[Samba] setup-sysvol-bidirectional.sh unable to id administrator

Rowland Penny rpenny at samba.org
Mon Apr 4 11:56:04 UTC 2016

On 04/04/16 10:07, mathias dufresne wrote:
> I expect Winbind on DC do NOT retrieve home dir, by design.

Well, not by design, the code to do this hasn't been written yet :-)

> DC are not meant to be used by AD users, no session from standard users on
> DC, never.
> DC are meant to discuss with Windows clients and with tools as SSSD,

sssd isn't a Samba tool and the fact they work with a DC is down to the 
work done by sssd devs.

> Winbind or nslcd which use AD as a users database. These tools are
> configurable enough to use the database to make what we want on member
> servers.
> Winbind generates users from AD using "primaryGroupID" for GID and
> something else for UID (I still don't know exactly how that UID is chosen)

It all depends on where winbind is running and secondly on what winbind 
backend is being used. On a DC, you can only use idmap.ldb and this 
assigns IDs on a first come basis.
On a domain member there are numerous backends available and each has 
their own manpage.


> because of ACL on SysVol. SysVol is accessed by Windows clients and that's
> the only moment there is an interaction between user-from-AD and
> system-hosting-Samba-AD. To match Windows user information during ACL check
> on SysVol Winbind uses Windows information from AD to generate users.
> I hope I was clear but that's not sure at all :D
> Anyway, I tried ;)
> Cheers,
> mathias
> 2016-04-01 2:16 GMT+02:00 niya levi <niyalevi at gmail.com>:
>> hi Louis
>> thanks for the suggestion.
>> first I tried switching back to winbind in nsswitch.conf
>> then getent and id worked as they should
>> so I've cornered the problem down to sssd
>> but I had another problem with the winbind solution
>> the home dir was not being pulled from AD,
>> with a bit of net searching I found this from the samba mail archives
>> Sébastien Le Ray says
>> in smb.conf idmap_ldb:use rfc2307 = yes is used to pull down UNIX
>> information from active directory
>> (namely uid, gid, homedir, shell).
>> Support is partial on domain controller since shell & homedir can only
>> be set through * template parameters in
>> smb.conf despite rfc2307 being used.
>> Shell & homedir are correctly fetched on member servers.
>> does this still apply to winbindd as I run arch linux with the latest
>> samba,
>> if there is a way to use winbind on the DCs and be able to retrieve home
>> dirs from the AD
>> then I would permanently use winbindd
>> if not I'll have to start hitting sssd with a hammer and getting on
>> their mailing list until it works.
>> as for your replication script it works perfectly,
>> the cronjob keeps my mailbox busy but will do something about that once
>> I've sorted out my current issues
>> shadrock
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
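As an added illustration of the two cases discussed in this thread (example configuration written for this archive page, not posted by either author and not copied from Samba's own documentation), here are the relevant smb.conf lines for a DC and for a domain member. On the DC only idmap.ldb is available, so `idmap_ldb:use rfc2307 = yes` makes winbind honour uidNumber/gidNumber from AD but shell and home directory still come from the `template` parameters. On a member server the `ad` idmap backend with `winbind nss info = rfc2307` reads loginShell and unixHomeDirectory from AD as well. The domain name `SAMDOM`, the realm, the ID ranges and the `/home/%U` path are assumed placeholders.

```ini
# /etc/samba/smb.conf on the domain controller (assumed example)
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    # Use uidNumber/gidNumber from AD when the user has them set, instead of
    # the first-come allocation idmap.ldb would otherwise make.
    # loginShell and unixHomeDirectory are NOT read on a DC.
    idmap_ldb:use rfc2307 = yes
    # On a DC these templates are the only source of shell and home dir.
    template shell = /bin/bash
    template homedir = /home/%U

# /etc/samba/smb.conf on a domain member (assumed example, separate file)
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    # Default backend for well-known SIDs and any domain without its own block.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # Read uidNumber/gidNumber straight from AD; users without a uidNumber
    # inside this range are not mapped at all.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
    # Take loginShell/unixHomeDirectory from AD instead of the templates.
    winbind nss info = rfc2307
    winbind use default domain = yes
```

To check which behaviour you are getting, run `getent passwd <user>` (with `winbind` in the passwd line of nsswitch.conf) and `wbinfo -i <user>` on each host: on the DC the home directory field is the expanded template, on the member it should be the unixHomeDirectory attribute. If the member returns nothing for a user, confirm the user's uidNumber is set and falls inside the `SAMDOM` range, since the `ad` backend silently skips users it cannot map. The first-come allocations on the DC can be inspected with `ldbsearch -H /var/lib/samba/private/idmap.ldb` (path assumed; it varies by distribution).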

More information about the samba mailing list