[Samba] Prevent smbd from consulting winbindd

Lukas w3l at suva.ch
Wed Jan 25 04:08:33 MST 2012

Am 25.01.2012 11:49, schrieb Victor Sudakov:
> Lukas wrote:
>>>>> Colleagues, please respond. Have I asked something too unconventional
>>>>> or something too trivial?
>>>> idmap backend = nss ??
>>> Its man page is very scarce. Is it supposed to work at all? Do you have any
>>> experience with it?
>>> root at fs02-sibptus:~# id zimaev uid=3237(zimaev) gid=2000(user) groups=2000(user),2012(budget),3134(pto),2011(ntd)
>>> root at fs02-sibptus:~# wbinfo -n zimaev S-1-5-21-839522115-2139871995-725345543-1618 User (1)
>>> root at fs02-sibptus:~# wbinfo -i zimaev
>>> Could not get info for user zimaev
>>> root at fs02-sibptus:~#
>>> what gives?
>> what do you have in smb.conf defined for security?
>> (general portion of smb.conf)
> [global]
> workgroup = SIBPTUS
> wins server =
> security = domain
> idmap backend = nss
> idmap uid = 1000-1999999
> idmap gid = 1000-1999999
> template shell = /bin/bash
> winbind use default domain = Yes
> allow trusted domains = Yes
To me it seems, since you have security = domain, samba will try to 
authenticate4 always to the domain controller.
Therefore: wbinfo -i zimaev will not return something valid, unless you 
prepend the user with the domain (wbinfo -i DOMAIN\zimaev don't forget 
to map the backslash with a second one DOMAIN\\zimaev) :-)

More about how that works with the security:

The idmap backend = nss just tells samba, where to store the mapping 
informations from AD- versus *nix-Users.

that's about what I know of... :)
hope it can hint you to where you'd like to go ...

More information about the samba mailing list