Winbind - functionality

Andrew Bartlett abartlet at
Tue Jul 21 16:20:09 MDT 2009

On Tue, 2009-07-21 at 14:21 -0500, MICHAEL BROWN wrote:
> Hello Mr. Bartlett,
> this does indeed allow import of uid/gid information into SAMBA 4 AD backend using non "msSFU" attributes.  Using
> the normal POSIX uid/gid LDAP attributes works great.  I can join SAMBA 3.4 to SAMBA 4 just fine.  The problem I am having
> with SAMBA 3.4 is that SAMBA is not recognizing the groups defined within the share areas within the smb.conf file.
> However, the user is pulled from the AD backend just fine (if the shares are configured with no groups).  Meaning,
> within the smb.conf file, I typically set group access to shares defined as:
> [myshare]
> valid users = @Mygroup, @ThisGroup
> To explain, I don't want to use Winbind at all.
> I have everything configured with nss-ldap within the nsswitch.conf file.
> Also, I have modified my ldap.conf file to pull this information from SAMBA 4's AD backend using the correct attributes
> defined within the Win2008 schema and the groups and users are picked up just like my OpenLDAP backend perfectly.
> Meaning, getent group and shadow pull just like the OpenLDAP backend calls.  I can't point smb.conf to AD via an
> LDAP call because it is wanting SAMBA attributes that are not within the Windows 2008 schema.
> Is there any way I can get SAMBA 3 to recognize the AD groups (just like it does the users) with nss-ldap?

I strongly recommend you use winbindd.  This is the Samba Team's
supported client for AD servers.  

If the problem was so easy that a simple nss_ldap invocation handled it
properly, we would not have 'wasted' so much time on winbind.  It was
developed for a very real reason.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list