Configuring Winbindd on a Samba AD DC

Introduction

The Winbindd service enables you to:
- Use domain users and groups in local commands, such as chown and chgrp.
- Display domain users and groups in the output of local commands, such as ls.

Configuring Winbindd on a Samba Active Directory (AD) domain controller (DC) is different from configuring it on a domain member. To configure the service on a domain member, see Setting up Samba as a Domain Member.
The Difference Between the Winbind and Winbindd Service

Samba 4.0 and 4.1 used a new Winbind implementation built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DC). If you run a Samba version prior to 4.2, update to a supported version before using Winbindd. For details, see Updating Samba.
Identity Mapping on a Samba Domain Controller

Identity mapping works differently on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as ad (RFC2307) or rid, in the smb.conf file is not supported and can cause the samba service to fail. For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails.

On a Samba Active Directory DC, Winbindd always reads the user IDs (UID) and group IDs (GID) from the values set in the uidNumber and gidNumber attributes of the AD objects. For users and groups that do not have a UID or GID assigned, an ID is generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file.

If you set an ID in the AD object's properties after a local ID was generated, Winbindd uses the value from the directory only after the winbindd cache expires or after you manually run net cache flush. The operating system manages file ownership using IDs, so you must manually reset the permissions on existing files to enable the user to access them using the new ID.
Setting Winbindd Parameters in the smb.conf File

To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required. User and group IDs are loaded from Active Directory (AD) or automatically generated locally. For details, see Identity Mapping on a Samba Domain Controller.

On a Samba DC, only the winbind template mode is supported. In this mode, all users get:
- The home directory path set in the template homedir parameter. This defaults to /home/%D/%U.
- The shell set in the template shell parameter. This defaults to /bin/false.

To assign the /bin/bash shell and the /home/%U path as the home directory to all domain users provided by Winbindd:
- Add the following parameters to the [global] section of your smb.conf file:
    template shell = /bin/bash
    template homedir = /home/%U
  For details, see the smb.conf(5) man page.
- Restart the samba service.

On a Samba AD DC, not all of the Winbindd-related parameters described in the smb.conf(5) man page are supported. Additionally, some of the parameters, such as idmap config, can cause the samba service to fail. Currently, the man page does not highlight which parameters are supported on a DC. Thus it is suggested that you keep the defaults or only use the parameters described in this section.
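The following POSIX sh script is an added example, not part of the Samba wiki page or of Samba itself. It lints an smb.conf intended for a DC the way this section describes: it flags any idmap config parameter (unsupported on a DC and able to make the samba service fail) and reports the effective template shell and template homedir values, falling back to the documented defaults /bin/false and /home/%D/%U when they are not set. The two smb.conf files, the SAMDOM domain name and the function names are constructed for the demonstration; only sed, grep, awk-free shell and mktemp are required.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): lint an smb.conf for a Samba AD DC.
# Flags "idmap config" parameters (unsupported on a DC, can make samba fail)
# and reports the effective template shell/homedir values.
# The smb.conf contents below are constructed for the demo.

# Print the effective value of a parameter, or the given default when unset.
# Leading whitespace is stripped and comment lines (# or ;) are ignored;
# the last occurrence wins, as in smb.conf.
effective_param() {
    conf=$1; name=$2; default=$3
    value=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$conf" \
        | grep -i "^$name[[:space:]]*=" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# Return 0 when no "idmap config" parameter is set, 1 otherwise, and print
# the offending lines plus the template values Winbindd will hand out.
check_dc_smb_conf() {
    conf=$1
    status=0
    bad=$(sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' "$conf" \
        | grep -i '^idmap config' || true)
    if [ -n "$bad" ]; then
        echo "unsupported on a DC (can make the samba service fail):"
        printf '%s\n' "$bad" | sed 's/^/    /'
        status=1
    fi
    echo "template shell   = $(effective_param "$conf" 'template shell' '/bin/false')"
    echo "template homedir = $(effective_param "$conf" 'template homedir' '/home/%D/%U')"
    return $status
}

# Constructed sample 1: a DC smb.conf carrying idmap config lines (the mistake).
SMB_CONF_BAD=$(mktemp)
cat > "$SMB_CONF_BAD" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    # copied from a domain member configuration; not supported on a DC
    idmap config * : backend = tdb
    idmap config SAMDOM : backend = rid
    template shell = /bin/bash
EOF

# Constructed sample 2: the same DC with only the template parameters set.
SMB_CONF_GOOD=$(mktemp)
cat > "$SMB_CONF_GOOD" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    template shell = /bin/bash
    template homedir = /home/%U
EOF
trap 'rm -f "$SMB_CONF_BAD" "$SMB_CONF_GOOD"' EXIT

for f in "$SMB_CONF_BAD" "$SMB_CONF_GOOD"; do
    echo "== $f"
    if check_dc_smb_conf "$f"; then
        echo "OK: no unsupported idmap parameters"
    else
        echo "FIX: remove the idmap config lines and restart the samba service"
    fi
done
```

Run it against a real DC by replacing the constructed temp files with /usr/local/samba/etc/smb.conf (or wherever your build keeps it); the first sample shows how a configuration copied from a domain member trips the check, while the second shows the minimal [global] section this page recommends.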
Configuring the Name Service Switch

To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the winbind entry to the following databases in the /etc/nsswitch.conf file:
    passwd: files winbind
    group:  files winbind
- Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service.
- Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
- Do not use the same user names in the local /etc/passwd file as in the domain.
- If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
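The following POSIX sh script is an added example, not code from the Samba wiki or from Samba. It checks an nsswitch.conf against the three rules listed above: passwd and group must list winbind, files must be the first source in both, and shadow must not list winbind. The two nsswitch.conf files and the function names are constructed for the demonstration; the parser assumes the usual "database: source source" layout with the colon attached to the database name.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check an nsswitch.conf against the
# rules for a Winbindd-backed system. The nsswitch.conf contents below are
# constructed for the demo.

# Print the source list of one NSS database ($2) from file $1, comments removed.
# Assumes the common "passwd: files winbind" layout (colon attached to the name).
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2:" '$1 == db { $1 = ""; print }'
}

# Return 0 when the file follows all three rules, 1 otherwise; one finding per line.
check_nsswitch() {
    conf=$1
    status=0
    for db in passwd group; do
        sources=$(nss_sources "$conf" "$db")
        first=$(printf '%s\n' "$sources" | awk '{ print $1 }')
        case " $sources " in
            *" winbind "*) ;;
            *) echo "$db: winbind entry missing"; status=1 ;;
        esac
        if [ "$first" != "files" ]; then
            echo "$db: 'files' must be the first source (found '${first:-none}')"
            status=1
        fi
    done
    # winbind in the shadow database can make wbinfo fail
    case " $(nss_sources "$conf" shadow) " in
        *" winbind "*) echo "shadow: winbind must not be listed here"; status=1 ;;
    esac
    return $status
}

# Constructed sample 1: follows the rules from this section.
NSS_GOOD=$(mktemp)
cat > "$NSS_GOOD" <<'EOF'
# constructed nsswitch.conf that follows the page's rules
passwd:     files winbind
group:      files winbind
shadow:     files
hosts:      files dns
EOF

# Constructed sample 2: breaks all three rules.
NSS_BAD=$(mktemp)
cat > "$NSS_BAD" <<'EOF'
# constructed nsswitch.conf with three mistakes
passwd:     winbind files   # winbind listed before files
group:      files           # winbind missing
shadow:     files winbind   # winbind must not be here
EOF
trap 'rm -f "$NSS_GOOD" "$NSS_BAD"' EXIT

for f in "$NSS_GOOD" "$NSS_BAD"; do
    echo "== $f"
    if check_nsswitch "$f"; then
        echo "OK: nsswitch.conf is set up for winbind"
    else
        echo "FIX: correct the findings above"
    fi
done
```

Point check_nsswitch at /etc/nsswitch.conf on a DC to run the same three checks there. The script only inspects the file; it does not tell you whether libnss_winbind is actually on the library path, so the symbolic-link step for self-compiled installations still has to be verified separately (for instance with getent passwd on a domain user).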
The winbindd Service

Do not start the winbindd service manually on a Samba Active Directory (AD) domain controller (DC). The service is started automatically as a sub-process of the samba process. To verify, enter:
    # ps axf
    ...
     2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
     2158 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
     2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
    ...
Testing the Winbindd Connectivity
See Testing the Winbindd Connectivity.