[Samba] Member server - group and user mapping with winbind

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Nov 1 18:27:02 GMT 2007

Hi all

I am still unsure of the correct way to configure member servers.

I have one PDC (Samba 3.026a on Solaris 9) and several member servers
(including Samba 3.026a on Solaris 9 and 10, and Samba 3.024 on Fedora
core 6.)  Each machine uses NIS for unix accounts.

The "Samba by Example" book indicates that even if I am using NIS for
user accounts, and not using LDAP for an idmap backend, I still need to
use winbindd to map SIDs.  It isn't clear to me if I do need to
update nsswitch.conf to use winbindd.  I don't think I want to update
nsswitch.conf to use winbindd - after all I still want my unix level
logins (e.g. ssh) to be done against NIS and not "windows" accounts.

If I start smbd and nmbd on a member server, I can connect to a share
from a windows 2000 or XP client.  If I look at the permissions on a
folder, it shows "Unix Account/someuser" or "UnixGroup/somegroup"
instead of "Domain/someuser" or "domain/someaccount."  If I want to
add users, I can browse users or groups from the domain but the
permissions don't hold.  If, after I have already connected to a
share, I then start winbindd, the file permissions will show the
domain component, and I can set permissions.
However, if I start winbindd before I connect to the share, I just get
prompted for a user name and password, and I am unable to connect.
It doesn't matter how I have configured nsswitch.conf, so it seems
that smbd will attempt to use winbindd directly, if available, and not
via the "name service switch" mechanism.

Member server smb.conf includes the following:

     idmap uid = 10000-20000
     idmap gid = 10000-20000
     template shell = /bin/bash
     winbind use default domain = yes
     winbind trusted domains only = no
     winbind enum users = Yes
     winbind enum groups = Yes
     Workgroup = MYDOMAIN
     security = domain
     Password server = MYPDC

Running "wbinfo -u" and "wbinfo -g" on a member server (with winbindd
running) will list my domain users and groups.

I would appreciate it if anyone can shed some light on either what the problem is
or at least can clarify how winbindd should be working.
