Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at
Tue Sep 25 12:37:18 UTC 2018

On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> Hello Alexander.
> Thank you for your reply also.. 
> I had to push off Rowland first..   ;-) 
> > There is a change 0b261dc4e3f2 in 4.9 that requires to have 
> > BUILTIN\Guests group always
> > to be mapped. We would map it automatically if our default 
> > idmap backend
> > is writable but if both group mapping and allocating IDs in a default
> > backend failed, we fail hard.
> Isn't it an option to add something like
> If "server role" = "standalone" then 
> 	Deal with the COMPUTERNAME\Guests
> 	And not BUILTIN\Guests 
> I know the following. 
> A domain joined member has BUILTIN\
> Not domain joined server has COMPUTERNAME\
> Not domain joined client (win7/win10) has COMPUTERNAME\
> Samba Stand Alone (server/client) uses COMPUTERNAME ( at least should )
> But again I'm not a dev, I just hope this helps you guys fixing it.
> Do note,
> This is in my opinion a major problem, because of the risk that smbd stops running.

The behavior with failing when idmap configuration is incorrect was
first introduced in 4.6.0:

ID Mapping

We discovered that the majority of users have an invalid or incorrect
ID mapping configuration. We implemented checks in the 'testparm' tool to
validate the ID mapping configuration. You should run it and check if it prints
any warnings or errors after upgrading! If it does you should fix them. See the
'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.

There are some ID mapping backends which are not allowed to be used for the
default backend. Winbind will no longer start if an invalid backend is
configured as the default backend.

With 4.8.0 we demand a working winbindd for 'security = domain|ads':

Domain member setups require winbindd

Setups with "security = domain" or "security = ads" require a
running 'winbindd' now. The fallback that smbd directly contacts
domain controllers is gone.

With 4.9.0 we expanded guest handling to differentiate between anonymous
and guest sessions. This required proper handling of BUILTIN\Guests and
thus it is now forced to be able to have either a writable backend or aliases
configured properly.

Question is mostly what defaults we should have for BUILTIN\Guests.
Perhaps, we should always do the groupmap rule I added...

/ Alexander Bokovoy
