[Samba] [bounce] Problem with pam_winbind

Robert LeBlanc robert at leblancnet.us
Thu Nov 5 14:04:38 MST 2009

On Thu, Nov 5, 2009 at 2:32 PM, Alex Samad <alex at samad.com.au> wrote:

> > I haven't used any of the ldap stuff that you are using so it's beyond me at
> > this point. I wish I could help more, I know how it is to be in that
> > position. Is this just a member workstation/server or is it trying to be a
> > DC? To me if it is just a member, I can't see why you would need all the
> > LDAP stuff. Security should also probably be ADS as well. Here is my conf
>
> not sure what you mean by all that ldap stuff I have, I understand ads
> is stored in M$ ldap

Indeed, Active Directory is ldap, but the link on pastebin is much different
than what you posted here. For most of what I need, I don't have to do LDAP
stuff. I just finished writing a script to query AD for a user's e-mail
address and I had to do that over LDAP because winbind doesn't provide it.
It would be nice to have winbind provide things like that (makes note to
self when things slow down, to look at patching that in).

> [global]
> workgroup = AD
> server string = %h server
> dns proxy = no
> interfaces =
> bind interfaces only = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> netbios name = bblx01
> realm = ad.barbarast.samad.com.au
> security = ADS
> encrypt passwords = true
> password server = *
> winbind separator = +
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind use default domain = yes
> socket options = TCP_NODELAY

So, a couple of things that I notice that may/may not help. Your realm is
lower case, it needs to be uppercase. You are missing an idmap_backend type
(I'm pretty sure you need this so that winbind knows how to map your users'
SID to UIDs). You can choose from hash, rid or ads. See my example for hash
(you don't need ranges ie. idmap uid = 10000-20000). Rid, you need to
specify the domain (trusted domains may not work, although I think you can
specify different ranges for different domains) and you will need the ranges
that you currently have. Ads, needs to have the Active Directory schema
extended, you don't need the ranges, but the schema will need to be
populated (I think Samba can do that for you, but I don't have experience).
Each one comes with its pros and cons. If your schema is not extended and
you don't have other *NIXs that rely on it, I'd suggest using hash, but it
is only in 3.4.x. Other than that things look ok. Also, if a home directory
is not created for the user, they probably won't be able to log in due to
the template shell = /bin/false.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
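The three points raised in the reply above (lower-case realm, no explicit idmap backend, a non-login template shell) are easy to check mechanically before joining a member server. The following linter is an added example written for this page; it is not code from the thread or from the Samba project. It parses an smb.conf with a small hand-written parser (smb.conf is INI-like, but duplicate keys and `%` macros trip up configparser), and the sample configuration embedded in it is a constructed cut-down version of the one quoted above, not the poster's actual file. The severities and messages are this example's own choices, and it only reports what the reply suggests; it does not try to validate the rest of the file.

```python
"""Lint the [global] section of an smb.conf for the winbind pitfalls discussed above."""

# Constructed sample based on the configuration quoted in the thread. It
# reproduces the two problems the reply points out: a lower-case realm and
# no explicit idmap backend. Not the poster's real file.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = AD
   realm = ad.barbarast.samad.com.au
   security = ADS
   password server = *
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   template homedir = /home/%D/%U
   template shell = /bin/false
"""

# Shells that deny interactive login; a domain user mapped to one of these
# can authenticate through winbind but will not get a session.
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    Keys are lower-cased and internal whitespace collapsed, because smb.conf
    treats 'idmap  uid' and 'idmap uid' as the same parameter. Later
    duplicates win, matching how Samba reads repeated keys.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            key = " ".join(key.lower().split())
            sections[current][key] = value.strip()
    return sections


def lint_global(conf):
    """Return a list of (severity, message) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []

    # 1. Kerberos realm: security = ADS needs a realm, and it should be upper case.
    realm = g.get("realm", "")
    if g.get("security", "").lower() == "ads":
        if not realm:
            findings.append(("error", "security = ADS but no realm is set"))
        elif realm != realm.upper():
            findings.append(("error",
                             "realm '%s' is not upper case; expected '%s'"
                             % (realm, realm.upper())))

    # 2. An explicit idmap backend, either the global form or the per-domain
    #    'idmap config DOMAIN : backend' form, tells winbind how SIDs map to
    #    UIDs/GIDs. Without one, the mapping depends on the build's default.
    has_backend = "idmap backend" in g or any(
        k.startswith("idmap config") and k.endswith("backend") for k in g)
    if not has_backend:
        findings.append(("warning",
                         "no idmap backend configured; SID-to-UID mapping "
                         "relies on the default"))

    # 3. A nologin template shell means domain users cannot open a session.
    shell = g.get("template shell", "")
    if shell in NOLOGIN_SHELLS:
        findings.append(("info",
                         "template shell = %s: domain users get no interactive "
                         "login" % shell))
    return findings


if __name__ == "__main__":
    for severity, message in lint_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-8s %s" % (severity, message))
```

Running it against the sample prints one error (the realm), one warning (no idmap backend) and one informational line (the `/bin/false` shell); pointing `parse_smb_conf` at the contents of a real `/etc/samba/smb.conf` works the same way. The parser deliberately keeps values verbatim, so `%D`/`%U` macros and the `passwd chat` escapes from the quoted configuration pass through untouched.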
