[Samba] Re: Winbindd on a pdc??

Frank Van Damme frank.vandamme at gmail.com
Fri Sep 21 18:34:37 GMT 2007

On 9/20/07, Frank Van Damme <frank.vandamme at gmail.com> wrote:
> Hello,

Replying to myself here. Some more brainwork and a clarifying
conversation on IRC have shed more light on these affairs. Also, in
some part I must have skipped or overlooked, the LDAP directory in the
example was provisioned with Posix accounts. Which changes matters :-)


> I'm not sure I understand this part and could be helped if someone
> did a sanity check on my reasoning below. As far as I understood,
> there are two ways to resolve a windows sid to a Unix uid:
> 1. if your users are in a Windowsy database, like Active Directory, or
> if we're speaking about Samba member servers, your unix users do not
> exist in the local passwd database. In these cases, you can use
> winbind to authenticate users and to get (via nsswitch?) a unix user
> id that matches your windows user (and it saves those mapping in the
> passdb for reuse).

Clear question mark after nsswitch. All username-to-uid resolving goes
through nsswitch on a Linux box.

> 2. You use LDAP, and (I expected it to function like this) Samba
> authenticates the incoming connections to LDAP (it searches for a
> "sambaSamAccount" object with the correct "cn"). It knows what the
> unix uid is, because the very same object is also a posixAccount and
> shadowAccount with a "uidNumber" - so there we are, samba nor nsswitch
> need winbind, since all the information is in LDAP. Earlier on in the
> chapter, nsswitch.conf is configured to look up passwd, shadow and
> group information through LDAP (see 5.4.2, PAM and NSS Client
> Configuration).

Not quite correct, Samba never looks up the uidNumber directly in ldap
but only uses the Samba attributes of the object to do Windows
Then, it asks the OS (which uses nss on Linux/Unix) to return a uid
for the username. NSS uses nss_ldap to get this info from the LDAP

> But then again, I first fiddled with LDAP to put my unix id's in the
> database. So, what I believe is that in the example, unix user id's
> are still generated "old style" in the same way as with eg tdbsam, so
> user connects, samba looks up the user in LDAP, authenticates him,
> then uses winbindd to resolve the Unix uid of that Windows user. It
> will first look in the idmap ou of our LDAP directory if there's
> already a mapping for that user, else create one, then return the uid
> value.

So no, that's not what happens. If the Unix box is a Samba PDC with an
LDAP backend, the posix accounts apparently MUST be in LDAP. Winbindd
is only used to return a uid on member servers of an MS or Samba

> So, come to think of it, nsswitch is probably configured to use files
> and ldap so winbindd can do a proper, reliable job of choosing the
> right uid to chain to the windows sid. Or does winbindd not use
> nsswitch? I can imagine so because it would probably create a nice
> infinite loop if you're also trying to use winbind to let your users
> which are, let's say, in Active Directory or on an NT server, log in
> to the Unix machine.

NSS is using files and ldap but not for winbind, it simply returns the
uid and period. Winbind is used by NSS (sometimes), not the other way

> How many mistakes did I make? :-)

A few :-p

Frank Van Damme

A: Because it destroys the flow of the conversation
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mails or on usenet?
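As an added illustration (not part of this mail thread, and not Samba's own code): a small check of the resolution chain the reply describes on an LDAP-backed PDC. Samba authenticates from the sambaSamAccount attributes and then asks NSS for the uid, so the script flags Samba users without a posixAccount uidNumber and nsswitch.conf databases that never consult ldap. The LDIF, the nsswitch.conf and the domain SID are constructed samples.

```python
import re
# Constructed sample entries (placeholder domain SID); bob lacks posixAccount.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-111-222-333-3002

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-111-222-333-3004
"""

# Constructed nsswitch.conf: shadow lookups never reach ldap.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files ldap
shadow: files
"""

def parse_ldif(text):
    """Split LDIF into entries, each mapping attribute name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (l.partition(":") for l in block.splitlines()):
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def nss_sources(text):
    """Map each nsswitch.conf database (passwd, group, ...) to its sources."""
    pairs = (line.partition(":") for line in text.splitlines())
    return {db.strip(): srcs.split() for db, _, srcs in pairs if srcs.strip()}

def check_pdc_accounts(ldif_text, nsswitch_text):
    """List what would break username -> uid resolution on an LDAP-backed PDC:
    Samba authenticates from sambaSamAccount, then asks NSS (nss_ldap) for the uid."""
    problems = []
    srcs = nss_sources(nsswitch_text)
    for db in ("passwd", "group", "shadow"):
        if "ldap" not in srcs.get(db, []):
            problems.append(f"nsswitch: {db} is not resolved through ldap")
    for e in parse_ldif(ldif_text):
        if "sambaSamAccount" in e.get("objectClass", []) and "uidNumber" not in e:
            problems.append(f"{e['uid'][0]}: sambaSamAccount without a uidNumber")
    return problems
```

Run it against a real directory by replacing the samples with an `ldapsearch` LDIF export and the host's /etc/nsswitch.conf.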
