[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running

Bob Green wood.green.robert at gmail.com
Sat Feb 18 00:20:13 UTC 2023

On Fri, Feb 17, 2023 at 2:29 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On 17/02/2023 22:09, Bob Green via samba wrote:
> > Apparently winbind is required to be running.  Once winbind is running,
> > samba reports failing to convert SID XXXXX to a UID.  It seems samba is
> > unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.
> Well it wouldn't, you need to add the 'idmap config' lines to your
> smb.conf , so winbind knows what to map the Windows users to.
> > What smb.conf parameters should I consider in order to get samba-4.15.8
> > working in a similar fashion as samba-4.10.5 on sles12sp5?
> Start by reading this:
> https://wiki.samba.org/index.php/Idmap_config_rid
> Though other idmap backends are available.

idmap config rid will map my SID to a UID, but it's a different UID
than what "getent passwd $USER" reports on the samba server. In my
scenario most files being served by samba are created by Linux
accounts, whose Linux group IDs are not rationalized in AD. I was
hoping idmap_nss might "offload/ignore" the SID information, and that
samba could simply map the Kerberos principal name in the
authentication to what the samba server OS knows about the matching
account name including extended group membership, perhaps similar to
how openssh or some other kerberized application might try to map a
principal name to a local account.

Can I configure samba to allow kerberized authentications while not
having it attempt to do any uid or gid mapping?  Perhaps I should try
security = user or security = domain?
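For readers following this thread, here is an added smb.conf fragment (not part of the original posts) that contrasts the two idmap backends discussed above: the rid backend, which computes a UID from the SID's RID and so produces IDs that differ from what `getent passwd` returns for a local account, and the nss backend, which resolves the SID to a name through winbind and then takes the UID/GID from the server's own NSS (local files, LDAP, etc.), keeping the local group membership intact. The domain name MYDOM, the realm, and the ranges are placeholder values; the range for the nss backend must cover the UIDs/GIDs your local accounts actually have, and both backends need winbind running. Kerberos authentication against AD requires `security = ads`.

```ini
[global]
    workgroup = MYDOM                 ; placeholder NetBIOS domain name
    realm = MYDOM.EXAMPLE.COM         ; placeholder Kerberos realm
    security = ads                    ; required for Kerberos/AD member authentication
    kerberos method = secrets and keytab

    ; Default backend for BUILTIN and any domain not listed below.
    ; The '*' range must not overlap any domain range.
    idmap config * : backend = tdb
    idmap config * : range = 3000000-3999999

    ; --- Option A: rid backend (what the wiki page above describes) ---
    ; UID = range_low + RID. Deterministic, but unrelated to the UIDs
    ; already assigned to local Linux accounts, so files owned by those
    ; accounts will not match the mapped IDs.
    ;idmap config MYDOM : backend = rid
    ;idmap config MYDOM : range = 10000-999999

    ; --- Option B: nss backend (the behaviour asked about above) ---
    ; SID -> account name via winbind, then name -> uid/gid via the
    ; server's NSS (getpwnam/getgrnam), so existing local IDs and
    ; supplementary groups are reused. The range is still mandatory
    ; and must enclose the local IDs; IDs outside it fail to map.
    idmap config MYDOM : backend = nss
    idmap config MYDOM : range = 1000-299999
```

After editing, run `testparm -s` to validate the syntax and `wbinfo --sid-to-uid <SID>` plus `getent passwd <user>` to confirm both paths now return the same UID; any overlap between the `*` range and the domain range is rejected by winbind at startup.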
