gpoupdate failing on DC / winbind

Kristján Valur Jónsson kristjan at
Wed Feb 27 10:09:50 UTC 2019

Hello there.
After a discussion on the main samba list, Rowland suggested that I mention
this here.

I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
the new samba_gpoupdate a whirl.
Well, it failed with an inexplicaple error.  Looking at the source, I found
that the python bindings require some work regarding error handling, and
that's something I'm undertaking in the tracker.

However, the real problem was that a low level call to getpwuid(uid) to get
the password entry for my DCs uid was failing.  (again, the reporting of
this failure and handling in the source3/auth library is not nice and
subject to another bug/change)

I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
recommended here: (
and subsequently

However, Rowland states:  " it is my understanding that it is actually
recommended to not
set up the libnss-winbind links on a DC, yet you now seem to be saying
it is required."

And indeed, our three DCs had been running fine for three years with
various generations of samba 4 without having this set up.  I also don't
recall having come across instructions to do so.
In fact, this text is in the generic AD-DC set up page: "If you only have a
small domain (small office, home network) and do not want to follow the
Samba team's recommendation and use the DC additionally as a file server,
configure Winbindd before you start setting up shares. For details,
see Configuring
Winbindd on a Samba AD DC

In fact, I have left out any idmap directives from smb.conf as
recommentded, but still find that this nss bindings are required for the
GPO update thingie.

So, I wanted to draw attention to this.  What is the recommended practice,

Kristján Valur Jónsson, RVX

More information about the samba-technical mailing list