[Samba] samba 4 in AD 2008R2 without winbind

Daniele Bernazzi daniele at ao-siena.toscana.it
Wed May 24 10:45:58 UTC 2017

On 05/24/2017 09:04 AM, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 08:25:57 +0200 (CEST)
> Daniele Bernazzi via samba <samba at lists.samba.org> wrote:
>> Hi all, my goal is to have samba (ubuntu 16.04 samba 4.3.11)
>> validating internal user (just the user presents on /etc/passwd) on
>> an existing AD 2008R2. I am making a fresh install and I did it using
>> winbind, but this component puzzle me with id mapping, so I am trying
>> to avoid the use of winbind. Unfortunately, when I stop winbind I got
>> always NT_STATUS_NO_LOGON_SERVERS; it seems like samba is not able to
>> reach the PDC; digging with tcpdump shows the usage of only port 445
>> by samba, while winbind use also 135 and 88 ... Any clue? thank you.
>> Daniele Bernazzi
> Not sure I understand what you are saying, but you seem to be saying
> you have a Windows 2008R2 server running as an AD DC, is this correct ?
> If this is correct, your plan to validate users that are in /etc/passwd
> isn't going to work. You cannot have users in /etc/passwd and AD, if
> they are in /etc/passwd they are local users and have nothing to do
> with AD and if they are in AD, they are AD users but can also be local
> users.
> If your computer is joined to the domain, you need to use winbind, so
> just what problems did you have ?
> Rowland

Thank you Rowland for your prompt reply. For what I read is possible to
use samba without winbind:

There is this note in that doc:
If winbindd is not running, smbd (which calls winbindd) will fall back
to using purely local information from /etc/passwd and /etc/group and no
dynamic mapping will be used. On an operating system that has been
enabled with the NSS, the resolution of user and group information will
be accomplished via NSS.

I whish to restrict access just to users presents in /etc/passwd. With
winbind I have to adopt some workarounds to meet the unix uid with
windows sid and I am trying to avoid it


More information about the samba mailing list