CentOS 5.2 and Winbind

February 7, 2009

Built a Linux Samba server for a file server this week. It’s in a satellite office connected via OpenVPN to the main office, which hosts Active Directory. Samba is running winbind, which allows transparent access to resources and minimal management on the server. I learned that winbind’s offline logons work for local or ssh logon to the server if Active Directory is unavailable, but it does not allow offline access to the server via network shares; the VPN and Active Directory must be up to initially log on and get drives mapped. Outages during the day do not impact file or printer access. This could be disastrous in certain situations, but considering the bulk of the work this office does is via E-mail or Citrix, an Internet outage means they don’t get any work done anyway.

This setup is very similar to plain ads security mode as described in my earlier post, Configure Samba with Domain Security Mode, but, while a little more complicated to set up, it has more features, such as local logon privileges for AD users.

Had a heck of a time getting winbind working on CentOS 5.2. Most everything worked: the server joined the domain and `wbinfo -u` returned users, but getent wasn't working. `getent passwd` only returned local users, and `getent group` returned local groups plus only two domain groups, both prefixed with BUILTIN. Finally figured out I had this in my smb.conf:

winbind trusted domains only = yes

when it should be this:

winbind trusted domains only = no
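
As an added example (not part of the original post), here is a small sanity check for the winbind/NSS plumbing the paragraph above is about. It reads captured `wbinfo -u` and `getent passwd` output from files so it runs offline; the file names, the sample users and the sample smb.conf are constructed for the demo, and the idmap range 10000-20000 is taken from the config below.

```shell
#!/bin/sh
# Added example, not from the original post: check the winbind/NSS plumbing.
# The checks read captured command output from files so they run offline; on
# the server itself you would produce those files with
#   wbinfo -u > users.wbinfo
#   getent passwd > users.getent
# File names, sample users and the sample smb.conf below are constructed.

# 1) Exit 0 if smb.conf carries the setting that hid domain users from getent.
smbconf_trusted_domains_only_yes() {
    grep -Eiq '^[[:space:]]*winbind[[:space:]]+trusted[[:space:]]+domains[[:space:]]+only[[:space:]]*=[[:space:]]*yes' "$1"
}

# 2) Print every user from "wbinfo -u" that "getent passwd" does not resolve.
#    With "winbind use default domain = yes" the names carry no DOMAIN+ prefix,
#    so they compare directly against the first passwd field.
users_missing_from_nss() {
    names=$(mktemp)
    cut -d: -f1 "$2" | sort -u > "$names"
    sort -u "$1" | comm -23 - "$names"
    rm -f "$names"
}

# 3) Print "user:uid" for domain users whose uid falls outside the idmap uid
#    range from smb.conf ($3-$4). A uid outside that range means the mapping
#    is not coming from winbind's idmap as intended.
idmap_range_violations() {
    awk -F: -v lo="$3" -v hi="$4" '
        NR == FNR { domain[$1] = 1; next }          # first file: wbinfo -u names
        ($1 in domain) && ($3 < lo || $3 > hi) { print $1 ":" $3 }
    ' "$1" "$2"
}

# --- constructed sample input ------------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/smb.conf" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ads
   idmap uid = 10000-20000
   winbind use default domain = yes
   winbind trusted domains only = yes
EOF
printf 'alice\nbob\ncarol\n' > "$demo/users.wbinfo"
cat > "$demo/users.getent" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jsmith:x:500:500:Local Admin:/home/jsmith:/bin/bash
alice:x:10001:10000::/home/alice:/bin/bash
bob:x:25000:10000::/home/bob:/bin/bash
EOF

if smbconf_trusted_domains_only_yes "$demo/smb.conf"; then
    echo "smb.conf: 'winbind trusted domains only = yes' will hide domain users from getent"
fi
echo "Domain users wbinfo knows but getent cannot resolve:"
users_missing_from_nss "$demo/users.wbinfo" "$demo/users.getent"
echo "Domain users mapped outside the idmap uid range:"
idmap_range_violations "$demo/users.wbinfo" "$demo/users.getent" 10000 20000
```

On the sample data the first check fires, `carol` is reported as unresolved by NSS, and `bob:25000` is reported as sitting outside the idmap range; on a healthy server all three checks print nothing.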

Just in case it helps anyone else, here are the relevant portions of my config files:



/etc/samba/smb.conf:

```ini
[global]
   workgroup = DOMAIN
   password server =
   realm = DOMAIN.COM
   security = ads
   idmap uid = 10000-20000
   idmap gid = 50000-60000
   winbind separator = +
   template homedir = /home/%U
   template shell = /bin/bash
   printing = cups
   printcap name = cups
   load printers = yes
   encrypt passwords = yes
   passdb backend = tdbsam
   server string = MY-SERVER
   os level = 20
   client use spnego = yes
   winbind offline logon = yes
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind trusted domains only = no
```

/etc/krb5.conf:

```ini
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 DOMAIN.COM = {
  kdc =
  kdc =
  kdc =
  admin_server =
  default_domain =
 }

[domain_realm]
# DNS domain names here are assumed to be the realm in lower case
 .domain.com = DOMAIN.COM
 domain.com = DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
```

/etc/pam.d/system-auth:

```text
# pam_*.so module names are assumed: the stock CentOS 5 authconfig stack for winbind + krb5
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     optional      pam_krb5.so
```

/etc/nsswitch.conf:

```text
passwd:     files winbind
shadow:     files winbind
group:      files winbind
```


/etc/security/pam_winbind.conf:

```ini
[global]
;debug = yes
cached_login = yes
;krb5_auth = yes
;krb5_ccache_type = FILE
;require_membership_of =
```

In order to get shared documents on the server to act more Windows-like, I had to change the default umask and use ACLs instead of the default file security:


/etc/bashrc:

```sh
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
else
        umask 002
fi
```

/etc/samba/smb.conf, share parameters:

```ini
#========= Share Definitions ========
  create mask = 0770
  force create mode = 0770
  force directory mode = 0770
  force group = DOMAIN+Group_Name
```

Use chown and chmod to set your domain groups as owners of your shared directories. It should look something like this:

```text
# ls -l
drwxrwx--- 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs
```

Then for ACLs, use setfacl:

```text
# setfacl -d -R -m u::rwx,g::rwx,m::rwx Docs
```

Use getfacl to confirm. When you `ls` a directory after that, you'll see a + sign next to the normal permissions:

```text
# ls -l
drwxrwx---+ 2 root DOMAIN+domain users 4096 Feb  6 15:13 Docs
```
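
As an added example (not part of the original post), the script below audits a share tree for entries that have drifted from the layout just described: everything owned by the domain group, nothing granted to "other", and directories carrying a default ACL so new files inherit group rwx. It assumes GNU find and getfacl as shipped on CentOS; the sample tree and the use of the current user's primary group in place of DOMAIN+Group_Name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit a share tree against the
# group-owned / 0770 / default-ACL layout described above. GNU find and
# getfacl are assumed; the sample tree below is constructed.

# Print entries under $1 that grant any permission to "other" or that are not
# owned by group $2. Either breaks the "the group owns the share" model, and
# the first leaks data to every local account on the box.
share_mode_violations() {
    find "$1" \( -perm /007 -o ! -group "$2" \) -print | sort
}

# Print directories under $1 that have no default ACL. Returns 2 when getfacl
# is not installed so the caller can tell "unknown" from "clean".
dirs_without_default_acl() {
    command -v getfacl >/dev/null 2>&1 || return 2
    find "$1" -type d | sort | while read -r d; do
        [ -n "$(getfacl -d --omit-header "$d" 2>/dev/null)" ] || echo "$d"
    done
}

# Bring a tree back in line: group ownership, u/g=rwx with nothing for "other"
# (the post's 0770), plus the post's default ACL. Note that "setfacl -d" only
# affects entries created afterwards; the chmod covers what already exists.
enforce_share_layout() {
    chgrp -R "$2" "$1"
    chmod -R u=rwX,g=rwX,o= "$1"
    setfacl -d -R -m u::rwx,g::rwx,m::rwx "$1"
}

# --- constructed sample tree --------------------------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
grp=$(id -gn)                                # stands in for DOMAIN+Group_Name
mkdir -p "$demo/Docs/ok" "$demo/Docs/leaky"
touch "$demo/Docs/ok/report.doc" "$demo/Docs/worldreadable.txt"
chmod 0770 "$demo/Docs" "$demo/Docs/ok"
chmod 0660 "$demo/Docs/ok/report.doc"
chmod 0775 "$demo/Docs/leaky"                # drifted: anyone can list it
chmod 0664 "$demo/Docs/worldreadable.txt"    # drifted: anyone can read it

echo "Entries that leak to 'other' or have the wrong group:"
share_mode_violations "$demo/Docs" "$grp"
echo "Directories without a default ACL:"
dirs_without_default_acl "$demo/Docs" || echo "(getfacl not available, skipped)"
```

On the sample tree the audit reports `Docs/leaky` and `Docs/worldreadable.txt`; after `enforce_share_layout "$demo/Docs" "$grp"` (which needs setfacl and a filesystem with ACL support) both lists come back empty. Run the audit periodically against the real share, since files copied in over ssh or by a local process bypass the Samba masks entirely and only the default ACL and the umask stand between them and a world-readable mode.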

Filed under: Linux, Microsoft, Windows