4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Sun Oct 19 06:46:37 MDT 2014

OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a 
test DC. This was set up to test the new (old?) winbindd. From what I 
have read this is exactly the same daemon that would be run if I set up a 
client and presumably needs the same configuration in smb.conf.

Therefore, after provision, I changed smb.conf to this:

# Global parameters
[global]
         workgroup = EXAMPLE
         realm = example.com
         netbios name = DEBDC
         server role = active directory domain controller
         dns forwarder =
         idmap_ldb:use rfc2307 = yes
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = secrets and keytab
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         winbind expand groups = 4
         winbind nss info = rfc2307
         winbind refresh tickets = Yes
         winbind normalize names = Yes
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         idmap config HOME : backend  = ad
         idmap config HOME : range = 10000-999999
         idmap config HOME : schema_mode = rfc2307
         log level = 9

# share headers below assumed from the standard provision layout; they are
# missing from the archived copy of the post
[netlogon]
         path = /usr/local/samba/var/locks/sysvol/example.com/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

This is based on a working samba 4.1.6 client.

I gave Domain Users a gidNumber, created a user, gave the user a 
uidNumber and the loginShell & unixHomeDirectory attributes.

Everything else is setup as standard.

wbinfo -u shows all domain users, wbinfo -g shows all domain groups.

getent passwd & getent group do not display anything from the domain.

getent group Domain\ Users displays:


getent passwd rowland displays:

rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false

As you can see, like the old builtin winbind, the user's uidNumber and 
the Domain Users gidNumber are displayed. The unixHomeDirectory & 
loginShell attributes do not seem to be pulled from AD; are they 
supposed to be?

Am I barking up the wrong tree? Am I doing something wrong or not doing 
something I should?
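An added example, not part of the post above and not Samba's own code: a small checker that parses the [global] section quoted in the post (embedded below as constructed input) and reports the settings a practitioner would look at first when winbindd returns uid/gid numbers but no rfc2307 shell or home directory. It applies domain-member semantics: winbindd keys "idmap config DOMAIN : ..." on the NetBIOS domain name, so an entry for a domain other than the workgroup falls through to the "*" backend, overlapping ranges let two backends hand out the same id, and the rfc2307 attributes are only read through an "ad" backend for that domain. Whether a 4.2rc2 DC honours "winbind nss info" at all is the question the post asks and is not settled here. All function names are this example's own.

```python
"""Sanity checks for the idmap / winbind part of an smb.conf.

Added example (not the post's or Samba's code). It parses smb.conf text and
flags the mistakes that make winbindd quietly ignore a per-domain idmap
backend: an 'idmap config DOMAIN' entry whose DOMAIN is not the workgroup,
overlapping id ranges, and 'winbind nss info = rfc2307' without an 'ad'
backend for the workgroup. SMB_CONF is constructed from the post's [global].
"""
import re
from collections import defaultdict

SMB_CONF = """\
[global]
        workgroup = EXAMPLE
        realm = example.com
        netbios name = DEBDC
        server role = active directory domain controller
        dns forwarder =
        idmap_ldb:use rfc2307 = yes
        winbind nss info = rfc2307
        winbind use default domain = yes
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config HOME : backend  = ad
        idmap config HOME : range = 10000-999999
        idmap config HOME : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^idmap config (\S+) : (\S+)$")


def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lower-cased and
    internal whitespace collapsed, which is how smbd/winbindd compare them."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return dict(sections)


def idmap_domains(global_section):
    """Group 'idmap config DOMAIN : option' parameters per (upper-cased) domain."""
    domains = defaultdict(dict)
    for key, value in global_section.items():
        m = IDMAP_RE.match(key)
        if m:
            domains[m.group(1).upper()][m.group(2)] = value
    return dict(domains)


def parse_range(value):
    """'2000-9999' -> (2000, 9999)."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_idmap(global_section):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    workgroup = global_section.get("workgroup", "").upper()
    domains = idmap_domains(global_section)

    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config * : backend' default; winbindd needs one")

    # Per-domain idmap settings are keyed on the NetBIOS domain name, so a
    # name that is not the workgroup silently falls through to '*'.
    for dom in domains:
        if dom not in ("*", workgroup):
            findings.append(
                f"'idmap config {dom}' does not match workgroup {workgroup!r}; "
                f"{workgroup!r} will use the '*' backend instead")

    # Overlapping ranges let two backends allocate the same uid/gid.
    ranges = {d: parse_range(s["range"]) for d, s in domains.items() if "range" in s}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a!r} and {b!r} overlap")

    # loginShell/unixHomeDirectory only come through the 'ad' backend.
    if global_section.get("winbind nss info", "").lower() == "rfc2307":
        if domains.get(workgroup, {}).get("backend") != "ad":
            findings.append(
                f"'winbind nss info = rfc2307' set but {workgroup!r} has no "
                f"'idmap config {workgroup} : backend = ad'")
    return findings


def findings_for(text):
    """Convenience wrapper: findings for the [global] section of smb.conf text."""
    return check_idmap(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for finding in findings_for(SMB_CONF) or ["no findings"]:
        print(finding)
```

Run against the post's configuration it reports that the "idmap config HOME" entries do not match the EXAMPLE workgroup and that, as a result, EXAMPLE has no "ad" backend to read rfc2307 attributes through; renaming HOME to EXAMPLE clears both findings.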
