[Samba] Samba + Winbind help

Eric Gurevitz gurevitz at qti.qualcomm.com
Mon Dec 1 08:16:30 UTC 2025


Hi Roland,

Wow, big problem yesterday on a prod server. I installed updates on Rocky 9 and got:

smbd --version
Version 4.21.3

I was unable to browse shares at the \\server level.  I could access \\server\share with no problems.  It took me 6 hours of troubleshooting and CoPilot AI gave me a clean smb.conf to try.
It worked!  The difference was that
username map script = /etc/samba/usermap.sh

was removed.

Adding it back broke browsing again.  With more trial and error and CoPilot AI, I found the problem was in the usermap.sh script.
I had to add

# ACCOUNTNAME holds the name Samba passes to the script as $1; LOGFILE is set earlier in the script
# Handle machine accounts and 'nobody' (return unchanged)
if [[ "$ACCOUNTNAME" =~ \$ || "$ACCOUNTNAME" =~ nobody ]]; then
    echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $ACCOUNTNAME (unchanged)" >> "$LOGFILE"
    echo "$ACCOUNTNAME"
    exit 1
fi

for users:
# If DOMAIN\user format, strip the domain and return only the user part
if [[ "$ACCOUNTNAME" == *\\* ]]; then
    OUTPUT="${ACCOUNTNAME##*\\}"
    echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $OUTPUT" >> "$LOGFILE"
    echo "$OUTPUT"
    exit 0
fi

Logging the output of usermap.sh shows these types need to come in and not be changed, along with an exit 1:
Domain\PCNAME$
Or
SAMBA-SERVER-NAME\nobody

Why the recent change? 

Using "winbind use default domain = yes" does not work.  The issue is UNIX groups. If I have a directory that only group VLSI can access, it will not let me in without the user map script.

Eric
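The following is an added example, not the poster's actual /etc/samba/usermap.sh and not Samba project code. It is a complete, testable version of the username map script described above: Samba invokes the script with the account name from the authentication request as its single argument and reads the mapped name from stdout. The return codes mirror what the poster reports works on 4.21.3 (machine accounts ending in '$' and 'nobody' are echoed unchanged with exit 1; DOMAIN\user is stripped to user with exit 0). The log path is an assumed value and logging failures never break the mapping.

```shell
#!/bin/bash
# Added example usermap script (not the original poster's file).
# Usage from smb.conf:  username map script = /etc/samba/usermap.sh
# Samba passes the account name as $1 and reads the mapped name from stdout.
# LOGFILE is an assumed path; overridable from the environment.
LOGFILE="${LOGFILE:-/var/log/samba/usermap.log}"

log_line() {
    # Append a timestamped line. stderr is silenced before the append is
    # attempted so an unwritable log file produces no noise and no failure.
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" 2>/dev/null >> "$LOGFILE" || true
}

# map_account NAME
# Prints the name to map to. Return codes follow the thread's finding:
#   1 - machine account (trailing '$') or 'nobody': printed unchanged
#   0 - DOMAIN\user: domain prefix stripped
#   0 - anything else: printed unchanged
map_account() {
    local name="$1" mapped

    case "$name" in
        *\$|*\\nobody|nobody)
            # Machine accounts (e.g. DOMAIN\PCNAME$) and the guest account
            # must pass through untouched.
            log_line "INPUT: $name OUTPUT: $name (unchanged)"
            printf '%s\n' "$name"
            return 1
            ;;
        *\\*)
            # DOMAIN\user -> user, so the Unix side sees the plain username
            # and group membership on local directories resolves correctly.
            mapped=${name##*\\}
            log_line "INPUT: $name OUTPUT: $mapped"
            printf '%s\n' "$mapped"
            return 0
            ;;
        *)
            log_line "INPUT: $name OUTPUT: $name (no domain prefix)"
            printf '%s\n' "$name"
            return 0
            ;;
    esac
}

# Run the mapping only when executed directly with an argument, so the
# file can also be sourced to exercise map_account on its own.
if [ -n "${1-}" ]; then
    map_account "$1"
    exit $?
fi
```

Run it as `./usermap.sh 'MEA\jdoe'` to see `jdoe`; with `MEA\PCNAME$` or `SAMBA-SERVER-NAME\nobody` the name is echoed back unchanged and the exit status is 1.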


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Tuesday, November 18, 2025 1:45 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help


On Tue, 18 Nov 2025 09:52:05 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:

> Hi Roland,
>
> Thanks for the reply.  When I was at a startup, we would never pay for
> something we can do for free with OpenSource. Since joining the
> enterprise, things work differently.  As you say, Linux is
> flexible. I agree that NIS is outdated and should not be used anymore.
>
> Given I must use vas for the domain join,

I have never used vas, what does it give you that Samba using 'net ads join' doesn't?


> what should I change in
> smb.conf? We have multiple domains, so users accounts are in na, eu, 
> mea, etc domains. The Linux pcs are joined to a domain in their 
> region.

It sounds like each region uses its own dns domain, i.e. the 'na' region could be using something like ad.domain.na, but how different are the dns domains? Are the clients set to use local DCs as the domain nameservers?

If the clients are using just one NetBIOS domain, then you could use the 'rid' idmap backend and a smb.conf similar to this:

[global]
  workgroup = MEA
  realm = MEA.QUALCOMM.COM
  security = ADS
  server string = %h server (Samba, Ubuntu)

  dedicated keytab file = /etc/krb5.keytab
  sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password

  winbind use default domain = yes
  winbind expand groups = 2
  winbind refresh tickets = Yes
  disable netbios = yes
  dns proxy = no

  idmap config * : backend = tdb
  idmap config * : range = 3000-7999
  idmap config MEA : backend  = rid
  idmap config MEA : range = 10000-999999
  template shell = /bin/bash

  vfs objects = acl_xattr
  map acl inherit = Yes

  log file = /var/log/samba/log.%m
  max log size = 10000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  server min protocol = SMB3

That will give you something that your current setup doesn't: the UID & GID created will be the same on every Unix domain member it is used on.
This is because they will be calculated from the object's RID and the low 'MEA' range set in the smb.conf (10000), e.g. the GID for Domain Users will always be 10513. Your setup is using the 'tdb' backend and this is an allocating backend (first come, first served) and hence the GID is highly likely to be different on every one of your Linux machines.

Rowland
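As an added illustration of the point made in the reply above (example code, not Samba's idmap_rid implementation): the rid backend derives a Unix id from the SID's RID plus the low end of the domain's configured range, so the result is identical on every domain member, while the allocating tdb backend hands out ids in whatever order objects are first seen on each host. The range values are taken from the smb.conf in the reply; the SIDs are constructed sample values.

```shell
#!/bin/bash
# Added example (not Samba code): reproduce the idmap_rid arithmetic.
#   id = RID + low end of the domain's range
# Assumed configuration, as in the smb.conf above:
#   idmap config MEA : backend = rid
#   idmap config MEA : range   = 10000-999999
MEA_RANGE_LOW=10000
MEA_RANGE_HIGH=999999

# rid_to_id SID LOW HIGH
# Prints the Unix id for SID under a rid backend with range LOW-HIGH.
# Returns 1 and prints nothing when the id would fall outside the range
# (a too-small range is the usual reason an object gets no id at all),
# and 2 when SID is not a domain SID.
rid_to_id() {
    local sid="$1" low="$2" high="$3" rid id
    case "$sid" in
        S-1-5-21-*-*-*-*) ;;
        *) echo "not a domain SID: $sid" >&2; return 2 ;;
    esac
    rid=${sid##*-}                 # last component of the SID is the RID
    case "$rid" in
        ''|*[!0-9]*) echo "bad RID in $sid" >&2; return 2 ;;
    esac
    id=$((rid + low))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# tdb_alloc LOW SID...
# Simulates the allocating '*' backend: ids are handed out sequentially in
# the order objects are first seen, so two hosts that meet the same objects
# in a different order end up with different ids for them.
tdb_alloc() {
    local next="$1" sid
    shift
    for sid in "$@"; do
        printf '%s=%s\n' "$sid" "$next"
        next=$((next + 1))
    done
}

# Constructed sample SIDs: domain S-1-5-21-1111-2222-3333, Domain Users is RID 513
DOMAIN_USERS_SID="S-1-5-21-1111-2222-3333-513"
VLSI_GROUP_SID="S-1-5-21-1111-2222-3333-1105"

if [ -z "${1-}" ]; then
    echo "rid backend, Domain Users -> $(rid_to_id "$DOMAIN_USERS_SID" "$MEA_RANGE_LOW" "$MEA_RANGE_HIGH")"
    echo "rid backend, VLSI         -> $(rid_to_id "$VLSI_GROUP_SID" "$MEA_RANGE_LOW" "$MEA_RANGE_HIGH")"
    echo "tdb backend, host A:"; tdb_alloc 3000 "$DOMAIN_USERS_SID" "$VLSI_GROUP_SID"
    echo "tdb backend, host B:"; tdb_alloc 3000 "$VLSI_GROUP_SID" "$DOMAIN_USERS_SID"
fi
```

Running the script prints 10513 for Domain Users and 11105 for the VLSI group under the rid backend, and then shows host A and host B assigning those same two groups swapped ids under a tdb-style allocation, which is exactly the cross-machine mismatch the reply warns about.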




