How I got winbind to work with rh71/samba_2_2 and win2k (PDC)

jtrostel at jtrostel at
Thu Sep 20 12:04:05 GMT 2001

Here is my procedure to get winbind running with (a fairly recent) CVS of

A. Shutdown samba smbd, nmbd and winbindd daemons

        1. kill all smbd's
        2. kill all nmbd's
        3. kill all winbindd's

B. Make a clean version of samba to test with
        as root, in the samba/source directory

        1. # rm -rf /usr/local/samba
                (gets rid of any old samba you may have)
                (*** save ../lib/smb.conf if you want to reuse it)

        2. # make clean

        3. # rm config.cache

        4. # ./configure --with-pam --with-winbind (--with-acl-support)
                (I use XFS acls; you don't need them to use winbind)

        5. # make

        6. # make install
                (puts the stuff in /usr/local/samba by default)

        7. # cp nsswitch/ /lib

        8. # ln -s /lib/ /lib/

        9. # cp nsswitch/ /lib/security/

        10. edit nsswitch.conf

                passwd:     files nisplus winbind
                shadow:     files nisplus winbind
                group:      files nisplus winbind
           (note: group needs winbind entry too!)

        11. # /sbin/ldconfig -v | grep winbind
                (makes libnss_winbind available and checks)

        12. copy proper smb.conf into /usr/local/samba/lib

        13. # /usr/local/samba/bin/smbpasswd -j DOMAIN
                (where DOMAIN is the domain of your PDC)

        14. # /usr/local/samba/bin/winbindd
                (starts up the winbindd daemon)

        15. # ps -ae | grep winbindd
                (make sure winbindd started ok)

        16. # /usr/local/samba/bin/wbinfo -u
                (should give a list containing local AND domain users)

        17. # /usr/local/samba/bin/wbinfo -g
                (should give a list containing local AND domain groups)

        18. # getent passwd
                (should give a list containing local AND domain users)

        19. # getent group
                (should give a list containing local AND domain groups)

C. Now need to fix the pam.d files!

        1. to enable authentication and accounts from local and DOMAIN users
                change /etc/pam.d/samba to:

                auth required /lib/security/
                account required /lib/security/

        2. Other pam.d files:  I'm working on them ;->

D. restart smbd and nmbd
        1. # /etc/rc.d/init.d/smb restart
        (note: I have 'fixed' /etc/rc.d/init.d/smb to run smbd and nmbd from

I can now connect to my share as a user who exists ONLY in the domain (i.e.,
not a local user at all) and create and modify files.  For instance, I have a
user CEO/burdell (domain CEO, user burdell) who doesn't exist in my local
/etc/passwd or my /usr/local/samba/private/smbpasswd files.  I can log in from
a windows box as 'burdell' and files are created in the share with owner

[jt at jtsdevel jt]$ ls -l /mnt/xfs_part/bu*

-rwxrwxr--    1 CEO\burd root     37 Sep 20 14:32 /mnt/xfs_part/burdell's.txt

(Using XFS ACLs)
[jt at jtsdevel jt]$ getfacl /mnt/xfs_part/bu*

getfacl: Removing leading '/' from absolute path names
# file: mnt/xfs_part/burdell's.txt
# owner: CEO\burdell
# group: root

My smb.conf file:

        workgroup = CEO
        netbios name = JTSDEVEL
        server string = JTs devel machine XFS Samba Server
        printing = bsd
        printcap name = /etc/printcap
        load printers = yes
        guest account = guest
        encrypt passwords = Yes
        update encrypted = Yes
        os level = 0
        preferred master = False
        local master = No
        domain master = False
        security = domain
        password server = ZEPHYR 
        smb passwd file = /usr/local/samba/private/smbpasswd
        debug level = 1
        wins server =
        name resolve order = wins host bcast
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes

        path = /mnt/xfs_part
        public = yes
        read only = No
        inherit permissions = yes
        create mask = 777
        force create mode = 0
        directory security mask = 777
        force directory security mode = 0

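A small shell check for step B.10 and for the winbind uid range in the smb.conf above, added here and not part of the original post: it reports which nsswitch.conf databases still lack a winbind entry, and which local accounts already sit inside the "winbind uid" range (a local UID inside that range could collide with one winbind hands out). The three input files are constructed samples written to a temp dir so the script runs stand-alone.

```shell
#!/bin/sh
# Constructed sample inputs (not a real system's files), written to a temp dir.
WORK=$(mktemp -d)

cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     files nisplus winbind
shadow:     files nisplus winbind
group:      files nisplus
EOF

cat > "$WORK/smb.conf" <<'EOF'
        winbind uid = 10000-20000
        winbind gid = 10000-20000
EOF

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jt:x:500:500:John:/home/jt:/bin/sh
svc:x:10005:10005:stray service account:/var/svc:/bin/false
EOF

# Print each of passwd/shadow/group whose nsswitch.conf line has no "winbind"
# entry. Empty output means all three are wired up (step B.10; note that
# "group" is the one people forget).
nss_missing_winbind() {
    for db in passwd shadow group; do
        grep -E "^[[:space:]]*$db:" "$1" \
            | grep -Eq '(^|[[:space:]])winbind([[:space:]]|$)' || echo "$db"
    done
}

# Print local accounts whose UID falls inside the "winbind uid = LO-HI"
# range taken from smb.conf. Any hit is an overlap worth fixing before
# winbind starts mapping domain users into that range.
local_uids_in_winbind_range() {
    range=$(sed -n 's/^[[:space:]]*winbind uid[[:space:]]*=[[:space:]]*//p' "$2" \
            | tr -d '[:space:]')
    lo=${range%-*}; hi=${range#*-}
    awk -F: -v lo="$lo" -v hi="$hi" '$3 >= lo && $3 <= hi { print $1 }' "$1"
}

echo "nsswitch databases missing winbind: $(nss_missing_winbind "$WORK/nsswitch.conf")"
echo "local accounts inside winbind uid range: $(local_uids_in_winbind_range "$WORK/passwd" "$WORK/smb.conf")"
```

Run it against the real /etc/nsswitch.conf, /etc/passwd and smb.conf by swapping the paths; both checks should print nothing.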
John M. Trostel
Senior Software Engineer
Quantum / SnapAppliances
jtrostel at

