[Samba] Samba 4 without winbind

Andrew Bartlett abartlet at samba.org
Sun Sep 18 09:16:01 UTC 2022

On Sat, 2022-09-17 at 15:17 +0000, Shannon Price via samba wrote:
> We have supported our Windows clients via Samba since the 1990s. Our main
> infrastructure is NIS/NFS to support our servers and Linux clients.
> We have had Samba using ADS for authentication for many years, but our
> users and groups still come from NIS. Our last Samba server is
> running on Ubuntu 18 (Samba 4.7.6) and is rock solid using
> smbd/nmbd.  Our newest Samba server is running on Ubuntu 20.04 (Samba
> 4.11.6 - we found severe problems with the current versions: 
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342
>  and have pinned Samba at 4.11.6 for now).  We're running it the same
> way we always have - the machine is ADS joined (net join ads ....). I
> experimented with winbind for quite a while, but we don't need AD
> groups or user attributes, so it seems unnecessary and we couldn't
> get our NIS groups to work when we did that even trying to monkey
> with nsswitch.conf using nis for groups.
> The problem now is only that I have full access to everything with
> unqualified names (\\SERVER\homes <file://SERVER/homes> works), but
> FQDN (\\server.domain.edu\homes <file://server.domain.edu/homes>)
> doesn't work and the debug logs show that Samba wants winbind
> whenever I talk to the server with FQDN.
> Logs with FQDN:
> [2022/09/17 08:40:16.941558,  0]
> ../../source3/auth/auth_winbind.c:120(check_winbind_security)
>   check_winbind_security: winbindd not running - but required as
> [2022/09/17 08:40:16.943204,  2]
> ../../source3/auth/auth.c:343(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [USERNAME] ->
> authoritative=1
> [2022/09/17 08:40:16.943300,  2]
> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> Logs without FQDN:
> (ipv4: connect to service
> USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
> [2022/09/17 10:15:38.595009,  0]
> ../../source3/param/loadparm.c:3358(process_usershare_file)

What you do is still possible, perhaps with some work (see the Nov 2021
security guidance as you have not applied those patches).

Just run winbindd but don't configure it in the smb.conf.  

We recognise that for some the authentication is via AD but the
authorization is via other methods specified in nsswitch.conf, and we
now have tests specifically aimed at this.

Andrew Bartlett
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
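
A check for the setup discussed in this thread, as an added example that is not part of the original message or of Samba's own tooling. It assumes that "not configured in smb.conf" means no winbind or idmap parameters are set, and that the passwd and group databases in nsswitch.conf should not list winbind when accounts come from NIS; the sample files are constructed.

```python
import re

# Constructed sample files (not from the thread): AD-joined member server,
# users and groups from NIS, no winbind settings.
SMB_CONF = """\
[global]
   security = ads
   realm = DOMAIN.EDU
   workgroup = DOMAIN
   # idmap config * : backend = tdb   (commented out, ignored)
[homes]
   read only = no
"""
NSSWITCH = """\
passwd: files nis
group:  files nis
hosts:  files dns
"""

def winbind_params(smb_conf):
    """Return smb.conf parameter names that configure winbind or idmap."""
    found = []
    for line in smb_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or not a parameter
        name = " ".join(line.split("=", 1)[0].lower().split())
        if name.startswith(("winbind", "idmap")):
            found.append(name)
    return found

def nss_sources(nsswitch, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0]
        m = re.match(rf"\s*{database}\s*:(.*)", line)
        if m:  # drop action items such as [NOTFOUND=return]
            return [s for s in m.group(1).split() if not s.startswith("[")]
    return []

def check(smb_conf, nsswitch):
    """List deviations from 'winbindd runs, but NIS stays the account source'."""
    problems = [f"smb.conf sets '{p}'" for p in winbind_params(smb_conf)]
    for db in ("passwd", "group"):
        if "winbind" in nss_sources(nsswitch, db):
            problems.append(f"nsswitch.conf {db} uses winbind")
    return problems

if __name__ == "__main__":
    print(check(SMB_CONF, NSSWITCH) or "no winbind configuration found")
```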
