gpoupdate failing on DC / winbind
Kristján Valur Jónsson
kristjan at rvx.is
Wed Feb 27 10:09:50 UTC 2019
After a discussion on the main samba list, Rowland suggested that I mention
I recently updated from 4.7 to 4.8.9 on my three DCs and decided to give
the new samba_gpoupdate a whirl.
Well, it failed with an inexplicable error. Looking at the source, I found
that the python bindings require some work regarding error handling, and
that's something I'm undertaking in the tracker.
However, the real problem was that a low level call to getpwuid(uid) to get
the password entry for my DC's uid was failing. (Again, the reporting of
this failure and handling in the source3/auth library is not nice and
subject to another bug/change.)
I fixed this issue by adding winbind directives into /etc/nsswitch.conf, as
and subsequently https://wiki.samba.org/index.php/Libnss_winbind_Links)
However, Rowland states: "it is my understanding that it is actually
recommended to not set up the libnss-winbind links on a DC, yet you now
seem to be saying it is required."
And indeed, our three DCs had been running fine for three years with
various generations of samba 4 without having this set up. I also don't
recall having come across instructions to do so.
In fact, this text is in the generic AD-DC set up page: "If you only have a
small domain (small office, home network) and do not want to follow the
Samba team's recommendation and use the DC additionally as a file server,
configure Winbindd before you start setting up shares. For details,
Winbindd on a Samba AD DC
In fact, I have left out any idmap directives from smb.conf as
recommended, but still find that these nss bindings are required for the
GPO update thingie.
So, I wanted to draw attention to this. What is the recommended practice,
Kristján Valur Jónsson, RVX
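
A diagnostic for the failure described in the message above, added here as an example; it is not code from the post or from Samba. It reports which of the `passwd` and `group` databases in an nsswitch.conf do not list `winbind`, and repeats the `getpwuid(uid)` lookup. The function names and the two sample files are constructed for illustration.

```python
import os
import pwd
import re

# Constructed sample nsswitch.conf contents (not taken from the post).
NSS_WITHOUT_WINBIND = "# sample\npasswd: files systemd\ngroup: files systemd\nhosts: files dns\n"
NSS_WITH_WINBIND = "passwd: files winbind\ngroup: files winbind\nhosts: files dns\n"


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        # Drop bracketed action specs such as [NOTFOUND=return].
        databases[name.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return databases


def missing_winbind(text, wanted=("passwd", "group")):
    """List the databases in `wanted` whose source list lacks winbind."""
    dbs = parse_nsswitch(text)
    return [db for db in wanted if "winbind" not in dbs.get(db, [])]


def resolve_uid(uid):
    """Repeat the getpwuid(uid) lookup; None means NSS returned no entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


if __name__ == "__main__":
    path = "/etc/nsswitch.conf"
    if os.path.exists(path):
        with open(path) as fh:
            print("databases without winbind:", missing_winbind(fh.read()))
    uid = os.getuid()
    print("getpwuid(%d) -> %r" % (uid, resolve_uid(uid)))
```

Run it as the account the Samba processes use, since the lookup that matters is the one for that uid.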