[Samba] Samba + Winbind help
Mike Hobbs
mhobbs at mtl.mit.edu
Mon Nov 17 18:30:46 UTC 2025
Hi Everyone,
I've been using Samba at my place of work for over 20 years, never had
an issue and it's always worked great. I've used both the built-in
packages from Red Hat and also compiled from source. Our current
production server is running 4.7.7, compiled from source. We are in the
process of moving our "unix home directory" server to newer hardware and
operating system so we want to use the latest version of Samba. We
realized during the install that Winbind is now required and we have had
nothing but trouble getting it to work correctly. We are not running a
domain controller with Samba, just as a domain member so our Windows
users can mount shares off of our Linux servers, Unix home directories,
etc.
My current test environment is Red Hat Enterprise 9.7 (Plow) and Red Hat
Samba packages 4.22.4-6. My Active Directory server is Windows Server 2019.
testparm reports no errors and my server role as: ROLE_DOMAIN_MEMBER
wbinfo -u and wbinfo -g display back my users and groups
getent passwd <user> displays my passwd entry
Everything appears to be normal until I try to mount my Unix home
directory: it then asks me for my username and password. It shouldn't do
this, but even if I enter the correct name/pass combo it fails and will
not mount the share. Also, we need Samba to map to the Unix UID and GID,
not what is in the Windows server Active Directory for each user. Thank
you for any help that can be provided. Sorry for the long post.
Info from various log files:
[2025/11/17 12:54:40.982925, 0] ../../source3/auth/auth_util.c:1945(check_account)
  check_account: Failed to convert SID S-1-5-21-3094983005-3443631508-768506439-1116 to a UID (dom_user[MYDOM\mhobbs])
[2025/11/17 12:54:50.246842, 5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mhobbs]!
[2025/11/17 12:44:33.204773, 2] ../../source3/auth/token_util.c:758(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2025/11/17 12:44:26.636954, 1, traceid=1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory
[2025/11/17 12:44:33.203891, 1, traceid=7] ../../source3/winbindd/idmap_tdb_common.c:65(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 499999)
(the above error is odd because no matter what range of numbers I use,
it tells me the range is full)
My /etc/nsswitch.conf (yes we still use NIS, I know, it's old)
group: files nis systemd winbind
passwd: files nis systemd winbind
My smb.conf file:
# Global parameters
[global]
acl allow execute always = true
case sensitive = auto
cups encrypt = auto
deadtime = 15
dont descend = /proc,/dev
#encrypt passwords = yes
enhanced browsing = no
force unknown acl user = yes
hide dot files = yes
hide special files = yes
hosts allow = 127.0.0.1 x.x.x.x/19
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
lock dir = /var/lib/samba/lock
log level = 5
log file = /var/log/samba/log.%m
log writeable files on exit = yes
map archive = no
max log size = 1000
netbios name = SERVERHOSTNAME
preserve case = yes
printing = CUPS
read raw = yes
realm = MY.WINDOWS.DOMAIN
security = ADS
server string = myserver Samba Server %v
strict locking = no
unix extensions = no
use sendfile = yes
username map = /etc/samba/users.map
wide links = yes
winbind use default domain = yes
winbind refresh tickets = yes
workgroup = MYWINDOMAIN
write raw = yes
[homes]
comment = Home Directories
read only = No
create mask = 0600
directory mask = 0700
force create mode = 0600
force directory mode = 0700
browseable = No
path = /homes/%S
wide links = yes
map archive = no
hide dot files = yes
strict locking = no
use sendfile = yes
[tmp]
path=/u/tmp
read only = No
comment = Temp storage location
wide links = yes
map archive = no
hide dot files = no
strict locking = no
use sendfile = yes
[admin]
path = /u/admin
write list = @sys-users
comment = Admin Tree
wide links = yes
map archive = no
hide dot files = yes
strict locking = no
use sendfile = yes
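A check that can be run over the idmap lines of an smb.conf like the one above, as an added example that is not part of the original post: it parses each `idmap config` stanza (with or without a space before the colon), verifies that every range is well-formed and that no two ranges overlap, and lists stanza names that are neither `*` nor the `workgroup` value. The function names and the sample string are constructed for illustration; the naming check assumes the smb.conf(5) convention that a stanza is named after a domain's short name.

```python
import re

# Constructed sample: the idmap and workgroup lines of the smb.conf above.
SAMPLE = """\
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
workgroup = MYWINDOMAIN
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)
def parse_idmap(text):
    """Return ({stanza: {option: value}}, workgroup) from smb.conf text."""
    stanzas, workgroup = {}, None
    for line in text.splitlines():
        if m := IDMAP_RE.match(line):
            stanzas.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
    return stanzas, workgroup

def check_idmap(text):
    """Return a list of findings about the idmap stanzas in smb.conf text."""
    stanzas, workgroup = parse_idmap(text)
    findings, seen = [], []
    for name, opts in sorted(stanzas.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m:
            findings.append(f"{name}: missing or malformed range")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low >= high:
            findings.append(f"{name}: range low >= high")
        # Ranges of different stanzas must not overlap.
        for other, olow, ohigh in seen:
            if low <= ohigh and olow <= high:
                findings.append(f"{name}: range overlaps {other}")
        seen.append((name, low, high))
        # Assumption (smb.conf(5)): a stanza is named '*' or the domain's short name.
        if name not in ("*", workgroup):
            findings.append(f"{name}: stanza name differs from workgroup {workgroup}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE)))
```

Trusted domains legitimately have their own stanzas, so a "differs from workgroup" finding is a prompt to compare the name against the domain list from `wbinfo`, not an error in itself.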