[Samba] netlogon proxy only mode

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 29 06:36:23 MST 2014

On 29/01/14 13:32, Volker Lendecke wrote:
> On Wed, Jan 29, 2014 at 11:36:18AM +0000, Rowland Penny wrote:
>> OK, I know understand that I should be running winbind and as I have
>> always had problems setting it up, I thought that reading the
>> manpage would probably be a good idea.
>> Whilst reading it, I found this:
>> Even if winbind is not used for nsswitch, it still provides a
>> service to smbd, ntlm_auth and the pam_winbind.so PAM module, by
>> managing connections to domain controllers. In this configuration
>> the idmap config * : range parameter is not required. (This is known
>> as `netlogon proxy only mode'.)
>> So it would seem that I could just run the winbind daemon with
>> minimal alterations to smb.conf and continue to use that program I
>> must not mention.
>> I then tried to find information on just what I need to add to
>> smb.conf to make it work, you wouldn't believe how many copies of
>> the winbind manpage there are out there, but nothing much on the
>> netlogon proxy only mode.
>> The only thing that I could find was when Volker seems to have
>> created the mode back in 2004, so can anybody point me to
>> documentation about this mode, so that I can try it.
> There is not much around because there is not much to say.
> If a Samba domain member is joined to a domain, just start
> winbind. smbd will automatically use its services, the most
> important being much more efficient authentiation due to
> less domain controller connection setup overhead. If no
> winbind is around, every smbd has to connect to the DC
> itself. It's roughly 50 network packets versus just 2 (3 if
> you count the TCP ack winbind sends to the DC after the
> authentication).
> With best regards,
> Volker Lendecke
So I do not actually need to add anything to smb.conf, none of the usual 
winbind lines etc, just install and start winbind?

Thanks again


More information about the samba mailing list