[Samba] winbind question

Rowland penny rpenny at samba.org
Sat Feb 15 22:02:24 UTC 2020

On 15/02/2020 21:31, Steve Thompson via samba wrote:
> On Sat, 15 Feb 2020, Rowland penny via samba wrote:
>> On 15/02/2020 19:15, Steve Thompson via samba wrote:
>>>  Now I am using samba 4.11.6 on CentOS 7.7, patched up to date. 
>> Have you compiled Samba yourself, or are you using Samba packages and 
>> if so, where from ?
>>>  The DC, on a KVM VM, is the only node configured so far. I am using
>>>  winbind in place of sssd (my first experience with winbind). BIND9_DLZ
>>>  pointing to a DNS hosted on the same virtual box. 
>> What do you mean by 'DNS hosted on the same virtual box' ?
>>>  The smb.conf is exactly as created by the domain provision, except
>>>  that I added:
>>>      winbind use default domain = yes
>>>      winbind nss info = rfc2307
>> Those two do not work on a DC.
> OK, I removed them.
>>>  All installation tests seem to work OK. I create a group and a user
>>>  (username smt) with samba-tool, and add the appropriate loginShell,
>>>  unixHomeDirectory, uidNumber and gidNumber attributes. The
>>>  "wbinfo -i smt" command gives:
>>>      VOYAGER\smt:*:1000:100::/fs/home/smt:/bin/zsh
>> Is there a reason to use such low ID's ?
> UID's and GID's are already assigned (via file ownerships) for 2500 
> users across many fileservers, and I do not really want to change them.
That is a good enough reason ;-)
>> I know where the '100' is coming from, you haven't given Domain Users 
>> a gidNumber.
> I assigned a gidNumber to Domain Users, and now both wbinfo and getent 
> return that number for the user's gid instead of the user's gidNumber 
> from the database. This is wrong is it not? And it doesn't explain why
> the uid was incorrect also.

OK, on a DC, by default, the user & group ID's are allocated in 
idmap.ldb (xidNumbers in the 3000000 range), but if you give a user a 
uidNumber, this will be used instead of the xidNumber. The same goes for 
a group, give it a gidNumber and this will be used instead of the 
xidNumber. You can give every AD user a gidNumber attribute (which must 
be the gidNumber of an existing group) and it will be ignored on a DC.

If you want to use that user's gidNumber, there is only one way: create a 
Unix domain member running Samba >= 4.6.0 using idmap_ad and use 'idmap 
config SAMDOM:unix_primary_group = yes' in smb.conf

>> Yes, do not use the DC as a fileserver ;-)
> I understand this.
>> You cannot use the loginShell, and unixHomeDirectory attributes on a 
>> Samba AD DC
> I understand this too. I don't understand why this should be a 
> limitation, though. I realize it was coded this way, but why?
I am with you, but there are numerous other reasons not to use a DC as a 


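As an added illustration (not part of the thread above, and not a configuration posted by either participant), the smb.conf fragment below sketches the Unix domain member setup Rowland refers to: the idmap_ad backend with unix_primary_group, so that winbind returns the gidNumber stored on the user object instead of the gidNumber of the user's primary group. VOYAGER is the domain name visible in the quoted wbinfo output; the realm, the ID ranges and the template paths are assumptions for the example, not values taken from the thread.

```ini
# smb.conf for a Samba >= 4.6 Unix domain member (example, not from the thread)
[global]
   workgroup = VOYAGER
   realm = VOYAGER.EXAMPLE.COM          ; assumed realm
   security = ADS

   # Default backend for SIDs that have no RFC2307 attributes (BUILTIN etc.).
   # This range must not overlap the VOYAGER range below.
   idmap config * : backend = tdb
   idmap config * : range = 1000000-1999999

   # Read uidNumber/gidNumber from AD. The range must contain every
   # uidNumber and gidNumber in use; the thread mentions uid 1000 and
   # gid 100, so the lower bound is set well below them (assumed range).
   idmap config VOYAGER : backend = ad
   idmap config VOYAGER : schema_mode = rfc2307
   idmap config VOYAGER : range = 100-999999

   # Use loginShell and unixHomeDirectory from AD (the attributes the
   # reply says a DC cannot use); template values apply when they are unset.
   idmap config VOYAGER : unix_nss_info = yes
   template shell = /bin/bash
   template homedir = /fs/home/%U

   # Return the user's own gidNumber as the primary group instead of the
   # gidNumber of the primary group object (the option named in the reply).
   idmap config VOYAGER : unix_primary_group = yes

   # Works on a member, unlike on the DC where the thread removed it.
   winbind use default domain = yes
   winbind refresh tickets = yes
```

Once the member has joined the domain (`net ads join -U Administrator`) and winbind is running with `winbind` in the passwd and group lines of nsswitch.conf, `getent passwd smt` should show uid 1000 and the gidNumber set on the user object, and `id smt` should list Domain Users among the supplementary groups rather than as the primary one. If a user's uidNumber or gidNumber falls outside the VOYAGER range, winbind returns no mapping for that user at all, so check the range against the existing 2500 UIDs before relying on it.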