[Samba] Samba winbind getgroups lookup

Satay Epic satayepic at gmail.com
Thu Oct 3 14:05:22 UTC 2019


We have winbind client running on CentOS 7.3.1611 host connected to MS
active directory. It is working normal for local and AD users. However
in the logs, I see that NSS is throwing call to winbind to retrieve
the groups for "root" user. I wonder why it does and what can be done
to make it stop doing that. I believe it should do the lookup only for
the domain/AD users.

[2019/10/02 17:00:01.952225, 3]
../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
getgroups root


samba-winbind-4.4.4-14.el7_3.x86_64


# cat /etc/nsswitch.conf | grep winbind
passwd: files winbind
shadow: files winbind
group: files winbind




cat /etc/samba/smb.conf
[global]

workgroup = DOMAIN
realm = DOMAIN.COM
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind max clients = 1000
template shell = /bin/bash

idmap domains = DOMAIN
idmap config DOMAIN:range = 10000 - 49999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid

################################################
# Required for Samba/Winbind 3.4+
# Note that local tdb idmap backend
# required now for Samba/Winbind 3.4+
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
#################################################


Thanks in advance.



More information about the samba mailing list