[Samba] Winbind on Samba 3.5.5 (centos5)

Adrian Graham binarydinosaurs at gmail.com
Tue Oct 19 08:50:43 MDT 2010


Having some fun with winbind on Samba 3.5.5 on RHEL5 and/or Centos5.
I’ve got it working so ssh logins work correctly and file permissions
are seemingly correct with created files etc. Backend authentication
is from a Win2K3R2 box running RFC2372 extensions (i.e. not SFU) and all
UIDs etc are assigned for the users who need them.

However, wbinfo returns some interesting things. We’re in a reasonably
sized AD forest and there seems to be some ID mashing going on. If I
do wbinfo -u it will sniff out the entire forest and return anything
it's allowed to as well as the local domain, obviously this can be
filtered by using --domain=DOMAIN which sometimes works well, groups

Things that don’t work:

wbinfo -i returns ‘could not get info for user’
wbinfo -r returns ‘could not get groups for user’
wbinfo -Y returns ‘could not convert sid’
wbinfo --user-sidinfo returns ‘couldn’t get info for user’
wbinfo --user-sids also returns failure.

Things that do:

wbinfo -S my-username-SID correctly returns my UID of 666
wbinfo -s my-username-SID correctly returns DOMAIN+Username
getent group
getent passwd

Wish I could remember what I changed, but at some point wbinfo -u
username DID work but returned a UID of 147, no idea where it got that
from as I even deleted the idmap cache files etc. Also if I browse to
a share and create a file it ends up with the UID/GID of a user in a
completely different domain!

Current smb.conf:


        workgroup = CAM
        realm = CAM.CW.LOCAL
        server string = test-samba server (CentOS 5)
        interfaces =, eth0
        bind interfaces only = Yes
        security = ADS
        map to guest = Bad User
        password server =
        log level = 100
        log file = /var/log/samba/%m.log
        printcap name = cups
        wins server =
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 5
        winbind use default domain = Yes
        winbind trusted domains only = Yes
        idmap config CAM: range = 100-9999
        idmap config CAM: backend = ad
        idmap config CAM: schema_mode = rfc2307
        idmap config CAM: default = yes

        comment = Home Directories
        read only = No
        create mask = 0664
        directory mask = 0775
        browseable = No

        path = /usr/share/doc/samba3/htmldocs
        guest ok = Yes

Anyone? Kerberos seems to be acting ok too, otherwise SSH logins wouldn't work?

Owner of Binary Dinosaurs, the UK's biggest home computer collection?
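
The following Python script is an added example, not part of the original post and not Samba code: it parses the idmap lines of the smb.conf above, checks whether any configured ID ranges overlap, and reports which range the two UIDs mentioned in the post (666 and 147) fall in. The function names are hypothetical.

```python
import re

# idmap lines copied from the smb.conf in the post; all other settings omitted.
POSTED_CONF = """\
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap config CAM: range = 100-9999
idmap config CAM: backend = ad
"""

DOMAIN_RANGE = re.compile(r"^idmap config ([^:]+?)\s*:\s*range$")


def parse_ranges(conf_text, kind="uid"):
    """Map each range owner to (low, high); '*' is the legacy 'idmap uid/gid' pool."""
    ranges = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # parameter names are case-insensitive
        match = DOMAIN_RANGE.match(key)
        if match:
            owner = match.group(1).strip().upper()
        elif key == "idmap " + kind:
            owner = "*"
        else:
            continue
        low, high = (int(n) for n in value.split("-", 1))
        if low > high:
            raise ValueError("inverted range for %s: %s" % (owner, value))
        ranges[owner] = (low, high)
    return ranges


def overlapping(ranges):
    """Return sorted owner pairs whose ranges share at least one ID."""
    owners = sorted(ranges)
    return [(a, b) for i, a in enumerate(owners) for b in owners[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def owners_of(ranges, unix_id):
    """Return every owner whose range contains unix_id (more than one is ambiguous)."""
    return sorted(o for o, (low, high) in ranges.items() if low <= unix_id <= high)


if __name__ == "__main__":
    r = parse_ranges(POSTED_CONF)
    print(r, overlapping(r))
    for uid in (666, 147):  # the two UIDs mentioned in the post
        print(uid, owners_of(r, uid))
```

With the ad backend the range acts as a filter on the uidNumber/gidNumber values stored in AD, so an ID outside every configured range is one winbind will not map for that domain.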
