[Samba] Winbind issue after upgrading from 4.7.5 to 4.8.3

Rowland Penny rpenny at samba.org
Tue Aug 7 16:46:50 UTC 2018

On Tue, 7 Aug 2018 12:53:23 +0200
Miguel Sanders via samba <samba at lists.samba.org> wrote:

> Hi
> This is the global section of smb.conf.
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN.COM
>          netbios name = SAMBA
>          security = ads
>          clustering = yes
>          idmap config * : backend = tdb2
>          idmap config * : range = 30000-50000
>          passdb backend = tdbsam
>          ctdbd socket = /usr/samba/var/run/ctdb/ctdbd.socket
>          winbind separator = +
>          unix extensions = no
>          follow symlinks = yes
>          wide links = yes
>          log level = 2
>          log file = /usr/samba/var/log/log.%m
>          max log size = 500
> I understand your point but this has been the setup for many years
> now (this XYZ Linux user is in fact an LDAP user (not AD)) without
> any issue. We also have other UNIX distributions and therefore we
> have a dedicated LDAP infrastructure for them (hosting users, groups,
> services, sudo roles, ...)

You are using 'security = ads', so I would expect your machine to be a
Unix domain member and joined to the 'DOMAIN' domain.
This means that every one of your AD users is capable of being a
Unix user.
(note if you are using this smb.conf against an LDAP server, I
am not surprised you are having problems)

You are putting all users into the '*' domain, this is usually only
used for the well known SIDs.

> Moreover in the past you always had to specify the domain when
> running NSS queries

You still have to, unless 'winbind use default domain = yes' is set
in smb.conf

> f.e.
> uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)
> This doesn't seem to be needed anymore and is therefore the root
> cause of this I believe.

You set the search order in /etc/nsswitch.conf. This will search for a
user in the order set in the 'passwd' line, the search order will
usually be 'files winbind' (note: files may be 'compat'), this means
that your user will be searched for in /etc/passwd and then, if not
found, in AD. So this means that if user 'XYZ' exists in /etc/passwd,
this user will be used and the AD user ignored, but only on the Unix

> Can this be configured somehow or, if not, any pointer to the source 
> file where I could have a look at?

As to configuring it correctly, then, yes this is possible, you just
need to configure smb.conf to match your setup. If you are using an
ldap backend, then you need to use 'security = user' and configure
around that. If it is a Unix domain member, then you need to configure
it as Unix domain member and use your users from AD.
