[Samba] Samba forces domain members to use winbind now

Vaughan, Robert J vaughar2 at gdls.com
Fri Mar 4 17:43:52 UTC 2022

Before the winbind requirement, our Samba (ads member) worked I suppose something along these lines ..

Windows user authenticated by AD and then DOMAIN\user reduced to 'user' by Samba and found a match in our UNIX LDAP (via nsswitch sss or ldap entry) because we have all our Samba users setup in our UNIX LDAP with the same (matching) userid to get the UNIX uid and gid info

Now we must use winbind to authenticate with AD and winbind needs to be configured as to how it gets the UNIX uid/gid info (either by generating them, or looking them up in some backend facility)

So I want to use our UNIX LDAP as that backend facility

It seems to work fairly well with a config like this ..

        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config XXX : backend = nss
        idmap config XXX : range = 400-199999

but I have seen where a test user (and me too) who could map a share one day be unable to map it the next with this error ..

create_connection_session_info: user 'my userid' (from session setup) not permitted to access this share

If I stop smb and winbind at that point, delete tdb files, restart smb and winbind it starts working again

So I feel like I am close to something that works for us


This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information.  No one else may read, print, store, copy, forward or act in reliance on it or its attachments.  If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.

More information about the samba mailing list