[Samba] Samba + Winbind help

Eric Gurevitz gurevitz at qti.qualcomm.com
Mon Dec 1 10:09:14 UTC 2025


Hi Rowland,

Sorry, I am used to hitting reply all. I also misspelled your name. Fixed both. 

All we want is AD to authenticate the user and then let nsswitch handle UID and GIDs. 
Vas works by joining the domain with a keytab file. It then looks for AD attrs for UNIX that were added to the user object: 

uidNumber
gidNumber
gecos
homeDirectory
loginShell

Vas looks for UNIX group membership in an OU in AD.  This all works perfectly in Linux. 

Use case:

On my Linux PC, we have /local/mnt/workspace where users work. 
They want to access this as \\pc\workspace. 
I log into Linux PC as gurevitz and my UID is 82629 and Linux knows all my groups as it looks them up in an OU.

Now, from my Windows laptop, I log in as gurevitz and my account is in the mea.qualcomm.com domain.
I connect to \\pc\workspace and the user map script maps mea\gurevitz to gurevitz. Perfect, this is passed to vasd via /etc/nsswitch.conf. 
My Linux PC now treats samba connections the same way as Linux logins. I am in group VLSI and if the directory only allows VLSI members, both Linux access and samba respect this. 

Eric
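
The mapping described above (DOMAIN\user stripped to user, machine accounts and 'nobody' passed through unchanged with exit status 1), as an added example that is not Eric's script and not part of the thread. It is written in the shape smbd invokes a 'username map script': one argument carrying the incoming account name, the name to use printed on stdout. It assumes that only the "mea" domain from the thread should be stripped (TRUSTED_DOMAIN, an assumption), that the log path is a placeholder, and that the function name map_account is this example's own:

```shell
#!/bin/sh
# Added example, not the usermap.sh from the thread.
# Assumptions: TRUSTED_DOMAIN is the only prefix that gets stripped (the thread
# only mentions "mea"); LOGFILE is a placeholder path.
TRUSTED_DOMAIN=${TRUSTED_DOMAIN:-mea}
LOGFILE=${LOGFILE:-/tmp/usermap-example.log}

log() {
    # a logging failure must never change the mapping result
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE" 2>/dev/null || :
}

# map_account NAME
# Prints the name to hand to nsswitch. Returns 0 when a mapping was applied and
# 1 when the name is passed through unchanged (the thread reports that machine
# accounts and 'nobody' have to come back unchanged with exit 1).
map_account() {
    name=$1
    case $name in
        *\$|nobody|*\\nobody)
            # machine account (trailing $) or the guest account: leave as-is
            log "OUTPUT: $name (unchanged)"
            printf '%s\n' "$name"
            return 1 ;;
        *\\*)
            domain=${name%%\\*}
            user=${name#*\\} ;;
        *)
            # no DOMAIN\ prefix, nothing to strip
            log "OUTPUT: $name (unchanged)"
            printf '%s\n' "$name"
            return 1 ;;
    esac
    # strip only the prefix of the domain we expect (case-insensitive compare);
    # a blanket strip would map SOMEOTHERDOMAIN\gurevitz onto the same Unix user
    if [ "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" != "$TRUSTED_DOMAIN" ]; then
        log "OUTPUT: $name (unchanged, unexpected domain prefix)"
        printf '%s\n' "$name"
        return 1
    fi
    # refuse anything that is not a plain Unix account name
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            log "OUTPUT: $name (unchanged, invalid user part)"
            printf '%s\n' "$name"
            return 1 ;;
    esac
    log "OUTPUT: $user"
    printf '%s\n' "$user"
    return 0
}

# smbd passes the account name as the only argument; skipped when run without one
if [ $# -gt 0 ]; then
    map_account "$1"
fi
```

printf is used instead of echo because some /bin/sh implementations let echo interpret the backslash in DOMAIN\user; the charset check keeps a stray separator or shell metacharacter in the incoming name from reaching nsswitch as a user name.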

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, December 1, 2025 11:53 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help


On Mon, 1 Dec 2025 08:16:30 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:

> Hi Roland,
>
> Wow, big problem yesterday on a prod server. I installed updates on 
> Rocky 9 and got:
>
> smbd --version
> Version 4.21.3
>
> I was unable to browse shares at \\server level.  I would access at 
> \\server\share with no problems.  It took me 6 hours of 
> troubleshooting and CoPilot AI gave me a clean smb.conf to try. It 
> worked!  The difference was username map script = 
> /etc/samba/usermap.sh
>
> was removed.
>
> Adding it back broke browsing again.  With more trial and error and 
> CoPilot AI, I found the problem was in the usermap.sh script. I had to 
> add
>
> # Handle machine accounts and 'nobody' (return unchanged)
> if [[ "$ACCOUNTNAME" =~ \$ || "$ACCOUNTNAME" =~ nobody ]]; then
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $ACCOUNTNAME (unchanged)" >> "$LOGFILE"
>     echo "$ACCOUNTNAME"
>     exit 1
> fi
>
> for users
>
> # If DOMAIN\user format, strip domain
> if [[ "$ACCOUNTNAME" == *\\* ]]; then
>     OUTPUT="${ACCOUNTNAME##*\\}"
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $OUTPUT" >> "$LOGFILE"
>     echo "$OUTPUT"
>     exit 0
> fi
>
> Logging the output of usermap.sh shows these types need to come in and 
> not be changed, along with an exit 1: Domain\PCNAME$ or 
> SAMBA-SERVER-NAME\nobody
>
> Why the recent change?
>
> Using "winbind use default domain = yes" does not work.  The issue is 
> UNIX groups. If I have a directory that only group VLSI can access, it 
> will not let me without the user map script.
>

I do not think I can help you here.

You are using 'vas', something I have never really considered, because I do not see the point to it. Without going too deep into it, it looks like it doesn't give you anything that winbind doesn't, though I could be wrong.

You appear to be using a mixture of AD users & groups and local users & groups, something that isn't, in my opinion, required. Samba can and will turn AD users & groups into 'local' users and groups. If you have users & groups in /etc/passwd & /etc/group, they will always take precedence over users & groups with the same names in AD.

I run Samba as Unix domain members with the 'rid' idmap backend.
Apart from one 'emergency' local Unix user, all users & groups are in AD, yet the local Unix machine knows them all.

Some examples:

getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

Running <grep 'rowland' /etc/passwd> returns nothing.

I even have a local group:

getent group 'rowland'
rowland:x:11104:rowland

Running <grep 'rowland' /etc/group> returns nothing.

Finally, ask for the archetypal AD group:

getent group 'Domain Users'
domain users:x:10513:

Running <grep 'Domain Users' /etc/group> returns nothing.

Unless someone can show me just what 'vas' gives over winbind, I cannot see the point in using it. I also cannot see the point in creating users & groups locally on a Unix domain member, it sort of defeats the idea of central management.

Rowland

PS: please do not 'CC' me, just reply to the list.
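
The getent checks above, as an added example that is not Rowland's own commands and not part of the thread. It shows the arithmetic the 'rid' idmap backend uses to turn a RID into a uid/gid (ID = RID - BASE_RID + LOW_ID, from man idmap_rid) and a check for the precedence problem Rowland describes: AD accounts whose name also exists in /etc/passwd, where the local entry wins. The idmap range 10000-999999 and base_rid 0 are assumptions (the thread does not show the smb.conf; they are consistent with the uid 11104 and gid 10513 it prints, since Domain Users is RID 513), the function names are this example's own, and the passwd lines are constructed samples:

```shell
#!/bin/sh
# Added example, not commands from the thread.
# Assumptions: 'idmap config DOM : backend = rid' with range 10000-999999 and
# base_rid 0 (not stated in the thread); the passwd lines below are constructed.
LOW_ID=10000
HIGH_ID=999999
BASE_RID=0

# rid_to_id RID -> the uid/gid idmap_rid computes (ID = RID - BASE_RID + LOW_ID);
# exit status 1 if the result falls outside the configured range
rid_to_id() {
    id=$(( $1 - BASE_RID + LOW_ID ))
    [ "$id" -ge "$LOW_ID" ] && [ "$id" -le "$HIGH_ID" ] || return 1
    echo "$id"
}

# id_to_rid ID -> the RID behind an id from the range; exit status 1 otherwise
id_to_rid() {
    [ "$1" -ge "$LOW_ID" ] && [ "$1" -le "$HIGH_ID" ] || return 1
    echo $(( $1 - LOW_ID + BASE_RID ))
}

# shadowed_accounts NSS_TEXT LOCAL_TEXT
# NSS_TEXT: passwd(5) lines as an enumerating `getent passwd` prints them
# (winbind entries included); LOCAL_TEXT: the content of /etc/passwd.
# Prints "name local_uid ad_uid" for every AD account whose name also exists
# locally: the local entry takes precedence, so that machine resolves the name
# to a uid the rest of the domain does not use.
shadowed_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name _ uid _; do
        # only ids from the idmap range can be AD accounts
        [ "$uid" -ge "$LOW_ID" ] && [ "$uid" -le "$HIGH_ID" ] || continue
        luid=$(printf '%s\n' "$2" | awk -F: -v n="$name" '$1 == n { print $3; exit }')
        if [ -n "$luid" ]; then
            echo "$name $luid $uid"
        fi
    done
}

# constructed samples: the AD user alice also has a leftover local account
NSS_SAMPLE='root:x:0:0:root:/root:/bin/bash
emergency:x:1000:1000:Emergency admin:/home/emergency:/bin/bash
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
alice:*:11205:10513:Alice Example:/home/alice:/bin/bash'
LOCAL_SAMPLE='root:x:0:0:root:/root:/bin/bash
emergency:x:1000:1000:Emergency admin:/home/emergency:/bin/bash
alice:x:1001:1001:Alice (local leftover):/home/alice:/bin/bash'

# on a real member (with 'winbind enum users = yes' so getent enumerates AD users):
#   shadowed_accounts "$(getent passwd)" "$(cat /etc/passwd)"
shadowed_accounts "$NSS_SAMPLE" "$LOCAL_SAMPLE"
```

Because the rid backend is pure arithmetic over the RID, every domain member configured with the same range derives the same uid for the same account, which is what makes central management work; a local passwd entry with a clashing name is the one thing that breaks that guarantee on a single host, and the check above lists exactly those entries.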
