On Wed, Jan 29, 2014 at 11:36:18AM +0000, Rowland Penny
wrote:> OK, I know understand that I should be running winbind and as I have
> always had problems setting it up, I thought that reading the
> manpage would probably be a good idea.
>
> Whilst reading it, I found this:
>
> Even if winbind is not used for nsswitch, it still provides a
> service to smbd, ntlm_auth and the pam_winbind.so PAM module, by
> managing connections to domain controllers. In this configuration
> the idmap config * : range parameter is not required. (This is known
> as `netlogon proxy only mode'.)
>
> So it would seem that I could just run the winbind daemon with
> minimal alterations to smb.conf and continue to use that program I
> must not mention.
>
> I then tried to find information on just what I need to add to
> smb.conf to make it work, you wouldn't believe how many copies of
> the winbind manpage there are out there, but nothing much on the
> netlogon proxy only mode.
>
> The only thing that I could find was when Volker seems to have
> created the mode back in 2004, so can anybody point me to
> documentation about this mode, so that I can try it.
There is not much around because there is not much to say.
If a Samba domain member is joined to a domain, just start
winbind. smbd will automatically use its services, the most
important being much more efficient authentiation due to
less domain controller connection setup overhead. If no
winbind is around, every smbd has to connect to the DC
itself. It's roughly 50 network packets versus just 2 (3 if
you count the TCP ack winbind sends to the DC after the
authentication).
With best regards,
Volker Lendecke
--
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de