[Samba] Samba winbind getgroups lookup

Rowland penny rpenny at samba.org
Fri Oct 4 14:50:37 UTC 2019

On 04/10/2019 15:16, Satay Epic wrote:
> Ok. Wondering if it is fixed by changing the idmap backend to "ad"?
If your only problem is that you are getting a message in your logs 
about checking for groups for 'root', then I would not worry about it. The 
advantage of using the 'ad' backend is that you get the same Unix ID 
everywhere (including on Samba AD DCs) and get to use RFC2307 attributes 
on Unix domain members. However, you will still need to map 
Administrator to root.
> Is "ad" backend a better option than "rid" since we have MS AD or otherwise?
See above.
> My next task is to ensure PAM is set up correctly with winbind. I'm
> going to validate the PAM configs.
Pity you are not using Debian; just installing the correct packages does 
this for you. Not sure if this happens on CentOS.
> Do you have any recommendations of PAM / winbind settings?
Not really, I use Devuan.
> We also have "nscd" running for the DNS host lookup. Is it right to
> have "nscd" running beside "winbind"?

If nscd is only caching DNS, then you can run it on a Unix domain 
member, but I would rather run a caching/forwarding nameserver on the 
Unix domain members.

