[Samba] Samba 4.1.4 and winbind

Rowland Penny rowlandpenny at googlemail.com
Sat Feb 1 02:35:14 MST 2014

After the 'you should use winbind saga', I decide that I needed to learn 
about using winbind with samba 4 clients.

So I created a VM running ubuntu 12.04 server and installed and compiled 
samba 4 to use as a test client.

Created /usr/local/samba/etc/smb.conf

     workgroup = EXAMPLE
     security = ADS
     realm = EXAMPLE.COM
     encrypt passwords = yes
     server string = %h server (Samba)
     idmap config *:backend = tdb
     idmap config *:range = 70001-80000
     idmap config EXAMPLE:backend = ad
     idmap config EXAMPLE:schema_mode = rfc2307
     idmap config EXAMPLE:range = 1000-40000

     winbind nss info = rfc2307
     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes

     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user

Set up pam etc and started the three samba daemons, checked they were 
running via 'ps ax'

My domain users' uidNumbers start at 10000, so they are within 1000-40000

BUT, getent passwd & group did not return anything, although wbinfo -u & 
-g did return the domain users & groups.

Gave it a bit of thought, now I gave Domain Users the gidNumber of '100' 
i.e. 'users' on my linux box, so I altered 'idmap config EXAMPLE:range = 
1000-40000' to 'idmap config EXAMPLE:range = 0-40000' and restarted the 

Winbind now works, so from this, I surmise that a user needs both a 
uidNumber & gidNumber before the ad backend will extract them from AD 
and both need to be inside the range supplied.

This sort of begs the question, if you are using the ad backend and 
presumably have already given your users & groups a uidNumber &/or a 
gidNumber, why does winbind need the range line at all for the domain? 
Shouldn't winbind just extract any and all records, where the object has 
the required RFC2307 attributes?

There is still one problem though, 'getent group' still does not return 
anything, but 'getent group <a group name>' does.

And you wonder why I tell everybody to use that package I cannot name! 
It just works.
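The behaviour the post describes (a user is only mapped by the ad backend when both the uidNumber and the primary group's gidNumber fall inside the domain's idmap range, and the domain range must not overlap the '*' default range) can be checked offline against an smb.conf fragment. This is an added example, not code from the post or from Samba; the two config fragments and the uid/gid values are constructed from what the post states (users from 10000, Domain Users with gidNumber 100).

```python
import re

# Constructed smb.conf fragments mirroring the post: the 'before' range that
# excluded gidNumber 100 and the 'after' range widened to start at 0.
SMB_CONF_BEFORE = """
     idmap config *:backend = tdb
     idmap config *:range = 70001-80000
     idmap config EXAMPLE:backend = ad
     idmap config EXAMPLE:schema_mode = rfc2307
     idmap config EXAMPLE:range = 1000-40000
"""
SMB_CONF_AFTER = SMB_CONF_BEFORE.replace("1000-40000", "0-40000")

# Matches 'idmap config <domain or *>:range = <low>-<high>' lines.
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(smb_conf):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def check_user(smb_conf, domain, uid_number, gid_number):
    """List the reasons winbind's ad backend would not map this user.

    An empty list means the uidNumber and primary gidNumber both sit inside
    the domain's range and that range does not overlap the '*' default range.
    """
    ranges = parse_idmap_ranges(smb_conf)
    low, high = ranges[domain.upper()]
    problems = []
    if not low <= uid_number <= high:
        problems.append(f"uidNumber {uid_number} outside {domain} range {low}-{high}")
    if not low <= gid_number <= high:
        problems.append(f"gidNumber {gid_number} outside {domain} range {low}-{high}")
    dlow, dhigh = ranges.get("*", (None, None))
    if dlow is not None and low <= dhigh and dlow <= high:
        problems.append(f"{domain} range overlaps default '*' range {dlow}-{dhigh}")
    return problems

if __name__ == "__main__":
    # A user with uidNumber 10000 whose primary group (Domain Users) has gidNumber 100.
    for name, conf in (("before", SMB_CONF_BEFORE), ("after", SMB_CONF_AFTER)):
        print(name, check_user(conf, "EXAMPLE", 10000, 100) or "OK")
```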


