Winbind - functionality

Wed Jul 22 17:09:25 MDT 2009

I figured out what was wrong.  I was missing a mssfu attribute
when I did my user and group import into samba 4's backend
from openldap..
Samba 3 joined to samba 4 AD using nss-ldap does indeed
work in that uid/gid is resolved by samba and nss-ldap.  I
am sure winbind will work as well using idmap.


>>> Andrew Bartlett <abartlet at> 07/21/09 5:21 PM >>>
On Tue, 2009-07-21 at 14:21 -0500, MICHAEL BROWN wrote:
> Hello Mr. Bartlet,
> this does indeed allow import of uid/gid information into SAMBA 4 AD backend using non "msSFU" attributes.  Using
> the normal POSIX uid/gid LDAP attributes work great.  I can join SAMBA 3.4 to SAMBA 4 just fine.  The problem I am having
> with SAMBA 3.4 is that SAMBA is not recognizing the groups defined within the share areas within the smb.conf file.
> However, the user is pulled from the AD backend just fine (if the shares are configured with no groups).  Meaning,
> within the smb.conf file, I typically set group access to shares defined as:
> [myshare]
> valid users = @Mygroup, @ThisGroup
> To explain, I don't want to use Winbind at all.
> I have everything configured with nss-ldap within the nsswitch.conf file.
> Also, I have modified my ldap.conf file to pull this information from SAMBA 4's AD backend using the correct attributes
> defined within the Win2008 schema and the groups and users are picked up just like my OpenLDAP backend perfectly.
> Meaning, getent group and shadow pull just like the OpenLDAP backend calls.  I can't point smb.conf to AD via an
> LDAP call because it is wanting SAMBA attributes that are not within the Windows 2008 schema.
> Is there any way I can get SAMBA 3 to recognize the AD groups (just like it does the users) with nss-ldap?

I strongly recommend you use winbindd.  This is the Samba Team's
supported client for AD servers.  

If the problem was so easy that a simple nss_ldap invocation handled it
properly, we would not have 'wasted' so much time on winbind.  It was
developed for a very real reason.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.

NOTICE - This communication may contain confidential and privileged information that is for the sole use of the intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited.  If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.

More information about the samba-technical mailing list