samba version 4.2.2, RDP and RSAT are working well without them.

I also removed each and every idmap line, commented out most of the winbind
lines too, and now my smb.conf is:
------------------------------------------------------------
[global]
        workgroup = AD.DOMAIN
        realm = ad.domain.tld
        netbios name = DC01
        server role = active directory domain controller

        dns forwarder = 10.0.0.240

        wins support = yes
        winbind nss info = rfc2307

[netlogon]
        path = /var/lib/samba/sysvol/ad.domain.tld/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
------------------------------------------------------------

There is still something I don't understand:
"wbinfo -i some.user" does not show the configured homeDirectory, loginShell
or gidNumber.
For loginShell it displays "/bin/false" rather than the configured "/bin/bash".
For homeDirectory it displays "/home/AD.DOMAIN/some.user" rather than the
configured "/home/some.user".
For gidNumber it displays "100" rather than the content of "gidNumber".

SSSD can easily be configured on a non-DC to replace winbind, and it gives the
possibility to configure which LDB attributes are retrieved.
On the DC I'm still facing an incompatibility between Sernet's Samba and the
SSSD package (on CentOS 6 & 7 and Debian 8), so initially I planned to use
winbind in nsswitch.conf and pam.d/* on the DC to be able to check ACLs on the
sysvol folder, but the fact that with winbind all users have "Domain users" as
primary group seems to me an issue for agreeing with that solution...

As far as I understand, wbinfo fills the user's primary group according to the
"primaryGroup" value.

Is there a way to configure winbind to fill the user's primary group using
"gidNumber" rather than "primaryGroup"?

Cheers,

mathias


2015-06-29 11:18 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Thu, 2015-06-25 at 16:27 +0200, mathias dufresne wrote:
> > Hi all,
> >
> > I'm wondering about winbind[d] behaviour.
> > I tried the following with:
> > auth methods = sam winbindd
> > and the same with only one d:
> > auth methods = sam winbind
>
> Please never set these manually.
>
> There are almost no situations where these need to be manually managed,
> the defaults based on the server role will behave correctly and as
> expected.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
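
An added example, not part of the original message or of Samba: a small audit that parses the passwd-format line printed by "wbinfo -i" and reports every field that differs from the attributes stored on the user object, which matters when the resolved primary group decides ownership and ACL checks on sysvol. The directory record, the uidNumber and gidNumber values and the function names are constructed for illustration; the resolved values are the ones quoted in the message.

```python
# Added example: compare a `wbinfo -i` passwd line with directory attributes.
# DIRECTORY and WBINFO_LINE are constructed sample data, not captured output.

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# Constructed stand-in for the attributes an LDAP search would return.
DIRECTORY = {
    "some.user": {
        "uidNumber": "10001",      # assumed value
        "gidNumber": "10000",      # assumed value
        "homeDirectory": "/home/some.user",
        "loginShell": "/bin/bash",
    },
}

# Constructed line using the resolved values described in the message.
WBINFO_LINE = r"AD.DOMAIN\some.user:*:10001:100::/home/AD.DOMAIN/some.user:/bin/false"

# passwd field -> directory attribute it is expected to mirror
MAPPING = {"uid": "uidNumber", "gid": "gidNumber",
           "home": "homeDirectory", "shell": "loginShell"}


def parse_passwd_line(line):
    """Split a passwd(5)-style line and strip the DOMAIN\\ prefix from the name."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    entry["account"] = entry["name"].rsplit("\\", 1)[-1]
    return entry


def audit(line, directory):
    """Return (field, resolved, configured) for every value that differs."""
    entry = parse_passwd_line(line)
    attrs = directory.get(entry["account"])
    if attrs is None:
        return [("account", entry["account"], None)]
    return [(field, entry[field], attrs[attr])
            for field, attr in MAPPING.items()
            if attr in attrs and attrs[attr] != entry[field]]


if __name__ == "__main__":
    for field, resolved, configured in audit(WBINFO_LINE, DIRECTORY):
        print("%-5s resolved=%s configured=%s" % (field, resolved, configured))
```
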

