Limited winbind usability with Samba 4

Almost exactly a year ago the first official Samba 4 release saw the light of the world, bringing with it Active Directory Domain Controller support as one of its biggest merits. All relevant Windows APIs had been implemented, thus allowing for all user management to be done through Windows tools such as the “Active Directory Users and Computers” MMC console.

This does of course wake the appetite of moving all users into the AD and let the Linux system authenticate against it as well, a scenario that has been supported through the use of Samba’s winbind for some time now.

As the new “samba” master binary coordinates the other daemons itself, there is no need to start winbindd manually any more. Editing /etc/nsswitch.conf as follows:


passwd: compat winbind
group: compat winbind

makes AD user accounts become visible to the system:


# getent passwd
[...]
vscan:x:65:487:Vscan account:/var/spool/amavis:/bin/false
fetchmail:x:486:2:mail retrieval daemon:/var/lib/fetchmail:/bin/false
BS3\Administrator:*:0:100::/home/%U:/bin/bash
BS3\Guest:*:3000011:3000012::/home/%U:/bin/bash

Note how this output shows two things:

  • “winbind use default domain = yes” does not work: user names are returned including the Samba domain name.
  • Setting “template homedir” does not work: in the example above, it was set to /home/%U, of course, but the “%U” placeholder does not get replaced. Strangely, even if you configure the default values, /home/%D/%U, this won’t work. Comment out the option completely and that very default will work.

Unfortunately, this effectively makes Samba 4 (tested with version 4.1.2 to be precisely) currently quite unusable for the intended purpose.

The first issue has already been reported as Bugzilla #9780. For the second issue there are at least two tickets, Bugzilla #9839 and Bugzilla #9898. According to a comment in the former, the winbindd used in Samba 4 misses support for these placeholders and requires replacement by a combined (Samba 3/Samba 4) winbindd implementation. I do not know of any roadmap for that.

Leave a comment