This behavior can cause problems for Winbind if the domain uses DCs that are set up to restrict anonymous access, for example if the Windows administrator selected the "Permissions compatible with Windows 2000 servers only" option when adding the DC role to a Windows 2000 or Windows 2003 server. Although Winbind may be configured as recommended by Red Hat, the service may still fail to work properly because the DCs refuse to service anonymous requests.
If this option was chosen during DC setup, or if other security policy changes have been made to the DC afterwards (perhaps even by the installation of a Windows service pack), the DC will refuse to provide the user and group information requested by Winbind unless the service has been configured to authenticate itself with a valid domain user account. As noted above, Winbind uses anonymous connections until configured to do otherwise.
The --set-auth-user option of the wbinfo command can be used to set a domain user account and password for the Winbind service to use. The user account specified needs to exist on the domain, but any regular user account should suffice; it should not be necessary to specify a Domain Admin account unless security policies and/or user rights have been extensively modified on the DCs.
Many system administrators will create a user on the domain named winbind for the Winbind service to use, so that Winbind's activities can be monitored or audited on the DC. The example command shown below assumes such a user exists on the domain.
When running wbinfo --set-auth-user, it is not necessary to provide the password for the specified domain user on the command line. wbinfo will prompt for the user's password, and using the command in this manner prevents the password from being stored in the root user's command history:
# wbinfo --set-auth-user winbind
Password:
The username and password provided will be stored for future use. Care should be taken to type the user's password correctly when prompted, because no error message will be displayed if the password is entered incorrectly.
The command can be run again whenever necessary to change the username and/or password the Winbind service should use.
wbinfo --get-auth-user can be run to view the username and password currently set for the Winbind service:
# wbinfo --get-auth-user
TESTDOMAIN+winbind%thispassword
In the example output shown above, TESTDOMAIN is the example domain's "short" domain name, and the string following the percent symbol (thispassword in this example) is the password set for the winbind user.
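As an added check that is not part of the original article: the script below splits the --get-auth-user output into domain, user and password length (it never prints the password itself) and, where wbinfo is installed, confirms that Winbind can now enumerate domain users, since --set-auth-user itself reports nothing when the password is wrong. It assumes wbinfo is on PATH and that the "+" separator shown in the output above is the one in use.

```shell
#!/bin/sh
# Added example (not from the original article): verify the credential stored
# with `wbinfo --set-auth-user` without echoing the password. Assumes wbinfo is
# on PATH and that the "+" winbind separator shown in the article is in use.

# Split a "DOMAIN+user%password" line (the --get-auth-user format shown above)
# into "domain user password-length". Returns 1 if the line does not have that
# shape, for example when no auth user has been stored yet.
parse_auth_user() {
    line=$1
    case "$line" in
        *+*%*) ;;
        *) return 1 ;;
    esac
    domain=${line%%+*}          # text before the first "+"
    rest=${line#*+}
    user=${rest%%"%"*}          # text before the first "%"
    pass=${rest#*"%"}           # everything after it; never printed
    [ -n "$domain" ] && [ -n "$user" ] && [ -n "$pass" ] || return 1
    printf '%s %s %s\n' "$domain" "$user" "${#pass}"
}

# Report whether the stored credential actually lets Winbind query the DC.
check_winbind_auth() {
    stored=$(wbinfo --get-auth-user 2>/dev/null) || stored=""
    parsed=$(parse_auth_user "$stored") || {
        echo "no usable auth user stored; run: wbinfo --set-auth-user <user>"
        return 1
    }
    echo "stored credential: $parsed (domain user password-length)"
    # The password should only ever be typed at the prompt; a match here means
    # a --set-auth-user command with an inline password is in the history file.
    if grep -q -- '--set-auth-user [^ ]*%' "${HISTFILE:-$HOME/.bash_history}" 2>/dev/null; then
        echo "warning: a --set-auth-user command with an inline password is in the shell history"
    fi
    # --set-auth-user does not report a wrong password, so the real test is
    # whether the DC now answers a query that anonymous access may refuse.
    count=$(wbinfo -u 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "wbinfo -u returned $count domain users: the DC is answering Winbind"
    else
        echo "wbinfo -u returned nothing: check the stored password and DC policy"
        return 1
    fi
}

# Only run the live check where wbinfo exists; the parser works anywhere.
if command -v wbinfo >/dev/null 2>&1; then
    check_winbind_auth
fi
```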
For more information regarding Winbind and Samba configuration, we recommend the following sources of information:
The wbinfo man page, viewable by running the command man wbinfo.
The smb.conf man page, viewable by running the command man smb.conf.
The Samba documentation contained in /usr/share/doc/samba-