[Samba] Several questions about winbind[d]

Rowland Penny rowlandpenny241155 at gmail.com
Tue Jun 30 04:42:14 MDT 2015


On 30/06/15 11:17, mathias dufresne wrote:
> @Andrew: I expect these lines came from the RDP issue workaround, which should
> be happening with the previous Samba version. I removed all these lines as now,
> with Samba version 4.2.2, RDP and RSAT are working well without them.
>
> I also removed each and every idmap line, commented out most of the winbind
> lines too, and now my smb.conf is:
> ------------------------------------------------------------
> [global]
>          workgroup = AD.DOMAIN
>          realm = ad.domain.tld
>          netbios name = DC01
>          server role = active directory domain controller
>
>          dns forwarder = 10.0.0.240
>
>          wins support = yes
>          winbind nss info = rfc2307

The 'winbind nss info = rfc2307' line should be 'idmap_ldb:use rfc2307 = 
yes' on a DC.

>
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.domain.tld/scripts
>          read only = No
>
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> ------------------------------------------------------------
>
> There is still something I don't understand:
> "wbinfo -i some.user" does not show the configured homeDirectory, loginShell
> or gidNumber.
> For loginShell it displays "/bin/false" rather than the configured "/bin/bash".
> For homeDirectory it displays "/home/AD.DOMAIN/some.user" rather than the
> configured "/home/some.user".
> For gidNumber it displays "100" rather than the content of "gidNumber".

This is one of the reasons why it is not recommended to use a DC as a 
fileserver: whilst from version 4.2.0 Samba uses the same 'winbindd' 
daemon as on a member server, it still doesn't use all its capabilities. 
You can set 'template homedir' and 'template shell' in smb.conf (see 
'man smb.conf'), but note these will affect *all* users; you cannot set 
individual user homedir paths and shells.
To get the user's 'gidNumber' attribute shown by 'getent' etc., you need 
to ensure that 'Domain Users' has a 'gidNumber' attribute.

>
> SSSD can easily be configured on a non-DC to replace winbind and it gives the
> possibility to configure which LDB attributes are retrieved.
> On a DC I'm still facing an incompatibility between Sernet's Samba and the SSSD
> package (on CentOS 6 & 7 and Debian 8), so initially I planned to use
> winbind in nsswitch.conf and pam.d/* on the DC to be able to check ACLs on the
> sysvol folder, but the fact that, using winbind, all users have "Domain users" as
> primary group seems to me an issue in agreeing to that solution...

This is yet another reason not to use a DC as a fileserver. The 'Domain 
Users' problem can be fixed, but it can cause more problems than it 
fixes, because changing the user's primaryGroupID attribute means 
removing the user from the 'Domain Users' group, and Windows expects all 
users to be members of 'Domain Users'.

> As far as I understand, wbinfo fills the user's primary group according to
> the "primaryGroup" value.
>
> Is there a way to configure winbind to fill the user's primary group using
> "gidNumber" rather than "primaryGroup"?

On a DC, no. On a member server this is not a problem.

Rowland

> Cheers,
>
> mathias
>
>
> 2015-06-29 11:18 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
>
>> On Thu, 2015-06-25 at 16:27 +0200, mathias dufresne wrote:
>>> Hi all,
>>>
>>> I'm wondering about winbind[d] behaviour.
>>> I tried the following with:
>>> auth methods = sam winbindd
>>> and the same with only one d:
>>> auth methods = sam winbind
>> Please never set these manually.
>>
>> There are almost no situations where these need to be manually managed;
>> the defaults based on the server role will behave correctly and as
>> expected.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
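The symptoms in this thread (template home and shell, gid 100, 'winbind nss info' on a DC) can be spotted mechanically. The following is an added example, not code from the thread or from the Samba project: it parses a minimal smb.conf and a 'wbinfo -i' line and lists why the output differs from the user's RFC2307 attributes. The sample smb.conf and wbinfo line are constructed from the values quoted above; the expected gidNumber 10001 is an assumed value, and the home attribute is named unixHomeDirectory as in AD's RFC2307 schema (the thread calls it homeDirectory).

```python
# Samba's own defaults for the two template parameters, per smb.conf(5).
TEMPLATE_DEFAULTS = {"template homedir": "/home/%D/%U", "template shell": "/bin/false"}

# Constructed sample: the DC smb.conf from the thread plus a wbinfo -i line
# showing the symptoms it describes (template home/shell, gid 100).
SAMPLE_SMB_CONF = """[global]
        workgroup = AD.DOMAIN
        server role = active directory domain controller
        winbind nss info = rfc2307
"""
SAMPLE_WBINFO = "AD.DOMAIN\\some.user:*:3000021:100:Some User:/home/AD.DOMAIN/some.user:/bin/false"
EXPECTED = {"unixHomeDirectory": "/home/some.user", "loginShell": "/bin/bash", "gidNumber": 10001}

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with inner whitespace squeezed."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {})[" ".join(key.lower().split())] = value.strip()
    return conf

def parse_wbinfo_i(line):
    """wbinfo -i prints passwd(5)-style fields: name:pw:uid:gid:gecos:home:shell."""
    name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell}

def diagnose(conf, wb, expected):
    """List why wbinfo output differs from the user's RFC2307 attributes in AD."""
    g, findings = conf.get("global", {}), []
    on_dc = "domain controller" in g.get("server role", "").lower()
    if on_dc and "winbind nss info" in g:
        findings.append("DC: replace 'winbind nss info' with 'idmap_ldb:use rfc2307 = yes'")
    if on_dc and g.get("idmap_ldb:use rfc2307", "no").lower() != "yes":
        findings.append("DC: 'idmap_ldb:use rfc2307 = yes' missing, RFC2307 ids are not used")
    # Expand %D/%U the way the template parameters do, using the default winbind separator '\'.
    domain, user = g.get("workgroup", ""), wb["name"].split("\\")[-1]
    for key, field, attr in (("template homedir", "home", "unixHomeDirectory"),
                             ("template shell", "shell", "loginShell")):
        tmpl = g.get(key, TEMPLATE_DEFAULTS[key]).replace("%D", domain).replace("%U", user)
        if wb[field] == tmpl and wb[field] != expected[attr]:
            findings.append(f"{field} {wb[field]!r} is the '{key}' value, not {attr}={expected[attr]!r}")
    if wb["gid"] != expected["gidNumber"]:
        findings.append(f"gid {wb['gid']} is the primary group's id, not gidNumber {expected['gidNumber']}; ensure 'Domain Users' has a gidNumber")
    return findings
```

Run `diagnose(parse_smb_conf(SAMPLE_SMB_CONF), parse_wbinfo_i(SAMPLE_WBINFO), EXPECTED)` to get one finding per symptom; an empty list means wbinfo already reflects the RFC2307 attributes.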