Samba 4 and winbind

Colin Simpson Colin.Simpson at
Fri Apr 19 08:42:39 MDT 2013

On Fri, 2013-04-19 at 12:01 +0100, Rowland Penny wrote:
> On 19/04/13 08:41, Stefan (metze) Metzmacher wrote:
> > Am 18.04.2013 20:04, schrieb Jeremy Allison:
> >> On Thu, Apr 18, 2013 at 07:01:43PM +0100, Rowland Penny wrote:
> >>> On 15/04/13 21:52, Jeremy Allison wrote:
> >>>> On Mon, Apr 15, 2013 at 07:35:03PM +0100, Rowland Penny wrote:
> >>>>> OK, listen to bug 9795, but in my opinion ( for what it is worth )
> >>>> Thanks !
> >>>>
> >>>>> winbind is rubbish, god knows how many backends and setting options,
> >>>>> have you looked at sssd lately?
> >>>> Yes, quite recently actually. What you have to remember is
> >>>> that winbindd has been developed for a long time, and we've
> >>>> been learning along the way - the developers of sssd were
> >>>> some of the people who also added the backends and setting
> >>>> options to winbindd, as they were also learning how this
> >>>> thing should be done.
> >>>>
> >>>> sssd is an excellent solution, and the developers of sssd
> >>>> had the benefits of being able to learn from how winbindd
> >>>> was developed and any mistakes that were made along the way
> >>>> (many of which you still see as legacy support for the many
> >>>> backends and setting options :-).
> >>>>
> >>>>> Also they say that the truth hurts.
> >>>> No, directionless moaning without purpose hurts :-). The
> >>>> truth is always welcome :-).
> >>>>
> >>>> Jeremy
> >>>>
> >>>>
> >>> Hi, I have just updated bug 9795 with what I believe is the problem,
> >>> S4 winbind requires posix objectclasses but if you add the unix
> >>> attributes via windows ADUC, you do not get them, so by my reading,
> >>> winbind shouldn't require them.
> >> Roland,
> >>
> >> I just want to say a big THANK YOU for doing this,
> >> very much in the spirit of Free Software/Open Source !
> >>
> >> This is a very good resolution to the problem, and
> >> allows us something actionable that we can now work
> >> on and get fixed.
> > That sounds like
> > which is fixed in 4.0.5...
> >
> > metze
> >
> I have now upgraded from 4.0.4 to 4.0.5 and can confirm that S4 builtin
> winbind now works without the posix objectclasses, thanks for that,
> great work, but I presume that the S3 winbind still requires the posix
> objectclasses and what about the separate S4 winbind?
> Rowland
> ps Geremy, could you please stop misspelling my name :-)

I'm guessing it's okay in the S3 winbind. I have S3 winbind set up
against a pure Windows 2003 AD with RFC2307 schema extensions
environment. My users have the following objectClasses:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: top
objectClass: group

S3 Winbind with the "ad" backend and the rfc2307 schema_mode seems okay
with these.

You seem to have addressed one of my Winbind questions I posted in my
"Winbind/Samba RFC2307 Roadmap" question (I must re-ask if I can help
with this in any way, since no reply to this). Quoting myself:


Additionally, last time I tried I noticed the add user commands don't seem
to be able to add Unix attributes, which means people have hand rolled
their own, and some of these scripts do things that Windows AD doesn't
for Unix users and groups, for example setting objectClass
"posixAccount" and "posixGroup", this won't interop easily with a Windows
DC, I'd imagine.

Even though Windows uses RFC2307 it isn't pure RFC2307, (it's been a
while since I set up a clean AD forest) Windows seems to basically put
the RFC2307 attributes into the standard AD objectClass "Person" and
objectClass "group". I'd have thought Samba 4's useradding should allow
adding RFC2307 attributes, and should add them the same way that AD
Users and Computers does, to existing user and group objects. Maybe I'm
behind the times on this one and this is fixed.


Seems it has...great work. And answers my question, why people's hand
rolled scripts add the posixAccount and posixGroup objectclasses, the S4
winbind couldn't handle not having them!





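An added example, not part of the original thread: a small LDIF audit that separates entries carrying RFC2307 ID attributes without a posix objectClass (the layout the thread attributes to AD Users and Computers) from entries that hand-rolled scripts tagged with posixAccount or posixGroup. The sample entries, the example.com names and the three classification labels are constructed for illustration.

```python
import re

# Constructed sample LDIF (not from the thread).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: person
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
objectClass: posixAccount
uidNumber: 10002

dn: CN=unixusers,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 10000

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
"""

POSIX_CLASSES = {"posixaccount", "posixgroup"}
ID_ATTRS = {"uidnumber", "gidnumber"}

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; handles folded lines, not base64."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs

def classify(attrs):
    """Label an entry by how (or whether) its Unix identity is expressed."""
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if classes & POSIX_CLASSES:
        return "posix-objectclass"
    has_ids = any(a in attrs for a in ID_ATTRS)
    return "rfc2307-attrs-only" if has_ids else "no-unix-attrs"

def audit(text):
    return {dn: classify(attrs) for dn, attrs in parse_ldif(text)}

if __name__ == "__main__":
    for dn, kind in audit(SAMPLE_LDIF).items():
        print(f"{kind:20} {dn}")
```

Entries labelled `rfc2307-attrs-only` are the ones whose ID mapping depends on the consumer not requiring the posix objectClasses.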