[Samba] Samba 4 without winbind

Shannon Price pricesw at auburn.edu
Sat Sep 17 15:17:58 UTC 2022


We have supported our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have had Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary, and we couldn't get our NIS groups to work when we did that, even trying to monkey with nsswitch.conf using nis for groups.

The problem now is only that I have full access to everything with unqualified names (\\SERVER\homes works), but FQDN (\\server.domain.edu\homes) doesn't work, and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.

Logs with FQDN:
[2022/09/17 08:40:16.941558,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300,  2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)

Logs without FQDN:
  131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
[2022/09/17 10:15:38.595009,  0] ../../source3/param/loadparm.c:3358(process_usershare_file)


Smb.conf

[global]
        # workgroup and naming
        workgroup = DOMAIN
        netbios name = SAMBASERVERNAME

        # server settings
        interfaces = MY IP ADDRESS
        bind interfaces only = yes
        deadtime = 15
        strict locking = no

        # disable server ntlmv1 support
        # require ntlmv2.1 or higher (windows 7 and up)
        server min protocol = SMB2_10
        client max protocol = SMB3
        client min protocol = SMB2_10

        security = ads
        password server = KERBEROS SERVER
        passdb backend = tdbsam
        realm = DOMAIN.EDU
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999


        # browsing settings
        domain master = no
        local master = no
        preferred master = no


--
Shannon Price
College of Engineering
Auburn University
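
A small triage helper for the log excerpts above, added as an example and not part of the original post: it pairs each Samba log header with its indented message lines, then reports when smbd asked for winbindd and which logons failed. The function names are hypothetical, and the sample input is the FQDN excerpt from the post.

```python
import re
from collections import Counter

# Header of a Samba log record: "[timestamp, level] source.c:line(function)".
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
AUTH_FAIL = re.compile(r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
                       r"FAILED with error (?P<status>NT_STATUS_\w+)")

# FQDN excerpt copied from the post (the last record has no message line there).
SAMPLE = """\
[2022/09/17 08:40:16.941558,  0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
  check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204,  2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300,  2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
"""

def parse_records(text):
    """Join each header with the indented message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and raw[:1] in (" ", "\t"):
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def summarize(records):
    """Report when smbd asked for winbindd and which logons failed, per user."""
    winbind = [r["ts"] for r in records
               if r["func"] == "check_winbind_security"
               and "winbindd not running" in r["msg"]]
    failures = Counter()
    for r in records:
        m = AUTH_FAIL.search(r["msg"])
        if m:
            failures[(m["user"], m["status"])] += 1
    return {"winbind_required": winbind, "auth_failures": dict(failures)}

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```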

