[Samba] winbindd- confused about when to use

Ken Gunderson kgunders at teamcool.net
Wed May 3 06:40:27 GMT 2006


I come to Samba with a strong Unix background but weak on the MS
networking side.  Hence I've read a lot of the Samba documentation, more
than once...  Something that continues to confuse me, however, is
whether or not I want/need winbindd for the task at hand.

Objective:  replace aged NT4 domain/file server w/Samba based file


1) approx. 25 users.  stable staff environment w/low to no turnover.
slow to no growth.

2) All workstations run Windows XP Pro.  Only 1-2 mobile users w/
notebook pc's.

3) End users are low tech.  No need to provide Unix shell, ftp, etc.,
accounts (sysadmin personnel are all unix geeks and use ssh).  

4) email, webmail, etc. runs on dedicated servers using separate
authentication systems.

5) sso is not a big win for this environment, although might be nice to
migrate to LDAP backend after Samba4 goes stable so as to integrate
email auth, address books, etc.  OTOH, the complexities of LDAP might
not be worth it for such small environment.

6) only two groups, membership and accounting.  And only two
members in the latter.  Don't think I need complexities of nested
groups (but then I'm also not enough of an MS guy to make that call
confidently at this juncture...).  I'll add a managers group so
management can snoop w/o having full domain admin rights.

7) posix acl's seem to work nicely with FreeBSD and Samba:)

8) stackable vfs to do some av scanning.

9) 2 network printers and too many cheap low end parallel, usb, etc
inkjets that came bundled w/cheap Dell deals...  None of the inkjets
need to be accessed other than by local machine.  CUPS for the two
network printers.

10) Roaming profiles- not implemented in current scheme but will use on
Samba replacement and begin to do more with profiles and management on
backend side of things.

Given the above criteria it seems pretty simple config w/Samba as
PDC running TDB supplemented w/some POSIX ACL's for group access, and
clamav to handle some anti-virus scanning.  I've gotten most all this
working in test environment.  That machine went away and is being used
for other things so I no longer have the luxury;(

I will soon roll out production machine something along the lines of
above but I am unclear as to whether I should use winbindd.  It is
unlikely any additional domain member servers will need to be added in
near future.  Password sync is not an issue since all we need to be
concerned with is local tdb.  There MAY be some need down the road to
set up Squid proxy- mostly so management can track what employees are
doing on the web during company time (history of abuse in the past
but they have been waffling on this for some time). ntlm_auth may or may
not be a part of that picture. Too early to say at this juncture. I
don't know enough about MS nested and local vs. domain groups to
make an informed decision.  The last paragraph here discussing foreign
SIDs concerns me somewhat:


E.g., if a user shows up with a notebook that is not part of domain.
Assuming guest account is disabled they're not going to be granted any
access whatsoever unless they know user/pass/domain credentials,
correct? In which case they probably are authorized.  So I'm not clear
on the foreign SID bit..

In absence of evidence to the contrary my inclination is to skip the
added complexity and forgo winbindd.  But I also don't want to get
caught in a bind 6 months down the road if some new criteria emerges
that requires nested groups, ntlm_auth, etc.  

Sorry for the long winded post and so many questions.  I have an
awareness of this stuff but not the experience to make a clear
decision.  So I'm in search of enlightenment....  TIA for your

Best regards,

Ken Gunderson

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
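As an added example, not from the original post or from the Samba project, here is an outline of what a Samba 3 smb.conf for the setup described above could look like: a tdbsam PDC with POSIX ACLs, roaming profiles and CUPS, with the winbindd-related lines grouped and marked. The workgroup and host names, share paths, idmap ranges and the FreeBSD `pw` invocation are assumptions; `vscan-clamav` is the third-party samba-vscan VFS module, not part of Samba itself, and its module name and config path are assumptions too. The point the layout is meant to make is which parts depend on winbindd: a tdbsam PDC authenticates its own domain users without it, while `winbind nested groups` and the Squid NTLM helper `ntlm_auth --helper-protocol=squid-2.5-ntlmssp` both need winbindd running, so those are the future requirements that would pull it in.

```ini
# Added example (not from the post or the Samba project): Samba 3 PDC with
# tdbsam, POSIX ACLs and roaming profiles. Names, paths and ranges are
# assumptions chosen for illustration.
[global]
    workgroup = EXAMPLE
    netbios name = PDC1
    server string = File and print server
    security = user
    passdb backend = tdbsam

    # Act as the domain's PDC
    domain logons = yes
    domain master = yes
    preferred master = yes
    os level = 65

    # Roaming profiles and home drive mapping for XP clients
    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\%N\%U

    # Machine accounts created on domain join (FreeBSD pw; path assumed)
    add machine script = /usr/sbin/pw useradd -n %u -d /nonexistent -s /usr/sbin/nologin -c "Machine account"

    # Map POSIX ACLs to NT ACLs so Windows users can manage group access
    nt acl support = yes
    inherit acls = yes
    map acl inherit = yes

    # CUPS for the two network printers
    printing = cups
    printcap name = cups
    load printers = yes

    # --- winbindd-related settings ---
    # Only take effect with winbindd running on this host. Not needed for a
    # tdbsam PDC to authenticate its own users; needed for nested groups and
    # as the backend for ntlm_auth (e.g. a Squid NTLM helper).
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind nested groups = yes

[netlogon]
    path = /var/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no

[accounting]
    path = /data/accounting
    valid users = @accounting, @managers
    read only = no
    # samba-vscan (third-party) on-access scanning via clamd; module name
    # and config path are assumptions.
    vfs objects = vscan-clamav
    vscan-clamav: config-file = /usr/local/etc/samba/vscan-clamav.conf
```

Run `testparm` after editing to check the syntax and see which defaults apply; if winbindd is not started, the idmap and winbind lines are simply inert and the PDC still serves the domain from tdbsam.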
