[Samba] Cannot browse mode 0700 directories from Windows with security=ads

Ian Collier Ian.Collier at cs.ox.ac.uk
Fri Apr 15 21:09:08 UTC 2016

rpenny at samba.org writes:
> If your computer is joined to an AD domain, is running Samba with 'security
> = ADS' and winbindd is running, the line in /etc/nsswitch should be 'passwd:
> files winbind' (the group line should be 'group: files winbind')

> Your users should not be in /etc/passwd, they should only be in AD (as
> should your groups)

Sorry but we certainly won't be doing this.  The group memberships
we want to obey are Unix groups, not AD groups.  We have whole labs
full of machines running sssd and we're not about to make Winbind the
primary authentication system on those machines.  We're sharing Unix
files owned by Unix users, *but* the people accessing these files are
generally on Windows so we want the AD authentication they already have
on their client Windows system to allow them into the Samba server.
This was all working until earlier this week.

> >OK I will look at that in detail later, but it mentions putting winbind
> >in nsswitch.conf which I don't think we want to do.

> Oh you do, you really do, If not, either run 'sssd' (which will do what
> running winbind does) and replace 'ldap' in /etc/nsswitch.conf with 'sss',
> or turn Samba off.

"Turn Samba off" is not helpful, and the only reason why we started Winbind
on this server this week is that the Badlock patches broke our previous
Winbind-less configuration and the answer from Samba to this appears to
be that running Winbind is the only way to fix this in the short term.

I am certainly willing to consider starting up sssd if you think it
will help - but it's done this way because we have a conflict between
the Kerberos realm that sssd wants and the one that Windows AD wants.

But as I say, "getent" works perfectly well to retrieve the password
and group files, so I'm not sure what benefit sssd would bring.

What we need is a translation between the Unix usernames on the server
and the (identical) usernames in the Windows AD domain, which works so
that your Unix group memberships will allow you to access files that
have group permissions.  Certain online resources gave me the impression
that "username map script = /bin/echo" does this; but that fixes one
problem and introduces another.

Ian Collier.

More information about the samba mailing list