[Samba] Manage unix users from AD

Michael Adam obnox at samba.org
Wed Jan 29 04:00:02 MST 2014

Hi Márcio,

On 2014-01-28 at 14:28 -0200, Márcio Merlone wrote:
> On 28-01-2014 11:10, Volker Lendecke wrote:
> >On Tue, Jan 28, 2014 at 01:54:11PM +0100, Sven Schwedas wrote:
> >>>Which of each would bring my rfc2307 users with all their attributes
> >>>defined on SFU, *and only those users*, to my linux system? If I create
> >>>a user _without_ rfc2307 means I don't want linux to know about him. If I
> >>>define a user with /bin/false as shell on SFU, bring that to linux.
> >>>That's it. As an admin, I don't care about idmapping, I already defined
> >>>an uidNumber (or whatever AD attribute is used to store it) to the user,
> >>>just use it.
> >>Then you can safely ignore winbindd, as it doesn't honour shell settings.
> >
> >If you use "winbind nss info = sfu" it should do it.
> Good to know, I'll play with that and see how it works. But looking
> for information and docs I found that the smb.conf man page (1)
> says something about "winbind nss info = sfu" - and no more than you
> have already said - while on the winbind page (2) there is no mention
> of 'sfu' or 'nss', even though it seems to be the samba4 version of
> winbind - as per the url.
> (1) http://www.samba.org/samba/docs/man/manpages/smb.conf.5.html#idp62681648
> (2) http://www.samba.org/samba/docs/man/manpages/winbindd.8.html

Oh right... The documentation is not sufficient.
You can actually set up nss backends differently for different
domains like this:

  winbind nss info = backend1, backend2:domA, backend3:domB

Here the entry without a domain part is used as the default.
The only backends currently available are template and sfu/rfc2307.

This admittedly sucks, and lacks consistency.
I would really like to make this more systematic
and more flexible. Wishes/suggestions welcome!

But I guess a first step would be to document it better... :-)

> Also, I am still not sure which winbind all the docs and information
> found on the net refer to: samba3, samba4, internal, daemon... For a
> non-samba expert/specialist, it is very confusing and frustrating.

It all usually refers to:
winbindd == winbind daemon, the classical/member server one
(known from Samba3)
These documents grew out of the former Samba 3.X.

The internal winbind is the "samba4" winbind, but that
is not correct now, since the former samba3 winbind is now
a part of samba 4.X of course... So better refer to the
AD/DC winbind. For this internal winbind there is not very
much to document or configure. It is just sitting there
doing its job, unless turned off.

Note that this splitting is not intended. It has just grown.
And it is our (Samba developers') goal to get rid of the
splitting, which will be realized in the (hopefully not too
far) future by always running the winbindd, also in the
AD/DC case. This will be necessary once we seriously start
to support domain trusts. And once we have the s3-winbindd
in place as an AD/DC component, it will most probably also
support using the RFC 2307 attributes for local id mapping.

That this is not the case yet is mainly a matter of lack of
developer resources... :-/

Cheers - Michael
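As an added example (mine, not from this thread or the Samba project), here is an smb.conf fragment that wires the per-domain "winbind nss info" syntax described above to the ad idmap backend, so that only users carrying rfc2307 uidNumber/gidNumber attributes are mapped on the member server and the loginShell stored in AD (e.g. /bin/false) is honoured. The domain names DOMA and DOMB, the realm, the id ranges and the template paths are assumptions chosen for illustration; DOMB stands for a second (trusted) domain without rfc2307 data that falls back to the template backend.

```ini
[global]
    ; Assumed member-server identity; replace with your own domain and realm.
    workgroup = DOMA
    realm = DOMA.EXAMPLE.COM
    security = ads

    ; Fallback allocation for anything not covered by a domain-specific
    ; block (BUILTIN, well-known SIDs). Never used for DOMA users.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; DOMA: read uidNumber/gidNumber straight from AD (RFC 2307 schema).
    ; The ad backend is read-only: a user without these attributes, or
    ; with a value outside the range, gets no mapping and so never shows
    ; up on the Linux side. Assumed range, adjust to what AD actually holds.
    idmap config DOMA : backend = ad
    idmap config DOMA : schema_mode = rfc2307
    idmap config DOMA : range = 10000-999999

    ; DOMB: assumed second domain without rfc2307 attributes; allocate ids
    ; algorithmically from the RID instead.
    idmap config DOMB : backend = rid
    idmap config DOMB : range = 1000000-1999999

    ; Entry without a domain part is the default (template); DOMA uses the
    ; rfc2307 backend, so loginShell and unixHomeDirectory come from AD.
    winbind nss info = template, rfc2307:DOMA

    ; Consumed by the template backend only (DOMB and anything else).
    template shell = /bin/bash
    template homedir = /home/%D/%U

    ; Keep names domain-qualified; enumeration is expensive and not needed
    ; for login or getent lookups of a named user.
    winbind use default domain = no
    winbind enum users = no
    winbind enum groups = no
```

After `testparm -s` reports the file as clean and winbindd has been restarted, check the two behaviours the thread asks for: `getent passwd 'DOMA\alice'` for an account with uidNumber and loginShell set in AD should print that uid and shell (so /bin/false set in AD arrives unchanged), while the same lookup for a DOMA account that lacks uidNumber should return nothing at all. `wbinfo -i 'DOMA\alice'` shows the same record as winbindd sees it. In later Samba releases (4.6 and newer) the idmap_ad backend also accepts `idmap config DOMA : unix_nss_info = yes`, which serves the same purpose for that domain as the rfc2307 entry in "winbind nss info".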