[Samba] Users created in last few years cannot login after 4.7 -> 4.8 + winbind

Rowland Penny rpenny at samba.org
Wed Jan 9 15:06:58 UTC 2019

On Wed, 9 Jan 2019 09:42:49 -0500 (EST)
Paul Raines <raines at nmr.mgh.harvard.edu> wrote:

> I think that is fair to say about my old accounts where names and IDs
> do not match.  But the crazy thing is it is those accounts which work
> fine and it is the new accounts where I did make the names and IDs
> match where things do not work!
> I am still confused about the supplemental groups thing.  Are you
> saying Samba will not support a mode where 'security = ads' for
> authentication against AD but there are groups defined "locally" (and
> not in AD) that can be used in smb.conf for things like 'valid users'
> and 'force group'?

Yes, because they are local groups
> Does using 'security = ads' actually REQUIRE that winbind also be used
> in NIS (nsswitch.conf/pam) now?


> I have tried 'security = domain' as the smb.conf man page mostly
> describes this as what I want but using this always results in
> Checking NTLMSSP password for MYDOMAIN\user failed:

Your Domain controller is Active Directory, 'security = domain' is
meant to be used with a NT4-style Primary Domain Controller (PDC)

> for any user login without winbind running.  When I run winbind,
> winbind hangs and can only be killed by a kill -9 signal. Even
> 'wbinfo --own-domain' just hangs forever.  Runing winbind in the
> foreground with -d 10 it seems to be constantly trying to connect to
> the DC and failing with
> Connecting to at port 445
> fcntl_lock 25 6 0 1 0
> fcntl_lock: fcntl lock gave errno 11 (Resource temporarily
> unavailable) fcntl_lock: lock failed at offset 0 count 1 op 6 type 0
> (Resource temporarily unavailable)

Is the computer joined to the domain ?

I think you need to accept that what you are trying to do will never
work correctly, if at all. If you do, somehow, manage to get it
working, it will be a nightmare to administrate.

You need to amalgamate all users into AD, renaming some it would
seem, recreate the ownership of everything you have with the new
You will then be able to use the rfc2307 attributes that are standard
in AD with your Unix domain members etc. If you don't want to add
anything to AD, use the winbind 'rid' backend.

When 'corporate' complains that this is going to cost a lot of time
and money, just tell them it is all their fault, they should have
thought of this before they started, but then, what do you expect
from a University, they do not live in the real world.


More information about the samba mailing list