Configuring Winbindd on a Samba AD DC

Revision as of 12:53, 5 January 2017 by Hortimech (edit summary: removed a line that shouldn't have been there in the first place)


The Winbindd service enables you to:

  • Use domain users and groups in local commands, such as chown and chgrp.
  • Display domain users and groups in the output of local commands, such as ls.

Configuring Winbindd on a Samba Active Directory (AD) domain controller (DC) differs from configuring it on a domain member. To configure the service on a domain member, see Setting up Samba as a Domain Member.

The Difference Between the Winbind and Winbindd Service

Samba 4.0 and 4.1 used a new Winbind implementation built into the samba command. However, this implementation never worked correctly. For this reason, Samba 4.2 enabled the winbindd utility to be used on domain controllers (DCs). If you run a Samba version prior to 4.2, update to a supported version before using Winbindd. For details, see Updating Samba.

Identity Mapping on a Samba Domain Controller

Identity mapping works differently on a Samba domain controller (DC) than on a domain member. For example, setting up an ID mapping back end, such as ad (RFC2307) or rid, in the smb.conf file is not supported and can cause the samba service to fail. For details, see Accessing Shares on Domain Controllers Having idmap config Parameters Set in the smb.conf File Fails.

On a Samba Active Directory DC, Winbindd always reads the user IDs (UIDs) and group IDs (GIDs) from the uidNumber and gidNumber attributes set on the AD objects. For users and groups that have no UID or GID assigned, an ID is generated locally on the DC and stored in the /usr/local/samba/private/idmap.ldb file.

Setting Winbindd Parameters in the smb.conf File

To run Winbindd on a Samba Active Directory (AD) domain controller (DC), in most cases no configuration in the smb.conf file is required.

User and group IDs are loaded from Active Directory (AD) or automatically generated locally. For details, see Identity Mapping on a Samba Domain Controller.

On a Samba DC, only the winbind template mode is supported. In this mode, all users get:

  • The home directory path set in the template homedir parameter. This defaults to /home/%D/%U.
  • The shell set in the template shell parameter. This defaults to /bin/false.

To assign the /bin/bash shell and the /home/%U path as home directory path to all domain users provided by Winbindd:

  • Add the following parameters to the [global] section of your smb.conf file:

        template shell = /bin/bash
        template homedir = /home/%U

    For details, see the smb.conf(5) man page.
  • Restart the samba service.

Configuring the Name Service Switch

To enable the name service switch (NSS) library to make domain users and groups available to the local system:

  • Append the winbind entry to the following databases in the /etc/nsswitch.conf file:

        passwd: files winbind
        group:  files winbind

  • Keep the files entry as the first source for both databases. This enables NSS to look up domain users and groups in the /etc/passwd and /etc/group files before querying the Winbind service.
  • Do not add the winbind entry to the NSS shadow database. This can cause the wbinfo utility to fail.
  • If you compiled Samba, add symbolic links from the libnss_winbind library to the operating system's library path. For details, see libnss_winbind Links. If you used packages to install Samba, the link is usually created automatically.
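As an added check that is not part of this wiki page, the following POSIX shell script verifies an nsswitch.conf file against the three rules above (winbind present in passwd and group, files listed first, no winbind in shadow); the file paths and sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): check an nsswitch.conf file against
# the rules given above. Paths and file contents below are constructed.

# Print the source list of one NSS database (e.g. "files winbind" for passwd),
# with any trailing comment removed; empty if the database is not configured.
nss_sources() {
    # $1 = nsswitch.conf path, $2 = database name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*//' | head -n 1
}

# Return 0 if "files" is listed before "winbind" in the source list $1.
files_before_winbind() {
    printf '%s\n' "$1" | awk '{
        fi = 0; wi = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "files"   && !fi) fi = i
            if ($i == "winbind" && !wi) wi = i
        }
        exit !(fi && wi && fi < wi)
    }'
}

# Return 0 if the file follows all three rules; otherwise print each violation
# and return 1.
check_nsswitch() {
    f=$1; rc=0
    for db in passwd group; do
        srcs=$(nss_sources "$f" "$db")
        if ! files_before_winbind "$srcs"; then
            echo "$db: '$srcs' -> 'files' must be listed before 'winbind'"; rc=1
        fi
    done
    case " $(nss_sources "$f" shadow) " in
        *" winbind "*) echo "shadow: 'winbind' must not be listed (wbinfo can fail)"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: one that follows the rules, one that breaks two of them.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
printf 'passwd: files winbind\ngroup:  files winbind\nshadow: files\n' >"$GOOD_CONF"
printf 'passwd: winbind files\ngroup:  files winbind # comment\nshadow: files winbind\n' >"$BAD_CONF"

if check_nsswitch "$GOOD_CONF"; then echo "good sample: OK"; fi
check_nsswitch "$BAD_CONF" || echo "bad sample: violations found"
```

Run it against the real file with `check_nsswitch /etc/nsswitch.conf` after sourcing the script; a non-zero exit lists every rule the file violates.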

The winbindd Service

Do not start the winbindd service manually on a Samba Active Directory (AD) domain controller (DC). The service is started automatically as a sub-process of the samba process. To verify, enter:

# ps axf
2156 ?        Ss     0:00 /usr/local/samba/sbin/samba -D
2158 ?        S      0:00  \_ /usr/local/samba/sbin/samba -D
2172 ?        R      0:00      \_ /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

Testing the Winbindd Connectivity

See Testing the Winbindd Connectivity.

Authenticating Domain Users Using PAM

See Authenticating Domain Users Using PAM.