Configuring Winbindd on a Samba AD DC
- 1 Introduction
- 2 Setting Winbindd Parameters in the smb.conf File
- 3 Configuring the Name Service Switch
- 4 The winbindd Service
- 5 Testing the Winbindd Connectivity
- 6 Authenticating Domain Users Using PAM
Winbindd service enables you to:
- Use domain users and groups in local commands, such as
- Display domain users and groups in local command's output, such as
Winbindd on a Samba Active Directory (AD) domain controller (DC) is different than on a domain member. To configure the service on a domain member, see Setting up Samba as a Domain Member.
The Difference Between the
Samba 4.0 and 4.1 used a new
Winbind implementation built into the
samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the
winbindd utility to be used on domain controllers (DC). If you run a Samba version prior 4.2, update to a supported version before using
Winbindd. For details, see Updating Samba.
Identity Mapping on a Samba Domain Controller
Identity Mapping works different on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as
ad (RFC2307) or
rid, in the
smb.conf file is not supported an can cause the
samba service to fail. For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails.
On a Samba Active Directory DC,
Winbindd always reads reads the user IDs (UID) and group IDs (GID) from the values set in the
gidNumber attributes set in the AD objects. For users and groups not having a UID or GID assigned, an ID is generated locally on the DC and stored in the
|If you set an ID in the AD object's properties after a local ID was generated, |
Winbindd Parameters in the smb.conf File
Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the
smb.conf file is required.
User and group IDs, are loaded from Active Directory (AD) or automatically generated locally. For details, see Identity Mapping on a Samba Domain Controller.
On a Samba DC, only the winbind template mode is supported. In this mode, all users get:
- The home directory path assigned, set in the
template homedirparameter. This defaults to
- The shell assigned, set in the
template shellparameter. This defaults to
To assign the
/bin/bash shell and the
/home/%U path as home directory path to all domain users provided by
- Add the following parameters to the
[global]section of your
template shell = /bin/bash template homedir = /home/%U
- For details, see the
- Restart the
|On a Samba AD DC, not all of the |
Configuring the Name Service Switch
To enable the name service switch (NSS) library to make domain users and groups available to the local system:
- Append the
winbindentry to the following databases in the
passwd: files winbind group: files winbind
- Keep the
filesentry as first source for both databases. This enables NSS to look up domain users and groups from the
/etc/groupfiles before querying the Winbind service.
- Keep the
- Do not add the
winbindentry to the NSS
shadowdatabase. This can cause the
- Do not add the
Do not use the same user names in the local
/etc/passwdfile as in the domain.
- If you compiled Samba, add symbolic links from the
libnss_winbindlibrary to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
Do not start the
winbindd Service manually on a Samba Active Directory (AD) domain controller (DC). The service is started automatically as a sub-process of the
samba process. To verify, enter:
# ps axf ... 2156 ? Ss 0:00 /usr/local/samba/sbin/samba -D 2158 ? S 0:00 \_ /usr/local/samba/sbin/samba -D 2172 ? R 0:00 \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground ...
Testing the Winbindd Connectivity