selftest: re-enable nss_winbind via nss_wrapper in the test-envs.

Björn JACKE bj at SerNet.DE
Thu Feb 19 03:53:36 MST 2015

On 2015-02-18 at 11:21 +0100 Michael Adam sent off:
> Hmmm. I don't see what this has to do with a general purpose
> file server. My understanding was that a DC without nss_winbind
> is incomplete. My understanding is also that smbd is not
> functional without the ability to reach out into nss some time
> because it tries to do getpwnam at times. Maybe this is just
> not true with the way smbd is used in the DC environment, but
> I was not aware. That is the basis of my statement that I
> consider a DC setup without nss_winbind incomplete, or broken. :)

I definetely don't consider this as incomplete or broken. Actually I strongly
prefer AD DC setups without nss_winbind. As we should have no more than the
sysvol share on a DC the uglyness of non-resolved uids in the filesystem is not
a big deal at all and we have reduced complexity. The most striking argument
why I decided to avoid nss_winbind on AD DCs was the fact that by default
Administrator gets the uidnumber 0 assinged. This screwes up root's account
occasionally. See . On a member
server this nasty uidnumber 0 is being filtered out by the uid range of the
domain. On a DC nss_winbind screws the system up if such bad uidnumbers are
assinged in AD.

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  ☎ +49-551-370000-0, ℻ +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <>

More information about the samba-technical mailing list