[Samba] 'winbind' on the 'shadow' line in nsswitch.conf

Alexey A Nikitin nikitin at amazon.com
Tue Feb 26 18:10:22 UTC 2019

On Tuesday, 26 February 2019 00:49:50 PST Rowland Penny via samba wrote:
> You don't need to add 'winbind' to the shadow line mainly because it
> isn't needed and as you have said, there have been reports of strange
> things happening in wbinfo if it is added.

I understand that I don't need to add 'winbind' to the 'shadow' line. I also understand that it would be a potential mistake too, since Winbind doesn't implement 'shadow' database (according to the docs, anyway). Problem is, we already got several thousand machines in production with 'winbind' in the 'shadow' line, and they (mostly) appear to be working OK, except for about 2-4% that have intermittent failures of getpwnam() and/or authentication failures. Changing the configuration in those production machines is definitely possible, but I'm trying to understand what's the exact risk of leaving existing machines as-is, and whether there may be any connection between those intermittent auth/getpwnam failures and this config option. Any insight into the system behavior with unimplemented 'shadow' database in nsswitch.conf is appreciated.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.samba.org/pipermail/samba/attachments/20190226/e208afff/signature.sig>

More information about the samba mailing list