[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running

Rowland Penny rpenny at samba.org
Fri Feb 17 22:28:31 UTC 2023



On 17/02/2023 22:09, Bob Green via samba wrote:
> I need a CIFS server to provide access to Linux files to Windows clients. I
> am able to accomplish this on SLES12 SP5, running kernel-4.12.14, with
> samba 4.10.5 using the following smb.conf

I am surprised this worked with Samba 4.10.x.

> 
> [global]
>          dedicated keytab file = /etc/samba/samba.keytab
>          domain master = No
>          kerberos method = dedicated keytab
>          load printers = No
>          local master = No
>          ntlm auth = disabled
>          os level = 0
>          preferred master = No
>          printcap name = /dev/null
>          realm = AD.DOMAIN.COM
>          security = ADS
>          show add printer wizard = No
>          unix extensions = No
>          workgroup = AD
>          idmap config * : backend = tdb
>          include = /etc/samba/smb.conf.shares
>          inherit permissions = Yes
>          invalid users = daemon root
> 
> Winbind is not being run in this setup.

The need for winbind when Samba is run with 'security = ADS' in smb.conf 
came in at 4.8.0.

> Clients connect via kerberos
> authentication, and the data users can access is enforced by extended group
> file permissions, which the samba servers are configured to see via
> nsswitch.conf. The group information (gidnumber) does not exist in AD.
> samba.keytab contains cifs service principals for every samba server in a
> DNS cluster so that connecting via smbclient --use-krb5-ccache=KCM:1000 can
> be done against both the DNS round robin alias //samba.ad.domain.com as
> well as against each individual samba server in the DNS RR cluster e.g
> //samba_node_1 and //samba_node_2, etc.
> 
> The above breaks when I try to move to SLES15 SP4, kernel 5.14.21,
> samba-4.15.8.
> 
> Apparently winbind is required to be running.  Once winbind is running,
> samba reports failing to convert SID XXXXX to a UID.  It seems samba is
> unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.

Well it wouldn't, you need to add the 'idmap config' lines to your 
smb.conf, so winbind knows what to map the Windows users to.

> 
> What smb.conf parameters should I consider in order to get samba-4.15.8
> working in a similar fashion as samba-4.10.5 on sles12sp5?

Start by reading this:

https://wiki.samba.org/index.php/Idmap_config_rid

Though other idmap backends are available.

Rowland
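As an added illustration (not code from this thread or from the Samba project), a small Python check that parses the [global] section of an smb.conf and reports which 'idmap config' lines winbind would still be missing for the workgroup domain when 'security = ADS' is set; the two sample configs and the ID ranges in FIXED are constructed example values following the Idmap_config_rid wiki page, not values taken from the thread.

```python
import re

# Constructed samples (not the poster's full file): the [global] lines that
# matter from the thread, without and with the per-domain idmap config that
# winbind needs. The ranges are assumed example values, not from the thread.
BROKEN = """\
[global]
    security = ADS
    workgroup = AD
    realm = AD.DOMAIN.COM
    idmap config * : backend = tdb
"""
FIXED = BROKEN + """\
    idmap config * : range = 3000-7999
    idmap config AD : backend = rid
    idmap config AD : range = 10000-999999
"""

def parse_global(text):
    """Return the [global] parameters as {normalised lowercase key: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both smb.conf comment styles
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def _range(params, key):
    """Parse an 'idmap config ... : range = LOW-HIGH' value into two ints."""
    lo, hi = params[key].split("-")
    return int(lo), int(hi)

def idmap_problems(params):
    """List what winbind would be missing for the 'workgroup' domain under security = ADS."""
    if params.get("security", "").lower() != "ads":
        return []                                 # only AD domain members need this
    dom = params.get("workgroup", "").lower()
    needed = ["idmap config * : range",
              f"idmap config {dom} : backend", f"idmap config {dom} : range"]
    problems = [f"missing '{k}'" for k in needed if k not in params]
    if not problems:                              # both ranges present: they must not overlap
        (dlo, dhi), (lo, hi) = _range(params, needed[0]), _range(params, needed[2])
        if lo <= dhi and dlo <= hi:
            problems.append("domain range overlaps the '*' default range")
    return problems
```

Running idmap_problems(parse_global(BROKEN)) names the three missing lines, while the FIXED sample returns an empty list; this does not replace testparm, which validates the whole file.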
