From bc06e06d34c4a5da1272e1f2eab3e00fe3d7a0d4 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 27 Jan 2002 05:37:23 +0000 Subject: merge from 2.2 and regenerate (This used to be commit 55c53ef08974947cf10a79882b63d6d8e8baad4c) --- docs/htmldocs/Samba-HOWTO-Collection.html | 1025 ++++------------------------- docs/htmldocs/UNIX_INSTALL.html | 18 +- docs/htmldocs/smb.conf.5.html | 120 +++- docs/htmldocs/winbind.html | 2 +- 4 files changed, 262 insertions(+), 903 deletions(-) (limited to 'docs/htmldocs') diff --git a/docs/htmldocs/Samba-HOWTO-Collection.html b/docs/htmldocs/Samba-HOWTO-Collection.html index 870b0ec6e8..5429e4da05 100644 --- a/docs/htmldocs/Samba-HOWTO-Collection.html +++ b/docs/htmldocs/Samba-HOWTO-Collection.html @@ -668,155 +668,101 @@ HREF="#AEN1602" >
9. Storing Samba's User/Machine Account information in an LDAP Directory
9.1. Purpose
9.2. Introduction
9.3. Supported LDAP Servers
9.4. Schema and Relationship to the RFC 2307 posixAccount
9.5. smb.conf LDAP parameters
9.6. Security and sambaAccount
9.7.
9.8. Example LDIF Entries for a sambaAccount
9.9. Comments
10. Unified Logons between Windows NT and UNIX using Winbind
10.1. 9.1. Abstract
10.2. 9.2. Introduction
10.3. 9.3. What Winbind Provides
10.3.1. 9.3.1. Target Uses
10.4. 9.4. How Winbind Works
10.4.1. 9.4.1. Microsoft Remote Procedure Calls
10.4.2. 9.4.2. Name Service Switch
10.4.3. 9.4.3. Pluggable Authentication Modules
10.4.4. 9.4.4. User and Group ID Allocation
10.4.5. 9.4.5. Result Caching
10.5. 9.5. Installation and Configuration
10.5.1. 9.5.1. Introduction
10.5.2. 9.5.2. Requirements
10.5.3. 9.5.3. Testing Things Out
10.5.3.1. 9.5.3.1. Configure and compile SAMBA
10.5.3.2. 9.5.3.2. Configure nsswitch.conf
10.5.3.3. 9.5.3.3. Configure smb.conf
10.5.3.4. 9.5.3.4. Join the SAMBA server to the PDC domain
10.5.3.5. 9.5.3.5. Start up the winbindd daemon and test it!
10.5.3.6. 9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files
10.5.3.7. 9.5.3.7. Configure Winbind and PAM
10.6. 9.6. Limitations
10.7. 9.7. Conclusion
11. 10. OS2 Client HOWTO
11.1. 10.1. FAQs
11.1.1. 10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?
11.1.2. 10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?
11.1.3. 10.1.3. Are there any other issues when OS/2 (any version) is used as a client?
11.1.4. 10.1.4. How do I get printer driver download working for OS/2 clients?
12. 11. HOWTO Access Samba source code via CVS
12.1. 11.1. Introduction
12.2. 11.2. CVS Access to samba.org
12.2.1. 11.2.1. Access via CVSweb
12.2.2. 11.2.2. Access via cvs
Index
1.6. Step 5: Starting the smbd and nmbd

You must choose to start smbd and nmbd either +>You must choose to start smbd and nmbd either as daemons or from inetd. Don't try +>. Don't try to do both! Either you can put them in inetd.conf and have them started on demand +> and have them started on demand by inetd /etc/rc.local. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start +>. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start Samba. In many cases you must be root.

The main advantage of starting nmbd as a daemon is that they will - respond slightly more quickly to an initial connection - request. This is, however, unlikely to be a problem.

using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.

Chapter 9. Storing Samba's User/Machine Account information in an LDAP Directory

9.1. Purpose

This document describes how to use an LDAP directory for storing Samba user -account information normally stored in the smbpasswd(5) file. It is -assumed that the reader already has a basic understanding of LDAP concepts -and has a working directory server already installed. For more information -on LDAP architectures and Directories, please refer to the following sites.

Note that O'Reilly Publishing is working on -a guide to LDAP for System Administrators which has a planned release date of -early summer, 2002.

It may also be helpful to supplement the reading of the HOWTO with -the Samba-PDC-LDAP-HOWTO -maintained by Ignacio Coupeau.

9.2. Introduction

Traditionally, when configuring "encrypt -passwords = yes" in Samba's smb.conf file, user account -information such as username, LM/NT password hashes, password change times, and account -flags have been stored in the smbpasswd(5) file. There are several -disadvantages to this approach for sites with very large numbers of users (counted -in the thousands).

The first is that all lookups must be performed sequentially. Given that -there are approximately two lookups per domain logon (one for a normal -session connection such as when mapping a network drive or printer), this -is non-optimal. What is needed is an indexed approach such as is used in -databases.

The second problem is that administrators who desired to replicate a -smbpasswd file to more than one Samba server were left to use external -tools such as rsync(1) and ssh(1) -and wrote custom, in-house scripts.

And finally, the amount of information which is stored in an -smbpasswd entry leaves no room for additional attributes such as -a home directory, password expiration time, or even a Relative -Identified (RID).

As a result of these defeciencies, a more robust means of storing user attributes -used by smbd was developed. The API which defines access to user accounts -is referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. --with-ldapsam or ---with-tdbsam) requires compile time support.

When compiling Samba to include the --with-ldapsam autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation.

There are a few points to stress about what the --with-ldapsam -does not provide. The LDAP support referred to in the this documentation does not -include:

  • A means of retrieving user account information from - an Windows 2000 Active Directory server.

  • A means of replacing /etc/passwd.

The second item can be accomplished by using LDAP NSS and PAM modules. LGPL -versions of these libraries can be obtained from PADL Software -(http://www.padl.com/). However, -the details of configuring these packages are beyond the scope of this document.

9.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP -2.0 server and client libraries. The same code should be able to work with -Netscape's Directory Server and client SDK. However, due to lack of testing -so far, there are bound to be compile errors and bugs. These should not be -hard to fix. If you are so inclined, please be sure to forward all patches to -samba-patches@samba.org and -jerry@samba.org.

9.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 2.2.3 includes the necessary schema file for OpenLDAP 2.0 in -examples/LDAP/samba.schema. (Note that this schema -file has been modified since the experimental support initially included -in 2.2.2). The sambaAccount objectclass is given here:

objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
-     DESC 'Samba Account'
-     MUST ( uid $ rid )
-     MAY  ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
-            logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
-            displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
-            description $ userWorkstations $ primaryGroupID ))

The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are -owned by the Samba Team and as such is legal to be openly published. -If you translate the schema to be used with Netscape DS, please -submit the modified schema file as a patch to jerry@samba.org

Just as the smbpasswd file is mean to store information which supplements a -user's /etc/passwd entry, so is the sambaAccount object -meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURAL objectclass so it can be stored individually -in the directory. However, there are several fields (e.g. uid) which overlap -with the posixAccount objectclass outlined in RFC2307. This is by design.

In order to store all user account information (UNIX and Samba) in the directory, -it is necessary to use the sambaAccount and posixAccount objectclasses in -combination. However, smbd will still obtain the user's UNIX account -information via the standard C library calls (e.g. getpwnam(), et. al.). -This means that the Samba server must also have the LDAP NSS library installed -and functioning correctly. This division of information makes it possible to -store all Samba account information in LDAP, but still maintain UNIX account -information in NIS while the network is transitioning to a full LDAP infrastructure.

To include support for the sambaAccount object in an OpenLDAP directory -server, first copy the samba.schema file to slapd's configuration directory.

root# cp samba.schema /etc/openldap/schema/

Next, include the samba.schema file in slapd.conf. -The sambaAccount object contains two attributes which depend upon other schema -files. The 'uid' attribute is defined in cosine.schema and -the 'displayName' attribute is defined in the inetorgperson.schema -file. Bother of these must be included before the samba.schema file.

## /etc/openldap/slapd.conf
-
-## schema files (core.schema is required by default)
-include	           /etc/openldap/schema/core.schema
-
-## needed for sambaAccount
-include            /etc/openldap/schema/cosine.schema
-include            /etc/openldap/schema/inetorgperson.schema
-include            /etc/openldap/schema/samba.schema
-
-## uncomment this line if you want to support the RFC2307 (NIS) schema
-## include         /etc/openldap/schema/nis.schema
-
-....

9.5. smb.conf LDAP parameters

The following parameters are available in smb.conf only with --with-ldapsam -was included with compiling Samba.

These are described in the smb.conf(5) man -page and so will not be repeated here. However, a sample smb.conf file for -use with an LDAP directory could appear as

## /usr/local/samba/lib/smb.conf
-[global]
-     security = user
-     encrypt passwords = yes
-
-     netbios name = TASHTEGO
-     workgroup = NARNIA
-
-     # ldap related parameters
-
-     # define the DN to use when binding to the directory servers
-     # The password for this DN is not stored in smb.conf.  Rather it
-     # must be set by using 'smbpasswd -w secretpw' to store the
-     # passphrase in the secrets.tdb file.  If the "ldap admin dn" values
-     # changes, this password will need to be reset.
-     ldap admin dn = "cn=Manager,dc=samba,dc=org"
-
-     #  specify the LDAP server's hostname (defaults to locahost)
-     ldap server = ahab.samba.org
-
-     # Define the SSL option when connecting to the directory
-     # ('off', 'start tls', or 'on' (default))
-     ldap ssl = start tls
-
-     # define the port to use in the LDAP session (defaults to 636 when
-     # "ldap ssl = on")
-     ldap port = 389
-
-     # specify the base DN to use when searching the directory
-     ldap suffix = "ou=people,dc=samba,dc=org"
-
-     # generally the default ldap search filter is ok
-     # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

9.6. Security and sambaAccount

There are two important points to remember when discussing the security -of sambaAccount entries in the directory.

  • Never retrieve the lmPassword or - ntPassword attribute values over an unencrypted LDAP session.

  • Never allow non-admin users to - view the lmPassword or ntPassword attribute values.

These password hashes are clear text equivalents and can be used to impersonate -the user without deriving the original clear text strings.

To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults -to require an encrypted session (ldap ssl = on) using -the default port of 636 -when contacting the directory server. When using an OpenLDAP 2.0 server, it -is possible to use the use the StartTLS LDAP extended operation in the place of -LDAPS. In either case, you are strongly discouraged to disable this security -(ldap ssl = off).

The second security precaution is to prevent non-administrative users from -harvesting password hashes from the directory. This can be done using the -following ACL in slapd.conf:

## allow users to update their own password, but not to browse others
-access to attrs=userPassword,lmPassword,ntPassword
-     by self write
-     by * auth

You may of course, add in write access to administrative DN's as necessary.

9.7.

There are currently four sambaAccount attributes which map directly onto -smb.conf parameters.

  • smbHome -> "logon home"

  • profilePath -> "logon path"

  • homeDrive -> "logon drive"

  • scriptPath -> "logon script"

First of all, these parameters are only used when Samba is acting as a -PDC or a domain (refer to the Samba-PDC-HOWTO -for details on how to configure Samba as a Primary Domain Controller). -Furthermore, these attributes are only stored with the sambaAccount entry if -the values are non-default values. For example, assume TASHTEGO has now been -configured as a PDC and that logon home = \\%L\%u was defined in -its smb.conf file. When a user named "becky" logons to the domain, -the logon home string is expanded to \\TASHTEGO\becky.

If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org", -this value is used. However, if this attribute does not exist, then the value -of the logon home parameter is used in its place. Samba -will only write the attribute value to the directory entry is the value is -something other than the default (e.g. \\MOBY\becky).

9.8. Example LDIF Entries for a sambaAccount

The following is a working LDIF with the inclusion of the posixAccount objectclass:

dn: uid=guest2, ou=people,dc=plainjoe,dc=org
-ntPassword: 878D8014606CDA29677A44EFA1353FC7
-pwdMustChange: 2147483647
-primaryGroupID: 1201
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-pwdLastSet: 1010179124
-logonTime: 0
-objectClass: sambaAccount
-uid: guest2
-kickoffTime: 2147483647
-acctFlags: [UX         ]
-logoffTime: 2147483647
-rid: 19006
-pwdCanChange: 0

The following is an LDIF entry for using both the sambaAccount and -posixAccount objectclasses:

dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
-logonTime: 0
-displayName: Gerald Carter
-lmPassword: 552902031BEDE9EFAAD3B435B51404EE
-primaryGroupID: 1201
-objectClass: posixAccount
-objectClass: sambaAccount
-acctFlags: [UX         ]
-userPassword: {crypt}BpM2ej8Rkzogo
-uid: gcarter
-uidNumber: 9000
-cn: Gerald Carter
-loginShell: /bin/bash
-logoffTime: 2147483647
-gidNumber: 100
-kickoffTime: 2147483647
-pwdLastSet: 1010179230
-rid: 19000
-homeDirectory: /home/tashtego/gcarter
-pwdCanChange: 0
-pwdMustChange: 2147483647
-ntPassword: 878D8014606CDA29677A44EFA1353FC7

9.9. Comments

Please mail all comments regarding this HOWTO to jerry@samba.org. This documents was -last updated to reflect the Samba 2.2.3 release.

Chapter 10. Unified Logons between Windows NT and UNIX using WinbindChapter 9. Unified Logons between Windows NT and UNIX using Winbind

10.1. Abstract9.1. Abstract

Integration of UNIX and Microsoft Windows NT through @@ -8599,8 +7864,8 @@ CLASS="SECT1" >

10.2. Introduction9.2. Introduction

It is well known that UNIX and Microsoft Windows NT have @@ -8653,8 +7918,8 @@ CLASS="SECT1" >

10.3. What Winbind Provides9.3. What Winbind Provides

Winbind unifies UNIX and Windows NT account management by @@ -8695,8 +7960,8 @@ CLASS="SECT2" >

10.3.1. Target Uses9.3.1. Target Uses

Winbind is targeted at organizations that have an @@ -8719,8 +7984,8 @@ CLASS="SECT1" >

10.4. How Winbind Works9.4. How Winbind Works

The winbind system is designed around a client/server @@ -8739,8 +8004,8 @@ CLASS="SECT2" >

10.4.1. Microsoft Remote Procedure Calls9.4.1. Microsoft Remote Procedure Calls

Over the last two years, efforts have been underway @@ -8765,8 +8030,8 @@ CLASS="SECT2" >

10.4.2. Name Service Switch9.4.2. Name Service Switch

The Name Service Switch, or NSS, is a feature that is @@ -8845,8 +8110,8 @@ CLASS="SECT2" >

10.4.3. Pluggable Authentication Modules9.4.3. Pluggable Authentication Modules

Pluggable Authentication Modules, also known as PAM, @@ -8894,8 +8159,8 @@ CLASS="SECT2" >

10.4.4. User and Group ID Allocation9.4.4. User and Group ID Allocation

When a user or group is created under Windows NT @@ -8920,8 +8185,8 @@ CLASS="SECT2" >

10.4.5. Result Caching9.4.5. Result Caching

An active system can generate a lot of user and group @@ -8943,8 +8208,8 @@ CLASS="SECT1" >

10.5. Installation and Configuration9.5. Installation and Configuration

Many thanks to John Trostel

10.5.1. Introduction9.5.1. Introduction

This HOWTO describes the procedures used to get winbind up and @@ -9013,8 +8278,8 @@ CLASS="SECT2" >

10.5.2. Requirements9.5.2. Requirements

If you have a samba configuration file that you are currently @@ -9071,8 +8336,8 @@ CLASS="SECT2" >

10.5.3. Testing Things Out9.5.3. Testing Things Out

Before starting, it is probably best to kill off all the SAMBA @@ -9116,8 +8381,8 @@ CLASS="SECT3" >

10.5.3.1. Configure and compile SAMBA9.5.3.1. Configure and compile SAMBA

The configuration and compilation of SAMBA is pretty straightforward. @@ -9191,8 +8456,8 @@ CLASS="SECT3" >

10.5.3.2. Configure 9.5.3.2. Configure nsswitch.conf and the @@ -9281,8 +8546,8 @@ CLASS="SECT3" >

10.5.3.3. Configure smb.conf9.5.3.3. Configure smb.conf

Several parameters are needed in the smb.conf file to control @@ -9365,8 +8630,8 @@ CLASS="SECT3" >

10.5.3.4. Join the SAMBA server to the PDC domain9.5.3.4. Join the SAMBA server to the PDC domain

Enter the following command to make the SAMBA server join the @@ -9411,8 +8676,8 @@ CLASS="SECT3" >

10.5.3.5. Start up the winbindd daemon and test it!9.5.3.5. Start up the winbindd daemon and test it!

Eventually, you will want to modify your smb startup script to @@ -9481,7 +8746,7 @@ CEO+TsInternetUserObviously, I have named my domain 'CEO' and my winbindd +>winbind separator is '+'.

10.5.3.6. Fix the 9.5.3.6. Fix the /etc/rc.d/init.d/smb startup files

10.5.3.7. Configure Winbind and PAM9.5.3.7. Configure Winbind and PAM

If you have made it this far, you know that winbindd and samba are working @@ -9904,8 +9169,8 @@ CLASS="SECT1" >

10.6. Limitations9.6. Limitations

Winbind has a number of limitations in its current @@ -9945,8 +9210,8 @@ CLASS="SECT1" >

10.7. Conclusion9.7. Conclusion

The winbind system, through the use of the Name Service @@ -9962,23 +9227,23 @@ CLASS="CHAPTER" >

Chapter 11. OS2 Client HOWTOChapter 10. OS2 Client HOWTO

11.1. FAQs10.1. FAQs

11.1.1. How can I configure OS/2 Warp Connect or +NAME="AEN1965" +>10.1.1. How can I configure OS/2 Warp Connect or OS/2 Warp 4 as a client for Samba?

11.1.2. How can I configure OS/2 Warp 3 (not Connect), +NAME="AEN1980" +>10.1.2. How can I configure OS/2 Warp 3 (not Connect), OS/2 1.2, 1.3 or 2.x for Samba?

11.1.3. Are there any other issues when OS/2 (any version) +NAME="AEN1989" +>10.1.3. Are there any other issues when OS/2 (any version) is used as a client?

11.1.4. How do I get printer driver download working +NAME="AEN1993" +>10.1.4. How do I get printer driver download working for OS/2 clients?

Chapter 12. HOWTO Access Samba source code via CVSChapter 11. HOWTO Access Samba source code via CVS

12.1. Introduction11.1. Introduction

Samba is developed in an open environment. Developers use CVS @@ -10189,8 +9454,8 @@ CLASS="SECT1" >

12.2. CVS Access to samba.org11.2. CVS Access to samba.org

The machine samba.org runs a publicly accessible CVS @@ -10202,8 +9467,8 @@ CLASS="SECT2" >

12.2.1. Access via CVSweb11.2.1. Access via CVSweb

You can access the source code via your @@ -10223,8 +9488,8 @@ CLASS="SECT2" >

12.2.2. Access via cvs11.2.2. Access via cvs

You can also access the source code via a @@ -10329,7 +9594,7 @@ CLASS="COMMAND" >

Index

Step 5: Starting the smbd and nmbd

You must choose to start smbd and nmbd either +>You must choose to start smbd and nmbd either as daemons or from inetd. Don't try +>. Don't try to do both! Either you can put them in inetd.conf and have them started on demand +> and have them started on demand by inetd /etc/rc.local. See the man pages for details - on the command line options. Take particular care to read - the bit about what user you need to be in order to start +>. See the man pages for details + on the command line options. Take particular care to read + the bit about what user you need to be in order to start Samba. In many cases you must be root.

The main advantage of starting nmbd as a daemon is that they will - respond slightly more quickly to an initial connection - request. This is, however, unlikely to be a problem.

using the recommended daemon method + is that they will respond slightly more quickly to an initial connection + request.

parameters in this section apply to the server as a whole, or are defaults for sections which do not - specifically define certain items. See the notes + specifically define certain items. See the notes under PARAMETERS for more information.

A similar process occurs if the requested section name is "homes", except that the share name is not - changed to that of the requesting user. This method of using + changed to that of the requesting user. This method of using the [homes] section works well if different users share a client PC.

When a connection request is made, the existing sections are scanned. If a match is found, it is used. If no match is found, but a [homes] section exists, it is used as described - above. Otherwise, the requested section name is treated as a + above. Otherwise, the requested section name is treated as a printer name and the appropriate printcap file is scanned to see if the requested section name is a valid printer share name. If a match is found, a new printer share is created by cloning @@ -493,7 +493,7 @@ NAME="AEN102" the default behavior for all services.

parameters are arranged here in alphabetical order - this may - not create best bedfellows, but at least you can find them! Where + not create best bedfellows, but at least you can find them! Where there are synonyms, the preferred synonym is described, others refer to the preferred synonym.

  • unix extensions

  • COMPLETE LIST OF SERVICE PARAMETERS

  • default devmode

  • EXPLANATION OF EACH PARAMETER

    • default devmode (S)

    This parameter is only applicable to printable services. When smbd is serving + Printer Drivers to Windows NT/2k/XP clients, each printer on the Samba + server has a Device Mode which defines things such as paper size and + orientation and duplex settings. The device mode can only correctly be + generated by the printer driver itself (which can only be executed on a + Win32 platform). Because smbd is unable to execute the driver code + to generate the device mode, the default behavior is to set this field + to NULL. +

    Most problems with serving printer drivers to Windows NT/2k/XP clients + can be traced to a problem with the generated device mode. Certain drivers + will do things such as crashing the client's Explorer.exe with a NULL devmode. + However, other printer drivers can cause the client's spooler service + (spoolsv.exe) to die if the devmode was not created by the driver itself + (i.e. smbd generates a default devmode). +

    This parameter should be used with care and tested with the printer + driver in question. It is better to leave the device mode to NULL + and let the Windows client set the correct values. Because drivers do not + do this all the time, setting default devmode = yes + will instruct smbd to generate a default one. +

    For more information on Windows NT/2k printing and Device Modes, + see the MSDN documentation. +

    Default: default devmode = no

    default service (G)

    This parameter specifies the name of a service - which will be connected to if the service actually requested cannot +>This parameter specifies the name of a service + which will be connected to if the service actually requested cannot be found. Note that the square brackets are NOT +> given in the parameter value (see example below).

    There is no default value for this parameter. If this @@ -17684,6 +17759,25 @@ CLASS="COMMAND" >

    unix extensions(G)

    This boolean parameter controls whether Samba + implments the CIFS UNIX extensions, as defined by HP. These + extensions enable CIFS to server UNIX clients to UNIX servers + better, and allow such things as symbolic links, hard links etc. + These extensions require a similarly enabled client, and are of + no current use to Windows clients.

    Default: unix extensions = no

    unix password sync (G)

    WARNINGS

    VERSION

    SEE ALSO

    AUTHOR

    Obviously, I have named my domain 'CEO' and my winbindd +>winbind separator is '+'.