[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users

Rowland Penny rowlandpenny at googlemail.com
Mon Jul 21 10:03:05 MDT 2014

On 21/07/14 16:47, Elias Probst wrote:
> On 07/21/2014 05:38 PM, Rowland Penny wrote:
>> This seems to say that winbind will map the domain users to local users,
>> so I suppose the next question has to be, is winbind running ?
> Looking at [1] I don't think I'd need winbindd, as winbindd is in this
> scenario obsoleted by SSSD.
> [1]
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604553
>> Winbind is not used; users and groups resolved via NSS:
>> In this situation user and group accounts are treated as if they are
>> local accounts. The only way in which this differs from having local
>> accounts is that the accounts are stored in a repository that can be
>> shared. In practice this means that they will reside in either an
>> NIS-type database or else in LDAP.
>> This configuration may be used with standalone Samba servers, domain
>> member servers [sic!] (NT4 or ADS), and for a PDC that uses either an
>> smbpasswd or a tdbsam-based Samba passdb backend.
> winbind would just duplicate the efforts (talk to LDAP/AD to resolve
> users etc.) already done by SSSD.
> See also: https://www.fedorahosted.org/sssd/wiki/SSSD-vs-Winbind
> - Elias
Hi, but this is what you are doing: Samba is providing the shares and
allowing entry based on what you have in smb.conf on the fileserver, but
authentication is coming via sssd. The user that winbind expects could
have the ID xxxxxx but sssd is supplying yyyyyyyyyy.

The only way that I have found that works is to give every user a
uidNumber and the groups a gidNumber and then use the winbind ad
backend; this way you can ensure that the user gets the same ID everywhere.
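
The setup described in the reply above, sketched as an added example that is not part of the original post: a domain member smb.conf using the winbind `ad` idmap backend so IDs come from the uidNumber/gidNumber attributes stored in AD. EXAMPLE, EXAMPLE.COM and both ID ranges are constructed placeholders.

```ini
# /etc/samba/smb.conf on the domain member file server (constructed example)
[global]
    security = ads
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # Default domain (BUILTIN and anything not listed below):
    # IDs are allocated locally from a small private range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # AD domain: read uidNumber/gidNumber (RFC 2307 attributes) from AD
    # instead of computing or allocating IDs on this host, so every
    # member configured this way resolves a given user to the same ID.
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999

# /etc/nsswitch.conf lines that hand NSS lookups to winbind:
#   passwd: files winbind
#   group:  files winbind
#
# Hosts that resolve users through SSSD instead of winbind read the same
# attributes only when algorithmic SID mapping is switched off in the
# domain section of sssd.conf:
#   ldap_id_mapping = False
```

Accounts with no uidNumber, or with one outside the configured range, are not mapped by the `ad` backend, so the range has to cover every value assigned in the directory. Comparing `wbinfo -i <user>` with `getent passwd <user>` on each host shows whether the IDs agree.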

