[Samba] intermittent pam_winbind authentication failure

Rowland Penny rpenny at samba.org
Wed Jun 11 13:53:01 UTC 2025


On Wed, 11 Jun 2025 14:22:54 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:


> > We didn't (obviously) have a need for BUILTIN for just winbind,
> > there are no shares or printing etc.  We felt that the
> > idmap_autorid was more suitable for our environment as it does not
> > require a database which needs to be managed.  The ranges are large
> > to reduce the chances of a collision in the autorid scheme.
> 
> Yes, I can understand using 'autorid', just not with 'rid' at the same
> time. I have never set up Samba in the way you have, but I presume
> that 'rid' is mapping your 'DOMAIN' users and I have no idea if
> 'autorid' is doing anything because you have stopped it from mapping
> the BUILTIN domain and, yes, you do need the BUILTIN domain.
>

I should have read the code (sometimes it is better than the
documentation) and I would have found that 'ignore builtin' was added
in 2012 and it doesn't do what it sounds like it does. 'autorid' always
ignores BUILTIN and passes it to passdb to be handled, unless passdb
does not know about a SID, in which case 'autorid' creates a range for
BUILTIN and maps it. 'ignore builtin' turns off this fallback
behaviour. This means (as far as I understand it) that your BUILTIN
users & groups are being handled by 'autorid' except for any BUILTIN
SIDs that are unknown (which do not get mapped) and your 'DOMAIN' users
& groups are being mapped by the 'rid' idmap backend. I stand by my
suggestion to replace 'autorid' in your smb.conf with 'tdb'.

You could just remove the 'DOMAIN' idmap config lines (along with
'ignore builtin') and use 'autorid', but this would mean your
'DOMAIN' users & groups would very probably get new IDs.

Rowland
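To make the two configurations discussed above concrete, here is an added smb.conf idmap fragment (not taken from the thread or from the Samba project docs). The combination being questioned is shown first, followed by the replacement Rowland suggests: 'tdb' for the default '*' domain and 'rid' kept for 'DOMAIN'. The domain name DOMAIN, the workgroup/realm lines and all range values are constructed placeholders; only the backend/option names are real Samba parameters.

```ini
[global]
   ; constructed placeholders; adjust to the real domain
   workgroup = DOMAIN
   realm = DOMAIN.EXAMPLE
   security = ADS

   ; --- configuration under discussion: autorid for '*' plus rid for DOMAIN ---
   ; 'ignore builtin' only disables autorid's fallback of allocating a range
   ; for BUILTIN SIDs that passdb does not know; it does not stop autorid
   ; from handling BUILTIN altogether, so unknown BUILTIN SIDs stay unmapped.
   ;idmap config * : backend = autorid
   ;idmap config * : range = 1000000-19999999
   ;idmap config * : rangesize = 1000000
   ;idmap config * : ignore builtin = yes
   ;idmap config DOMAIN : backend = rid
   ;idmap config DOMAIN : range = 100000-999999

   ; --- suggested replacement: tdb for '*' (BUILTIN and anything unknown),
   ;     rid kept for DOMAIN so existing DOMAIN uids/gids are unchanged ---
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 100000-999999
```

The '*' range and the DOMAIN range must not overlap; running `testparm -s` after the change reports a parse error or warning for most idmap misconfigurations before winbind is restarted.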



