selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Michael Adam obnox at
Wed Feb 18 15:37:47 MST 2015

On 2015-02-19 at 11:06 +1300, Andrew Bartlett wrote:
> On Wed, 2015-02-18 at 11:21 +0100, Michael Adam wrote:
> > My understanding is also that smbd is not
> > functional without the ability to reach out into nss some time
> > because it tries to do getpwnam at times. 
> The only case I'm aware of is for the [homes].  The other cases are
> handled because we go via pdb_samba_dsdb. 

There are more cases, mainly through auth. Example:

-> check_account()
   -> smb_getpwnam()
      -> Get_Pwnam_alloc()


So I am really puzzled that you call this a supported config...

> > Maybe this is just
> > not true with the way smbd is used in the DC environment, but
> > I was not aware. That is the basis of my statement that I
> > consider a DC setup without nss_winbind incomplete, or broken. :)
> OK.  But given that isn't the case, you might now understand my concern
> with your change.

Given the above, I'd still argue that the setup with nss_winbind
is the one we should call supported, and even if there are
special situations where one might get along without it, the the
nss_winbindd setup is to be preferred. So if we were to test just
one of the scenarios, I'd make a strong vote for the nss_winbind

> > If you want to keep the test as it is, I propose to do a special
> > environment for this test only that does not enable nss_winbindd
> > for it. But for other envs / tests we do need it, so I would not
> > want go back the whole way...
> Please restore the test as-was, until you get time to investigate
> further what is going on.  

I will probably not have the resources to deeply investigate in
the very near future. As I said I hoped that someone with more
stakes in the AD/DC and the test itself would assist... :-)

That being said I still think that we have become more realistic in
testing the dc with nss_winbind, and we should not give that up
because we know there is a problem hidden. And as I said above, I
think it is more important to test with nss_winbindd than

So the concession I would be happy to make is to add an environment
for the plugin_s4_dc that does not use nss_winbindd and run the
original test (with 6 instead of 7) against that.

OK for you? - Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list