gpoupdate failing on DC / winbind

Rowland Penny rpenny at samba.org
Fri Mar 1 14:37:00 UTC 2019


On Wed, 27 Feb 2019 10:09:50 +0000
Kristján Valur Jónsson via samba-technical
<samba-technical at lists.samba.org> wrote:

> Hello there.
> After a discussion on the main samba list, Rowland suggested that I
> mention this here.
> 
> I recently updated from 4.7 to 4.8.9 on my three DCs and decided to
> give the new samba_gpoupdate a whirl.
> Well, it failed with an inexplicable error.  Looking at the source, I
> found that the python bindings require some work regarding error
> handling, and that's something I'm undertaking in the tracker.
> 
> However, the real problem was that a low level call to getpwuid(uid)
> to get the password entry for my DC's uid was failing.  (again, the
> reporting of this failure and handling in the source3/auth library is
> not nice and subject to another bug/change)
> 
> I fixed this issue by adding winbind directives
> into /etc/nsswitch.conf, as recommended here:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> ( and subsequently
> https://wiki.samba.org/index.php/Libnss_winbind_Links)
> 
> However, Rowland states: "it is my understanding that it is actually
> recommended to not
> set up the libnss-winbind links on a DC, yet you now seem to be saying
> it is required."
> 
> And indeed, our three DCs had been running fine for three years with
> various generations of samba 4 without having this set up.  I also
> don't recall having come across instructions to do so.
> In fact, this text is in the generic AD-DC set up page: "If you only
> have a small domain (small office, home network) and do not want to
> follow the Samba team's recommendation and use the DC additionally as
> a file server, configure Winbindd before you start setting up shares.
> For details, see Configuring
> Winbindd on a Samba AD DC
> <https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC>."
> 
> In fact, I have left out any idmap directives from smb.conf as
> recommended, but still find that these nss bindings are required for
> the GPO update thingie.
> 
> So, I wanted to draw attention to this.  What is the recommended
> practice, then?
> 

PING

Why does something that is meant to run on a DC seemingly need the
libnss-winbind links setting up?

Rowland
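
The check this thread turns on, as an added example that is not part of the original messages or of Samba's code: it parses nsswitch.conf text to report which of the passwd and group databases lack a winbind source, and tests whether a uid resolves through getpwuid. The sample files and the function names are constructed for illustration.

```python
import pwd
import re

# Constructed sample files, not taken from the thread.
SAMPLE_WITHOUT = """\
# /etc/nsswitch.conf (constructed sample)
passwd:  files systemd
group:   files systemd
hosts:   files dns
"""
SAMPLE_WITH = """\
passwd:  files winbind   # AD users via libnss_winbind
group:   files [!UNAVAIL=return SUCCESS=return] winbind
hosts:   files dns
"""

def nss_sources(text):
    """Map each NSS database to its ordered list of source names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        # Remove bracketed action items such as [NOTFOUND=return].
        rest = re.sub(r"\[[^\]]*\]", " ", rest)
        table[db.strip()] = rest.split()
    return table

def missing_winbind(text, databases=("passwd", "group")):
    """Return the databases that do not list winbind as a source."""
    table = nss_sources(text)
    return [db for db in databases if "winbind" not in table.get(db, [])]

def uid_resolves(uid):
    """True if getpwuid(uid) finds an entry via the configured NSS sources."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:   # no source returned a passwd entry for this uid
        return False

if __name__ == "__main__":
    import os
    with open("/etc/nsswitch.conf") as fh:
        print("databases without winbind:", missing_winbind(fh.read()))
    print("current uid resolves:", uid_resolves(os.getuid()))
```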


