[Samba] Samba 4.1 Member Server and Winbind

Peter Ross Peter.Ross at alumni.tu-berlin.de
Wed Apr 22 00:14:16 MDT 2015

Hello everybody,

for a while I am running a Samba 4.1 AD server under FreeBSD (from the 
FreeBSD ports). At thw moment the domain has ca. 20 Windows 7 desktops.

I wanted to add a Samba 4.1 file server as a member server, was able to 
joint the domain and see AD users via "winbind -u"

but "getent password" or "id <user>" does not work.

The smb4.conf is following


I added RFC2307 attributes to the AD server according to


and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix 
Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP 

In /etc/nsswitch.conf I have

passwd: compat winbind
group: compat winbind

To the library.. the port installed


but it did not appear in "ldconfig -r".. Just for the purpose of testing I 
moved it to


so ldconfig finds it.. Is this a bug? Someting to do with 
https://bugzilla.samba.org/show_bug.cgi?id=9704 ?

Anyway, no getent entries, no id..

Here the smb4.conf:


    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.FDA
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config DOMAIN:backend = ad
    idmap config DOMAIN:schema_mode = rfc2307
    idmap config DOMAIN:range = 10000-99999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes
    winbind expand groups = 4
    winbind normalize names = Yes


Do you have any advice which could help me to get it working?


More information about the samba mailing list