[Samba] Samba 4.2 AD, DC and winbindd

Jacky Chan jacky at jesstech.com
Tue Jun 2 22:57:18 MDT 2015


Hi,

I am using Samba 4.2.1 and want to clarify: do I need to start the 
winbindd service in AD and DC?

I read the doc https://wiki.samba.org/index.php/RFC2307_backend, and it 
said that:

     Users having a „server services“ line in their DC smb.conf, need to 
replace the „winbind“ entry by „winbindd“:
     [global]
     server services = ....., winbind, winbindd

     Users not having a „server services“ line (default values), need to 
add the parameter „winbindd“:
     [global]
     server services = +winbind, -winbindd

Does it mean that we need to enable the winbindd service in DC? The first 
one is clear, but the second one is making me confused.

     1) server services = ....., winbind, winbindd
     Does that mean remove the winbind and add the winbindd service?

     2) server services = +winbind, -winbindd
     Does that mean add the winbind and remove the winbindd service?

What is the difference between the winbind and winbindd services?

I tried:
With "server services = +winbind, -winbindd", the winbindd daemon will 
not start.
Without "server services = +winbind, -winbindd", the winbindd daemon 
will start.
(That means the default is to start the winbindd service)

Also, when winbindd is started in DC, uid and gid cannot synchronize 
with AD.
Without starting the winbindd in DC, the uid and gid of AD and DC are 
synchronized.

It does not affect the uid and gid in AD with or without winbindd.

By the way, I got an uncaught exception error when using samba-tool ntacl 
sysvolcheck:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/lan-domain.xxxxxx.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 
249, in run
     lp)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1730, in checksysvolacl
     direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1681, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1628, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))

I ran samba-tool ntacl sysvolreset and it finished without error, but 
sysvolcheck still gives the above error.
Is it a bug or did I mess something up?

Thanks,

Jacky
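
Added example (not part of the original message and not Samba's own code): a small Python parser that splits the two SDDL strings from the sysvolcheck error above into owner, group and DACL, and reports which components differ. The function names are hypothetical; for the two strings quoted in the error, the only differing component is the owner field (LA on disk, DA expected).

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the message above.
ON_DISK = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

LABELS = {"O": "owner", "G": "group", "D": "DACL", "S": "SACL"}


def parse_sddl(sddl):
    """Split SDDL into owner, group and (flags, ACE list) for DACL/SACL."""
    parts = re.split(r"([OGDS]):", sddl.strip())
    sd = {}
    for key, value in zip(parts[1::2], parts[2::2]):
        if key in "OG":
            sd[key] = value  # SID string or two-letter alias, e.g. LA, DA
        else:
            flags = value.split("(", 1)[0]
            # Each ACE: type;flags;rights;object_guid;inherit_guid;trustee
            aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", value)]
            sd[key] = (flags, aces)
    return sd


def diff_sddl(actual, expected):
    """Return (component, actual, expected) for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for key in "OGDS":
        if key in "OG":
            if a.get(key) != e.get(key):
                diffs.append((LABELS[key], a.get(key), e.get(key)))
            continue
        a_flags, a_aces = a.get(key, ("", []))
        e_flags, e_aces = e.get(key, ("", []))
        if a_flags != e_flags:
            diffs.append((LABELS[key] + " flags", a_flags, e_flags))
        if a_aces != e_aces:  # ACE order is significant, so compare as lists
            diffs.append((LABELS[key] + " ACEs", a_aces, e_aces))
    return diffs


if __name__ == "__main__":
    for part, got, want in diff_sddl(ON_DISK, EXPECTED):
        print(f"{part}: on disk {got!r}, expected {want!r}")
```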

