[Samba] Winbind + NIS + winbind trusted domains

Christoph Scheeder christoph.scheeder at scheeder.de
Wed Dec 15 10:36:38 GMT 2004

That behavior is logically correct, I would say.
What happens is:
the user is found from NIS, and gets a userid not from the winbind range.
As a result Samba is not able to verify this uid against the AD, as it 
is not an AD user id.
I guess to achieve what you want you would have to add the NIS users to 
the local smbpasswd database with the correct username and password and 
tell Samba to look up users first in the local database and then in AD.
But I don't know if this is possible, I never tried it.

Question to the developers:

If the AD mode is implemented as a normal TDB backend I guess it would
work, but I think this is a little bit of a different beast, isn't it?
Wouldn't it be a nifty feature for future versions of Samba, giving it
much more flexibility?

Plant, Dean wrote:
> Hello list,
> I need to set up a samba file server with user access from a Windows AD
> domain and a separate Solaris NIS domain. All of our users have an account
> on the AD domain but only some of our users have a Unix account. I would
> like Windows users that have a Unix account to have files written as per
> their Unix uid and users that do not have an account to have a uid assigned
> from winbind. 
> I had thought of using winbind with
> winbind trusted domains only = yes 
> with the nsswitch.conf file listing 
> passwd:     files winbind nis
> shadow:     files winbind nis
> group:      files winbind nis
> which I thought would match known user names to NIS ids and unknown user
> names to winbind uids. This does not work as I expected as all users are
> given winbind uids.
> If I change nsswitch.conf to 
> passwd:     files nis winbind
> shadow:     files nis winbind
> group:      files nis winbind
> Users that have Unix accounts are given the NIS uid but users without a Unix
> account are asked for a username/password when connecting to Samba.
> Can anyone confirm that what I am trying to do is possible and if so any
> ideas what I have missed.
> I am testing with 3.0.9 on FC3
> My smb.conf below
> [global]
> workgroup = AD
> server string = Samba
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ads
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> name resolve order = wins bcast
> wins server =
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> password server = *
> winbind trusted domains only = yes
> winbind use default domain = no
> Thanks in advance
> Dean Plant
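
A small model of the lookup order discussed in this thread, added here as an example and not part of either poster's message: it applies the NSS first-match rule to the two `passwd:` orderings from the question and flags whether the resulting uid falls inside the `idmap uid` range from the posted smb.conf. The per-source user tables (alice, bob and their uids) are constructed, and the model assumes winbind can answer for every AD user.

```python
import re

def parse_idmap_range(smb_conf):
    """Return the 'idmap uid' range found in smb.conf text."""
    m = re.search(r"^\s*idmap uid\s*=\s*(\d+)\s*-\s*(\d+)", smb_conf, re.M)
    if not m:
        raise ValueError("no 'idmap uid' line found")
    return range(int(m.group(1)), int(m.group(2)) + 1)

def passwd_sources(nsswitch_conf):
    """Return the ordered source list of the passwd: line."""
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("passwd:"):
            tokens = line.split(":", 1)[1].split()
            # Skip action items such as [NOTFOUND=return]; not modelled here.
            return [t for t in tokens if not t.startswith("[")]
    raise ValueError("no passwd: line found")

def resolve(user, sources, tables, idmap):
    """First source that knows the user wins (default NSS behaviour).
    Returns (source, uid, uid_in_winbind_range) or None if unknown."""
    for src in sources:
        uid = tables.get(src, {}).get(user)
        if uid is not None:
            return src, uid, uid in idmap
    return None

# Constructed sample data: alice has a Unix (NIS) account, bob is AD-only.
TABLES = {
    "files": {"root": 0},
    "nis": {"alice": 1001},
    "winbind": {"alice": 16777216, "bob": 16777217},
}
SMB_CONF = "idmap uid = 16777216-33554431\nidmap gid = 16777216-33554431\n"
ORDER_A = "passwd:     files winbind nis\n"   # first ordering in the question
ORDER_B = "passwd:     files nis winbind\n"   # second ordering in the question

def report(nsswitch_conf):
    """Resolve both sample users under the given nsswitch.conf text."""
    idmap = parse_idmap_range(SMB_CONF)
    sources = passwd_sources(nsswitch_conf)
    return {u: resolve(u, sources, TABLES, idmap) for u in ("alice", "bob")}

if __name__ == "__main__":
    for conf in (ORDER_A, ORDER_B):
        print(conf.strip(), "->", report(conf))
```

With the second ordering, alice resolves through NIS to a uid outside the idmap range, which is the situation the reply describes.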
