Winbind - functionality

Tue Jul 21 13:21:46 MDT 2009

Hello Mr. Bartlet,
this does indeed allow import of uid/gid information into SAMBA 4 AD backend using non "msSFU" attributes.  Using
the normal POSIX uid/gid LDAP attributes work great.  I can join SAMBA 3.4 to SAMBA 4 just fine.  The problem I am having
with SAMBA 3.4 is that SAMBA is not recognizing the groups defined within the share areas within the smb.conf file.
However, the user is pulled from the AD backend just fine (if the shares are configured with no groups).  Meaning,
within the smb.conf file, I typically set group access to shares defined as:

valid users = @Mygroup, @ThisGroup

To explain, I don't want to use Winbind at all.
I have everything configured with nss-ldap within the nsswitch.conf file.
Also, I have modified my ldap.conf file to pull this information from SAMBA 4's AD backend using the correct attributes
defined within the Win2008 schema and the groups and users are picked up just like my OpenLDAP backend perfectly.
Meaning, getent group and shadow pull just like the OpenLDAP backend calls.  I can't point smb.conf to AD via an
LDAP call because it is wanting SAMBA attributes that are not within the Windows 2008 schema.
Is there any way I can get SAMBA 3 to recognize the AD groups (just like it does the users) with nss-ldap?


>>> Andrew Bartlett <abartlet at> Wednesday, July 08, 2009 >>>
On Wed, 2009-07-08 at 12:36 -0500, MICHAEL BROWN wrote:
> Hello,
> will it be, or is it, possible to add the rfc2307 schema attributes
> extension to SAMBA 4's AD back-end so that a SAMBA 3 server can join a
> SAMBA 4 AD server and do these lookups from there?  Meaning, SAMBA 3
> can be joined to Windows 2003 R2 so that the UIDs/GIDs are stored in
> AD for POSIX resolution with nss-ldap and would like to know if this
> is possible with SAMBA 4 instead of Windows 2003?  We do not use
> winbind and opted to use OpenLDAP for keeping all of the UIDs/GIDs the
> same over multiple SAMBA servers (version 2).  I have tested SAMBA 3
> joined to Windows 2003 AD but, naturally, would like to use SAMBA 4's
> AD to keep this POSIX information, as well as nss-ldap so that the UID
> and GID information is the same everywhere.  OpenLDAP with MS schema
> and POSIX schema possibly?

Samba4 already has the Windows 2008 schema loaded for this exact
purpose.  We have not yet taken any steps to automatically allocate
uidNumber values into the directory (nor do we use those for the Samba4
file server), but both a very much the plan.

If you fill in the uidNumber attribute, the rest *should* work (do let
me know how well it works, please). 

Andrew Bartlett

Andrew Bartlett 
Authentication Developer, Samba Team  ( )
Samba Developer, Cisco Inc.

NOTICE - This communication may contain confidential and privileged information that is for the sole use of the intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited.  If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

More information about the samba-technical mailing list