[Samba] Clarification on the appropriate idmap settings for a standalone server

Rowland Penny rowlandpenny at googlemail.com
Sat Nov 15 10:52:55 MST 2014


On 15/11/14 16:27, Andrew Walker wrote:
> I am trying to increase my understanding of samba. I am running a FreeBSD
> server with Samba 4.1.12 configured as a standalone server in a testing
> environment.
>
> The documentation here indicates that winbind / the idmap facility is of
> little or no use on a standalone server:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604490
>
> Is this still the case in Samba4?
>
> My curiosity was piqued because I keep getting the following error message
> "winbindd: sam_rids_to_names: possible deadlock - trying to lookup SID
> [SID]".
>
> My server has the following parameters in [global] in the smb.conf (which
> was default for the appliance):
>
> [global]
>      server max protocol = SMB2_24
>      encrypt passwords = yes
>      dns proxy = no
>      strict locking = no
>      oplocks = yes
>      deadtime = 15
>      max log size = 51200
>      max open files = 11070
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>      getwd cache = yes
>      guest account = nobody
>      map to guest = Bad User
>      obey pam restrictions = Yes
>      directory name cache size = 0
>      kernel change notify = no
>      panic action = /usr/local/libexec/samba/samba-backtrace
>      server string = Samba Server
>      unix extensions = no
>      acl allow execute always = true
>      local master = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 90000000-100000000
>      server role = standalone
>      netbios name = C_GRINDER
>      workgroup = WORKGROUP
>      security = user
>      pid directory = /var/run/samba
>      smb passwd file = /var/etc/private/smbpasswd
>      private dir = /var/etc/private
>      create mask = 0666
>      directory mask = 0777
>      client ntlmv2 auth = yes
>      dos charset = CP437
>      unix charset = UTF-8
>      log level = 1

Hi, if you are running Samba as a standalone server, it is just as if
the Unix machine is a standalone Windows machine. This means that your
Windows users have to exist on the Unix computer with the same password,
the same goes for groups. There is nothing for winbind to pull from, so
there is no need to use it or any of the winbind lines in Samba, this
includes the idmap lines. You can, however, map Windows groups to Unix
groups with the 'net groupadd' command.

Rowland
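
A check for the situation discussed in this thread, as an added example that is not part of the original messages: it reads the [global] section of an smb.conf and, when the server role is standalone, lists the idmap and winbind parameters that the reply describes as unnecessary. The function names and the sample configuration are constructed for illustration, and the name normalisation is a simplification of how Samba matches parameter names.

```python
import re

# Constructed sample, shortened from the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    server role = standalone
    security = user
    workgroup = WORKGROUP
    idmap config *:backend = tdb
    idmap config *:range = 90000000-100000000
    ; winbind use default domain = yes
    map to guest = Bad User
[share]
    path = /srv/share
"""

def parse_global(text):
    """Return [(line_number, normalised_name, value)] for the [global] section."""
    params, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Simplification: lower-case the name and collapse runs of whitespace.
            name = " ".join(name.lower().split())
            params.append((lineno, name, value.strip()))
    return params

def idmap_lines_on_standalone(text):
    """List (line_number, name) of idmap/winbind parameters if the role is standalone."""
    params = parse_global(text)
    roles = [value.lower() for _, name, value in params if name == "server role"]
    if not roles or roles[-1] != "standalone":   # the last assignment wins
        return []
    return [(ln, name) for ln, name, _ in params
            if name.startswith(("idmap ", "winbind "))]

if __name__ == "__main__":
    for lineno, name in idmap_lines_on_standalone(SAMPLE_SMB_CONF):
        print(f"line {lineno}: '{name}' is set on a standalone server")
```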


