4.2rc2 and winbindd

Rowland Penny repenny241155 at gmail.com
Mon Oct 20 15:12:49 MDT 2014

On 20/10/14 15:08, Rowland Penny wrote:
> On 20/10/14 14:45, David Mansfield wrote:
>> On 10/20/2014 08:46 AM, Rowland Penny wrote:
>>> On 20/10/14 13:34, Michael Adam wrote:
>>>> Hi Rowland,
>>>> On 2014-10-20 at 13:07 +0100, Rowland Penny wrote:
>>>>> On 20/10/14 12:44, Michael Adam wrote:
>>>>>> Ok. I think the DC-with-winbindd scenario is special here,
>>>>>> just need to understand, how so.
>>>>> I thought that the whole idea of changing 'winbind' to 'winbindd'
>>>>> was to get all the benefits of the established winbind without
>>>>> having to do anything special, you are now saying that 'Something
>>>>> special' may be required, if this is the case, just what is required
>>>>> ????
>>>> There are several points for using winbindd.
>>>> Here are the two (imho) most important ones:
>>>> - Make use of winbindd's ability to speak to other domains
>>>>    (the winbind internal samba component can't), hence enabling
>>>>    support for trusts!
>>>> - Don't maintain two winbind implementations but just one.
>>>> That being said, winbindd is a very versatile, flexible tool
>>>> that can be configured in various ways. So similar to the
>>>> mode of samba starting smbd for file serving, which also
>>>> enforces several parameters for the running smbd (which reflects
>>>> the special purpose for which smbd is run, namely to serve
>>>> SMB in a DC setup), I could imagine that samba enforces
>>>> several parameters to reflect the special situation.
>>>> That's what I meant with special.
>>>> I have not found anything special though with a brief look at
>>>> the code.
>>>> But that being said, of course things should work in the DC
>>>> setup, and you have most certainly found a problem.
>>>> Since I did not have the time yet to dig deeper, I don't know
>>>> the answer yet. So we'll need to do more testing / digging until
>>>> we find it or possibly Andrew can shed some light.
>>>> We should have some nss-level test also in our selftest.
>>>> (If this is not the case, then it needs to be added...)
>>>> The samba-setup for this test (from the selftest provisioning
>>>> code) would tell us how to proceed.
>>>> (Just trying to give a few hints as to where I would look next
>>>> if I had the time right now..)
>>>> Cheers - Michael
>>> Hi Michael, I have the feeling that you would like me to compile 
>>> samba again, this is not a problem except I haven't a clue just how 
>>> to configure the build and then how do I carry out any tests. ?
>>> Rowland
>> Hi Rowland,
>> Just a stab in the dark: with the "old" winbind-on-DC approach (4.0, 
>> 4.1) you had to use the libnss_winbind.so that was built during 
>> compile, which in my case involved symlinking the shared objects into 
>> the /lib64 directory (on centos6). This was not done by "make 
>> install".  Is it possible you are using the "old" libraries still?
> Good thought, but unfortunately wrong ;-)
> I installed samba4 from backports, then ignored it, built samba4.2rc2, 
> altered /etc/init.d/samba-ad-dc to use the samba daemon in 
> /usr/local/samba/sbin, updated PATH and then tried wbinfo, all ok so 
> tried getent, got nothing. Remembered having to create the symlinks 
> from when I did compile samba4, so copied the ones I compiled to where 
> the ones apt-get had installed and getent burst into life, but it just 
> doesn't display the users home directory or login shell.
> Bug report made:
> https://bugzilla.samba.org/show_bug.cgi?id=10886
> Rowland
OK, I have just received an update to my bug report:

--- Comment #1 from Andrew Bartlett<abartlet at samba.org>  ---
Correct, just as the old internal winbind did not ask for these attributes,
nothing has changed with Samba 4.2.  The %U and %D bug is 10852.

So it would seem that we will have to wait until the attributes are 
plumbed in :'(

Until bug 10852 is fixed I suppose the workaround is to add 'server 
service = -winbindd +winbind' to smb.conf on the DC, this will at least 
get you back to where you were before 4.2, or you can do as I will be 
doing, not upgrading until it is fixed.

