[Samba] Samba + Winbind help
Rowland Penny
rpenny at samba.org
Mon Dec 1 09:52:42 UTC 2025
On Mon, 1 Dec 2025 08:16:30 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:
> Hi Rowland,
>
> Wow, big problem yesterday on a prod server. I installed updates on
> Rocky 9 and got:
>
> smbd --version
> Version 4.21.3
>
> I was unable to browse shares at \\server level. I would access at
> \\server\share with no problems. It took me 6 hours of
> troubleshooting and CoPilot AI gave me a clean smb.conf to try. It
> worked! The difference was username map script =
> /etc/samba/usermap.sh
>
> was removed.
>
> Adding it back, broke browsing again. With more trial and error and
> CoPilot AI, I found the problem was in the usermap.sh script. I had
> to add
>
> # Handle machine accounts and 'nobody' (return unchanged)
> if [[ "$ACCOUNTNAME" =~ \$ || "$ACCOUNTNAME" =~ nobody ]]; then
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $ACCOUNTNAME (unchanged)" >> "$LOGFILE"
>     echo "$ACCOUNTNAME"
>     exit 1
> fi
>
> for users
> # If DOMAIN\user format, strip domain
> if [[ "$ACCOUNTNAME" == *\\* ]]; then
>     OUTPUT="${ACCOUNTNAME##*\\}"
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $OUTPUT" >> "$LOGFILE"
>     echo "$OUTPUT"
>     exit 0
> fi
>
> Logging the output of usermap.sh shows these types need to come in and
> not be changed, along with an exit 1: Domain\PCNAME$
> Or
> SAMBA-SERVER-NAME\nobody
>
> Why the recent change?
>
> Using " winbind use default domain = yes" does not work. The issue
> is UNIX groups. If I have a directory that only group VLSI can
> access, it will not let me without the user map script.
>
I do not think I can help you here.
You are using 'vas', something I have never really considered, because
I do not see the point to it. Without going too deep into it, it looks
like it doesn't give you anything that winbind doesn't, though I could
be wrong.
You appear to be using a mixture of AD users & groups and local
users & groups, something that isn't, in my opinion, required. Samba
can and will turn AD users & groups into 'local' users and groups. If
you have users & groups in /etc/passwd & /etc/group, they will always
take precedence over users & groups with the same names in AD.
I run Samba as a Unix domain member with the 'rid' idmap backend.
Apart from one 'emergency' local Unix user, all users & groups are in
AD, yet the local Unix machine knows them all.
Some examples:
getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
Running <grep 'rowland' /etc/passwd> returns nothing.
I even have a local group:
getent group 'rowland'
rowland:x:11104:rowland
Running <grep 'rowland' /etc/group> returns nothing.
Finally, ask for the archetypal AD group:
getent group 'Domain Users'
domain users:x:10513:
Running <grep 'Domain Users' /etc/group> returns nothing.
Unless someone can show me just what 'vas' gives over winbind, I cannot
see the point in using it. I also cannot see the point in creating
users & groups locally on a Unix domain member, it sort of defeats the
idea of central management.
Rowland
PS: please do not 'CC' me, just reply to the list.
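The usermap.sh logic quoted above, as an added example that is not Eric's script and not Samba's own code: a self-contained POSIX sh version that passes machine accounts and 'nobody' through unchanged (exit 1, as described in the thread) and strips a DOMAIN\ prefix from everything else. The match patterns are anchored so that only names ending in '$' or a whole name of 'nobody' are treated as unchanged; the quoted '=~ nobody' and '=~ \$' would also match any name merely containing those strings. The default LOGFILE path is an assumption.

```shell
#!/bin/sh
# Samba calls "username map script" with the incoming account name as its
# single argument and reads the mapped name from stdout.
# Constructed default; the real script in the thread is /etc/samba/usermap.sh.
LOGFILE="${LOGFILE:-/tmp/usermap-example.log}"

# map_account NAME
#   prints the name Samba should use; returns 1 when the name is passed
#   through unchanged, 0 when it was rewritten (exit codes as in the thread).
map_account() {
    name=$1
    case $name in
        # Anchored: machine accounts end in '$'; 'nobody' must be the whole
        # name (bare or DOMAIN\nobody), so 'nobodyelse' is not caught.
        *'$'|nobody|*'\nobody')
            printf '%s OUTPUT: %s (unchanged)\n' \
                "$(date '+%Y-%m-%d %H:%M:%S')" "$name" >> "$LOGFILE"
            printf '%s\n' "$name"
            return 1
            ;;
    esac
    # DOMAIN\user -> user: drop everything up to the last backslash.
    # A name with no backslash is left as it is.
    mapped=${name##*\\}
    printf '%s OUTPUT: %s\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$mapped" >> "$LOGFILE"
    printf '%s\n' "$mapped"
    return 0
}

# When invoked by Samba there is exactly one argument; map it.
if [ $# -gt 0 ]; then
    map_account "$1"
fi
```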