Samba package 4.9.x samba smbd not playing with winbind.

Rowland Penny rpenny at
Mon Dec 3 13:20:05 UTC 2018

On Mon, 3 Dec 2018 13:52:12 +0100
"L.P.H. van Belle via samba-technical"
<samba-technical at> wrote:

> Hai,
> If I may say.. based on what I've seen, and I'm only talking
> debian/ubuntu systems. I don't run any RH/Centos.
> If samba is installed without winbind
> smbd starts but gets the unable to find Guest message.
> If samba and winbind are installed together, the installer tries to
> start winbind before smbd. And the installer fails, basically because
> of the same error.
> What I suspect are 1 or 2 things causing these, I've not figured this
> out yet. But I'm not a dev like you guys.
> The changes in samba-ad-dc are inherited in samba (smbd/nmbd/winbind).
> And since samba-ad-dc is starting winbind, I suspect a relation here.
> I've seen some bugs for ID_BOTH are getting addressed now (for
> BUILTIN & NT Authority). I saw a few e-mails on technical about this,
> I don't know the state of them.
> Due to above samba fails to start since it's unable to resolve the
> "nobody/nogroup" id's. This is why I added the changes to smb.conf.
> If one is running a setup with the parameters already enabled, then
> you don't see problems and no changes are done. This is not seen when
> you run a member or AD DC server, since these already use the idmap
> settings.
> If you install a new server, then it's (in my opinion) better to
> "See" what changed than adding the group mapping in the background.
> And especially when it's a workaround.
> In Alexander Bokovoy's install example, it shows:
> idmap config * : backend = tdb
> This is why it starts without problems for him. 

The problem is, he doesn't need to add it, it is one of the default

> Should we enable the tdb backend by default these days, and if that's
> the case, should this not be one of the new defaults in smb.conf? So
> @Andreas Hasenack, the install you tried, can you add only the line:
> idmap config * : backend = tdb
> And rerun the install.

Louis, have you tried a fresh install with your 4.9.3 packages?
you now, by default, get the two '*' domain lines

> >> is this maybe the relevant change? Using the presence of a running
> >> winbind to make this decision of where to allocate the BUILTIN
> >> guests group, instead of settings smb.conf?

I think this may be a side effect of the changes made in 4.8.0, where a
domain member now requires a running winbind. Could it be that on a
standalone server, because 'Guest' isn't mapped by smbd (because it
doesn't have the required settings), it tries to get this info from the
running winbind and fails because it isn't a domain member?


