[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account

francis picabia fpicabia at gmail.com
Thu Jan 22 11:19:38 MST 2015

We run AD on Windows servers and have Linux systems
authenticate against AD with pam, for shares, cyrus mail, or shell logins.
For shares on a Linux system we often have no local account.

We've had success with Samba 3.5.10 and prior versions using
security = ads with winbind, pam, nsswitch.conf, krb5.conf
while there is no local Unix account.

Starting after this version, possibly 3.6.0 and above, I can only get
shares to work by using an AD account and auth
which maps to a local shell account name.

Here are very minimal settings, not ideal, just trying to get this to


# PAM service file: authenticate through winbind, otherwise deny.
# use_first_pass takes the password an earlier module already collected instead of prompting.
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_permit.so


# /etc/nsswitch.conf: resolve users and groups from local files first, then winbind
passwd:         files winbind
group:          files winbind
shadow:         files winbind

If I use an account having a local shell and the AD password, the
share works.  If I use another AD account which does appear
in wbinfo -u output, it cannot log in to the share.  If I add the
AD user with a shell of /bin/false the login works.

I've gone through many howtos trying for a formula, but the unmatched
user issue remains.  Here is the last attempt in smb.conf:

   # domain member: the DC authenticates users
   security = ads
   password server = adc2.mydom.ca
   log level = 3
   # shell handed to winbind users whose AD entry carries no loginShell
   template shell = /bin/false
   encrypt passwords = yes

   realm = AD.MYDOM.CA
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   # everything without its own idmap block (BUILTIN, local SAM, other domains)
   # gets ids allocated from a local tdb
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   # MYDOM ids are read from the uidNumber/gidNumber attributes stored in AD
   idmap config MYDOM : backend = ad
   idmap config MYDOM : schema_mode = rfc2307
   idmap config MYDOM : range = 10000-19000000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
   winbind refresh tickets = Yes

I've only changed the actual domain to mydom in that config.

krb5.conf must be alright otherwise my shell account user
would fail to login to the share with the AD credentials.

I had a thought on how to make non-local accounts access
the share by using map to guest = Bad Uid
but the comments in man page for smb.conf make it sound
like I still shouldn't need that with winbind and nsswitch.

If anyone has seen a sample for non-local accounts and Samba 3.6
it might be useful.

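An added diagnostic helper for the configuration quoted above (example code written for this page, not from the original post or from the Samba project). It parses the idmap config lines of an smb.conf and checks whether a given uid lies inside the range configured for a domain. With `idmap config DOM : backend = ad`, winbind only maps ids that fall inside that domain's range and only for accounts that carry a uidNumber, so an account can be listed by `wbinfo -u` and still fail to resolve to a Unix user. The sample smb.conf, the domain name MYDOM and the test uids are constructed to match the ranges in the post; feed it the uidNumber shown by `getent passwd DOMAIN\user` or by an LDAP query against AD.

```shell
#!/bin/sh
# Added diagnostic helper, not taken from the original post or from Samba.
# Parses the "idmap config" lines of an smb.conf and checks whether a uid
# (e.g. the uidNumber stored in AD for a user) lies inside the range
# configured for that user's domain.  With "backend = ad" winbind only maps
# ids inside that range, so a user can appear in "wbinfo -u" and still not
# resolve to a Unix account.

# Constructed sample smb.conf, mirroring the idmap ranges quoted in the post.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range=10000-19000000
EOF

# idmap_setting DOMAIN OPTION CONF
# Prints the value of "idmap config DOMAIN : OPTION = value" (empty if unset).
# Accepts the spacing variants Samba accepts, e.g. "MYDOM:range=" and "* : range =".
idmap_setting() {
    awk -v dom="$1" -v opt="$2" '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            colon = index(key, ":")
            if (colon == 0) next
            d = substr(key, 1, colon - 1)
            o = substr(key, colon + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", d)
            gsub(/^[ \t]+|[ \t]+$/, "", o)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (toupper(d) == toupper(dom) && tolower(o) == tolower(opt)) {
                print val
                exit
            }
        }' "$3"
}

# uid_in_domain_range UID DOMAIN CONF
# Exit 0 if UID lies inside DOMAIN's idmap range, 1 if outside, 2 if the
# domain has no range of its own (winbind then uses the "*" block for it).
uid_in_domain_range() {
    range=$(idmap_setting "$2" range "$3")
    [ -n "$range" ] || return 2
    low=${range%-*}
    high=${range#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# ranges_overlap CONF DOM_A DOM_B
# Exit 0 if the two domains' ranges overlap (the same id could then belong
# to two different SIDs), 1 if they are disjoint, 2 if either is unset.
ranges_overlap() {
    a=$(idmap_setting "$2" range "$1")
    b=$(idmap_setting "$3" range "$1")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "${a%-*}" -le "${b#*-}" ] && [ "${b%-*}" -le "${a#*-}" ]
}

# Demonstration against the sample: a uidNumber of 10500 maps, 5000 does not.
for uid in 10500 5000; do
    if uid_in_domain_range "$uid" MYDOM "$SAMPLE_CONF"; then
        echo "uid $uid: inside the MYDOM range, idmap_ad will map it"
    else
        echo "uid $uid: outside the MYDOM range, idmap_ad leaves it unmapped"
    fi
done
ranges_overlap "$SAMPLE_CONF" '*' MYDOM || echo "tdb and MYDOM ranges do not overlap"
```

An account whose uidNumber the script reports as outside the range, or that has no uidNumber at all in AD, is one that `getent passwd` will not return even though winbind can enumerate it; either widen the range or populate the rfc2307 attributes for that user.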