Wed Oct 20 02:45:58 MDT 2010
I enquired on this list about the problems we were having and the best
advice I received was that winbind was now a required service.
So I tried using winbind and it seemed to work better, but still not
completely reliably. So we just stayed on 3.0.24
Recently changes to the domain mean that we will need to run a recent
version of samba. So I've been looking into upgrading.
I ran up a copy of 3.5.6 using winbind.
But testing indicated that it didn't appear to be respecting secondary
groups for the users. It was picking up the primary group for a user ie the
one in the password file. But not the secondary groups (specified in
Then someone suggested trying without winbind.
And that seems to be working OK.
But my question is, is there something that I need to be using winbind for.
The documentation is a little confusing.
I can't find anything that says categorically that winbind is necessary.
But the winbind man page says
Even if winbind is not used for nsswitch, it still provides a service to
smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections
to domain controllers
And chapter 24 of the how to says
Fact: Winbind is needed to handle users who use workstations that are NOT
part of the local domain.
But that appears to be to avoid name clashes. Here we're using a unified
namespace (from NSS) so name clashes shouldn't be a problem.
So was the earlier recommendation I received that winbind was compulsory
either incorrect or outdated?
Various documentation implies that using winbind without idmap guid (in
netlogon proxy only mode) should work the same as not using winbind. In both
cases they will pick up user info via NSS.
So why is the behaviour different when using winbind and not using winbind
Systems & Desktop Services
Division of Information
R.G Menzies Building
The Australian National University
Canberra ACT 0200 Australia
T: +61 2 6125 8389
F: +61 2 6125 7699
CRICOS Provider #00120C
More information about the samba