[Samba] winbind question
Rowland penny
rpenny at samba.org
Sat Feb 15 20:39:55 UTC 2020
On 15/02/2020 19:15, Steve Thompson via samba wrote:
> I could use some input to point out the error in my configuration,
> which eludes me.
>
> Previously I operated a 225-node cluster with samba 4.3 and sssd on
> the Linux boxes. Everything worked OK.
>
> Now I am using samba 4.11.6 on CentOS 7.7, patched up to date.
Have you compiled Samba yourself, or are you using Samba packages and, if
so, where from?
> The DC, on a KVM VM, is the only node configured so far. I am using
> winbind in place of sssd (my first experience with winbind). BIND9_DLZ
> pointing to a DNS hosted on the same virtual box.
What do you mean by 'DNS hosted on the same virtual box'?
> The smb.conf is exactly as created by the domain provision, except
> that I added:
>
> winbind use default domain = yes
> winbind nss info = rfc2307
Those two do not work on a DC.
> template shell = /bin/zsh
> template homedir = /fs/home/%U
>
> All installation tests seem to work OK. I create a group and a user
> (username smt) with samba-tool, and add the appropriate loginShell,
> unixHomeDirectory, uidNumber and gidNumber attributes. The "wbinfo -i
> smt" command gives:
>
> VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
Is there a reason to use such low IDs?
I know where the '100' is coming from, you haven't given Domain Users a
gidNumber.
>
> while "getent passwd smt" gives:
>
> VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
>
> The things that I don't understand are the absence of gecos, and the
> (uid,gid) of (1000,100). Both the uid and gid are wrong. I don't know
> where winbind is getting these values; if I modify the values in the
> database using ldbmodify and flush the winbind caches, the values
> returned by wbinfo and getent do not change from those shown above. If
> I change the template home directory, the values seen by wbinfo and
> getent do change as expected, since the DB values are evidently not
> used on a DC. Any pointers?
Yes, do not use the DC as a fileserver ;-)
You cannot use the loginShell and unixHomeDirectory attributes on a
Samba AD DC.
Rowland
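
A small lint for the point made in the reply above, as an added example that is not part of the original message or of Samba itself: it reads the [global] section of an smb.conf and, when the server role is an AD DC, reports the two parameters the reply says do not work there. The sample configuration (including the netbios name and realm) is constructed, and only the exact role string `active directory domain controller` is recognised.

```python
import re

# Parameters the reply in this thread says do not work on a DC.
IGNORED_ON_DC = ("winbind use default domain", "winbind nss info")
DC_ROLE = "active directory domain controller"

# Constructed sample mirroring the additions described in the thread.
SAMPLE = """\
[global]
netbios name = DC1
realm = VOYAGER.EXAMPLE
server role = active directory domain controller
workgroup = VOYAGER
Winbind Use Default Domain = yes
winbind nss info = rfc2307
template shell = /bin/zsh
template homedir = /fs/home/%U
"""

def _key(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name.lower())

def parse_global(text):
    """Map normalised parameter name -> (line number, value) for [global]."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = (lineno, value.strip())
    return params

def lint_dc(text):
    """Return (line, parameter, value) for settings that do not work on an AD DC."""
    params = parse_global(text)
    role = params.get(_key("server role"), (0, ""))[1]
    if " ".join(role.lower().split()) != DC_ROLE:
        return []
    hits = [params[_key(p)] + (p,) for p in IGNORED_ON_DC if _key(p) in params]
    return sorted((line, p, value) for line, value, p in hits)

if __name__ == "__main__":
    for line, param, value in lint_dc(SAMPLE):
        print(f"line {line}: '{param} = {value}' does not work on an AD DC")
```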