> On 6 Dec 2018, at 15:45, Gilbert E. Detillieux <gede...@cs.umanitoba.ca> 
> wrote:
> 
> What I'm now trying to set up is a working winbindd-based configuration to 
> essentially do what smbd used to do directly (communicating with the AD 
> server) before they took that functionality away, with as little fuss (and 
> opportunity for breakage) as possible.

We run Samba 4.7 on FreeBSD on our storage servers and hit the same issue with 
the winbind requirement when testing 4.8. The problem is that not all AD setups 
are alike. We store unix attributes in AD because we mix Samba and NFS. The 
following works in our setup. YMMV.

  idmap config * : backend = tdb
  idmap config * : range = 9000-9999
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind nss info = rfc2307
  winbind expand groups = 3
  idmap config <domain>:default = yes
  idmap config <domain>:backend = ad
  idmap config <domain>:range = 10000-60000
  idmap config <domain>:schema_mode = rfc2307

Change <domain> to your AD domain and change the range to the uid range of the 
unix attributes given to your AD accounts. This must not overlap with the range 
used by the tdb backend (which as I understand it should not overlap local 
accounts). You then need to run "net ads join -U <user>" where "<user>" has 
rights to join a machine to the domain. You can test using "wbinfo -u" which 
should list all your users. The command "wbinfo -i <user>" will show info for a 
user. We found that we needed to give the "Domain Users" group unix attributes 
or winbind will fail to do lookups properly. We also find that winbind uses 
pre-w2k group names. Our AD domain was an add-on to our setup (and we didn't 
really know what we were doing) so these names can differ on our AD.

The University of St Andrews is a charity registered in Scotland, No. SC013532.
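As an added example (not code from the thread or from Samba): a small POSIX sh checker for the point above that the tdb and ad idmap ranges must not overlap each other or the uids of local accounts. The domain name EXAMPLE, the file paths and the passwd entries are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "idmap config ... : range"
# lines of an smb.conf fragment, flag ranges that overlap each other, and flag
# local passwd uids that fall inside a winbind range. Sample files are constructed.

# Print "n domain lo hi" for each idmap range found in file $1.
idmap_ranges() {
  awk -F'=' '/^[[:space:]]*idmap config .*:[[:space:]]*range[[:space:]]*=/ {
    split($1, a, ":"); dom = a[1]
    sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom); gsub(/[[:space:]]+$/, "", dom)
    split($2, r, "-"); gsub(/[[:space:]]/, "", r[1]); gsub(/[[:space:]]/, "", r[2])
    print ++n, dom, r[1], r[2] }' "$1"
}

# True when [lo1,hi1] and [lo2,hi2] share no uid.
ranges_disjoint() { [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]; }

# Print one line per problem found in config $1 against passwd file $2.
idmap_conflicts() {
  ranges=$(idmap_ranges "$1")
  echo "$ranges" | while read -r i1 d1 lo1 hi1; do
    [ -n "$lo1" ] || continue
    echo "$ranges" | while read -r i2 d2 lo2 hi2; do
      [ "$i1" -lt "$i2" ] || continue          # visit each pair once
      ranges_disjoint "$lo1" "$hi1" "$lo2" "$hi2" ||
        echo "overlap: $d1 $lo1-$hi1 vs $d2 $lo2-$hi2"
    done
    # Local accounts whose uid lands inside a winbind-managed range.
    awk -F: -v d="$d1" -v lo="$lo1" -v hi="$hi1" \
      '$3+0 >= lo+0 && $3+0 <= hi+0 { print "local uid " $3 " (" $1 ") inside " d " " lo "-" hi }' "$2"
  done
}

# Exit 0 only when no problem was reported.
idmap_ok() { [ -z "$(idmap_conflicts "$1" "$2")" ]; }

# Constructed sample data: the thread's ranges, a copy with the tdb range
# widened so it collides with the ad range, and a passwd file with a local admin.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
  idmap config * : backend = tdb
  idmap config * : range = 9000-9999
  idmap config EXAMPLE:backend = ad
  idmap config EXAMPLE:range = 10000-60000
EOF
sed 's/9000-9999/9000-19999/' "$tmp/good.conf" > "$tmp/bad.conf"
printf 'root:x:0:0::/root:/bin/sh\nlocaladm:x:1001:1001::/home/localadm:/bin/sh\n' > "$tmp/passwd"

idmap_conflicts "$tmp/bad.conf" "$tmp/passwd"   # reports the tdb/ad overlap
```

Run it against your real smb.conf and /etc/passwd before "net ads join"; a local uid inside the ad range is exactly the collision the text warns about.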
