SCIENTIFIC-LINUX-USERS Archives

December 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Jose Marques <[log in to unmask]>
Date: Mon, 10 Dec 2018 09:26:28 +0000

> On 6 Dec 2018, at 15:45, Gilbert E. Detillieux <[log in to unmask]> wrote:
> 
> What I'm now trying to set up is a working winbindd-based configuration to essentially do what smbd used to do directly (communicating with the AD server) before they took that functionality away, with as little fuss (and opportunity for breakage) as possible.

We run Samba 4.7 on FreeBSD on our storage servers and hit the same issue with the winbind requirement when testing 4.8. The problem is that not all AD setups are alike. We store unix attributes in AD because we mix Samba and NFS. The following works in our setup. YMMV.

  idmap config * : backend = tdb
  idmap config * : range = 9000-9999
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes
  winbind nss info = rfc2307
  winbind expand groups = 3
  idmap config <domain>:default = yes
  idmap config <domain>:backend = ad
  idmap config <domain>:range = 10000-60000
  idmap config <domain>:schema_mode = rfc2307

Change <domain> to your AD domain and change the range to the uid range of the unix attributes given to your AD accounts. This must not overlap with the range used by the tdb backend (which as I understand it should not overlap local accounts). You then need to run "net ads join -U <user>" where "<user>" has rights to join a machine to the domain. You can test using "wbinfo -u" which should list all your users. The command "wbinfo -i <user>" will show info for a user. We found that we needed to give the "Domain Users" group unix attributes or winbind will fail to do lookups properly. We also find that winbind uses pre-w2k group names. Our AD domain was an add-on to our setup (and we didn't really know what we were doing) so these names can differ on our AD.

The University of St Andrews is a charity registered in Scotland, No. SC013532.
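A consistency check for the idmap settings discussed in the message above, written as an added example (not code from the message or from Samba): it parses the "idmap config" lines, verifies that the per-domain ranges do not overlap each other, and flags local passwd uids that fall inside any winbind range. The domain name EXAMPLE, the smb.conf fragment and the passwd lines are constructed for this example.

```python
import re
from itertools import combinations

# Constructed smb.conf fragment: the idmap lines quoted in the message,
# with the placeholder <domain> filled in as EXAMPLE (an assumed name).
SMB_CONF = """[global]
  idmap config * : backend = tdb
  idmap config * : range = 9000-9999
  idmap config EXAMPLE:default = yes
  idmap config EXAMPLE:backend = ad
  idmap config EXAMPLE:range = 10000-60000
  idmap config EXAMPLE:schema_mode = rfc2307
"""
# Constructed /etc/passwd lines: one local service account sits at uid 9500.
PASSWD = "root:x:0:0:root:/root:/bin/sh\nsvc:x:9500:9500::/var/svc:/sbin/nologin\n"

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom, {})[opt.lower()] = val
    return domains

def local_uids(passwd):
    """Set of uids from passwd-format lines (third colon-separated field)."""
    return {int(l.split(":")[2]) for l in passwd.splitlines() if l.count(":") >= 6}

def check_idmap(conf, passwd):
    """List problems as strings: a domain without a range, overlapping
    idmap ranges, or local uids that fall inside a winbind range."""
    problems, ranges = [], {}
    for dom, opts in parse_idmap(conf).items():
        if "range" not in opts:
            problems.append(f"{dom}: no range set")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        ranges[dom] = (lo, hi)
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(ranges.items(), 2):
        if alo <= bhi and blo <= ahi:
            problems.append(f"ranges for {a} and {b} overlap")
    for dom, (lo, hi) in ranges.items():
        hits = sorted(u for u in local_uids(passwd) if lo <= u <= hi)
        if hits:
            problems.append(f"{dom}: local uids {hits} fall inside {lo}-{hi}")
    return problems
```

Run check_idmap() against the real smb.conf text and the contents of /etc/passwd; an empty list means the ranges are disjoint and clear of local accounts.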
