Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Dec 21 18:41:41 GMT 2007

I have posted on this subject before but am still running into
problems.  The main question is whether I need to use Winbind in a
single samba domain when each samba server also uses NIS for
centralized unix level authentication.  And if, in fact, I need
winbind do I need it on all the samba servers?  And do I need a
central IDMAP repository or other mechanism to maintain consistent

My interpretation of the "Samba How To" documentation is that
Winbind is not needed in a single samba domain, with multiple samba
servers, if the samba servers are using NIS or LDAP for unix

The "Samba How To" chapter on "Identity Mapping"  has the following
(paraphrased) entry

Domain Member Server or Domain Member Client ->
Winbind is not used; users and groups resolved via NSS ->
user and group accounts are treated as if they are local accounts,
accounts are stored in a shared repository (NIS or LDAP.)  This
configuration may be used with domain
member servers (NT4 or ADS) or PDC

My PDC is Samba 3.026a on Solaris.  I have member servers that are a
mix of Samba 3.026a on Solaris and Samba 3.024a on Linux.  All
machines are using NIS for unix authentication.  Some groups are
explicitly mapped between unix and windows, some aren't.  I am
not (usually) running winbind on either PDC or member server.  I have
not configured nsswitch.conf to use winbind for unix-level

On a member server (from a Windows client), file or folder
permissions are assigned to "unix\someuser."  However, permissions
still work as I expect.  From the Windows perspective, this seems to
be a standalone workgroup machine that happens to have the same user
id and password.  Since the file permissions work this is OK most of
the time.  However, if I try to add or modify permissions under
Windows I run into problems (symptoms depend on if and when winbind
has been started.)

1.  If winbind is not running, I can browse users or groups from the
domain but the permissions don't hold.  Presumably Samba doesn't
match up "mydomain\someuser" with "unix\someuser."  So it looks like
I would need winbind.

2.  If, after I have already connected to a share, I then start
winbind on the member, the file permissions will show the domain
component, and I can set permissions.

3.  However, if I start winbind before I connect to the share, I just
get prompted for a user name and password- and I am unable to connect.

If winbind is running on the member server "wbinfo -u" will list the
domain accounts in "DOMAINNAME\user" format.

Member server smb.conf includes

	idmap uid = 10000-20000
	idmap gid = 10000-20000
	template shell = /bin/bash
	winbind use default domain =  no
	winbind trusted domains only = no
	winbind enum users = Yes
	winbind enum groups = Yes
	name resolve order = host wins  bcast
	workgroup = mydomain
	security = domain
	password server = mypdc

The PDC smb.conf does not include the idmap entries.  If I run
'wbinfo -i "mydomain/someuser" ' on each machine (assuming winbind is
running) it shows a user ID for that user.  On the member server, the
user id's are in the 10000 range.  On the PDC, the user ID matches
the unix user id.  But I am not sure if this is relevant, or if
idmap is only required in a multi-domain environment.  Even if I were
to assign an "idmap uid" range on the PDC, there is no guarantee they
would be assigned in the same order.
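The uid discrepancy described above (winbind handing out 10000-range ids on the member server while NIS and the PDC agree on the real unix uid) is exactly the kind of thing worth checking mechanically on every server before trusting ACLs set from Windows, since a file owned by the winbind-allocated uid is not the same unix account as the NIS one. The following is an added example, not code from the original post: it compares the uid in passwd-format `wbinfo -i` output against the uid in `getent passwd` output and lists every account where the two disagree. It assumes `wbinfo -i` prints one passwd-style line per account with a `DOMAIN\user` name (the assumption is marked in the comments); the sample lines are constructed for illustration, and on a real host you would substitute the live command output.

```shell
#!/bin/sh
# Check whether winbind's idmap allocation agrees with the uid NIS serves
# for the same account.  Added example; sample data below is constructed.

# Constructed sample of `wbinfo -i "MYDOMAIN\user"` output (assumed to be
# passwd format: name:passwd:uid:gid:gecos:home:shell).
WINBIND_LINES='MYDOMAIN\alice:*:10001:10000::/home/MYDOMAIN/alice:/bin/bash
MYDOMAIN\bob:*:10002:10000::/home/MYDOMAIN/bob:/bin/bash'

# Constructed sample of `getent passwd` output served by NIS.
NIS_LINES='alice:x:501:100:Alice:/home/alice:/bin/bash
bob:x:10002:100:Bob:/home/bob:/bin/bash'

# idmap_mismatches WINBIND_TEXT NIS_TEXT
#   Prints "user winbind_uid nis_uid" for each account present in both
#   inputs whose uids differ.  Exit status 0 if every shared account
#   agrees, 1 if at least one mismatch was found.
#   Inputs are passed through the environment (not awk -v) so that the
#   backslash in DOMAIN\user is not treated as an escape sequence.
idmap_mismatches() {
    WB_IN="$1" NIS_IN="$2" awk '
    BEGIN {
        n = split(ENVIRON["WB_IN"], lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] == "") continue
            split(lines[i], f, ":")
            name = f[1]
            p = index(name, "\\")            # strip the DOMAIN\ prefix
            if (p > 0) name = substr(name, p + 1)
            wb[name] = f[3]
        }
        bad = 0
        n = split(ENVIRON["NIS_IN"], lines, "\n")
        for (i = 1; i <= n; i++) {
            if (lines[i] == "") continue
            split(lines[i], f, ":")
            if ((f[1] in wb) && wb[f[1]] != f[3]) {
                print f[1], wb[f[1]], f[3]
                bad = 1
            }
        }
        exit bad
    }'
}

# Stand-alone run against the constructed samples.
if idmap_mismatches "$WINBIND_LINES" "$NIS_LINES"; then
    echo "winbind and NIS agree on every shared uid"
else
    echo "accounts above receive different uids from winbind and NIS" >&2
fi
```

On a live member server the two inputs would be `wbinfo -i "MYDOMAIN\\$u"` for each user of interest and `getent passwd` (or `ypcat passwd`); any line the script prints is an account whose Windows-side ownership and unix-side ownership refer to two different uids, which is the situation the post is describing.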

