[Samba] Winbind troubles

Jonathan Buzzard jonathan at buzzard.me.uk
Tue Jul 23 06:48:14 MDT 2013

On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:


> I thought that testparm did exactly that, it tested all the parameters
> in smb.conf, so if the ranges overlap, it should report the error.

You thought wrong then. It tests to see if they are valid so 1000-akjf
is invalid and will throw an error, 1000-2000 is valid and will not
throw an error even if it overlaps with some other range.

> Darned right it is confusing.

It was confusing because the documentation at the time was not complete.
That is no longer the case.

> Yet people still get it wrong.

There is no accounting for what some people do. I have just checked and
a Google search for "winbind ad rfc2307 setup" gives a top hit that
explains the ranges must be orthogonal.

> Why are the BUILTIN uids & gids not set in stone? and noted
> somewhere and users told 'do not use this range'

Because your set in stone range might already be allocated in the AD.
Not all Samba servers are green field deployments. Some/many have to
integrate into already existing environments and hence admins need the
flexibility to adapt to the environment they find themselves in.

>         Also winbind can handle multiple domains so it needs to know which
>         domain to use to lookup a given UID or GID in.
> sssd can do this very easily, so your point is?

That is the one thing that sssd cannot do. At least according to the
documents I have read multiple domains with cross domain trusts equals
use winbind.

Either way there is no way for either sssd or winbind to know which of
the potential multiple domains it should look that up in. You could I
guess take a sledgehammer approach and look it up in all the domains,
but I can think of lots of reasons why that would not be a good idea.


