[Samba] Samba + Winbind help
Rowland Penny
rpenny at samba.org
Tue Nov 18 11:45:01 UTC 2025
On Tue, 18 Nov 2025 09:52:05 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:
> Hi Roland,
>
> Thanks for the reply. When I was at a startup, we would never pay
> for something we can do for free with OpenSource. Since joining the
> enterprise, things work differently. As you say, Linux is
> flexible. I agree that NIS is outdated and should not be used
> anymore.
>
> Given I must use vas for the domain join,
I have never used vas; what does it give you that Samba using 'net ads
join' doesn't?
> what should I change in
> smb.conf? We have multiple domains, so users accounts are in na, eu,
> mea, etc domains. The Linux pcs are joined to a domain in their
> region.
It sounds like each region uses its own DNS domain, i.e. the 'na' region
could be using something like ad.domain.na, but how different are the
DNS domains? Are the clients set to use local DCs as the domain
nameservers?
If the clients are using just one NetBIOS domain, then you could use
the 'rid' idmap backend and a smb.conf similar to this:
[global]
# Identity of the domain this member is joined to (NetBIOS name and Kerberos realm)
workgroup = MEA
realm = MEA.QUALCOMM.COM
security = ADS
server string = %h server (Samba, Ubuntu)
# Keep the machine account keys in the system keytab and follow password changes
dedicated keytab file = /etc/krb5.keytab
sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
# Users appear as 'user' rather than 'MEA\user'; nested groups are expanded two levels
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no
# Default allocating range for BUILTIN and any SID not covered by a domain entry
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# Deterministic mapping for the MEA domain: Unix ID = 10000 + RID
idmap config MEA : backend = rid
idmap config MEA : range = 10000-999999
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = Yes
log file = /var/log/samba/log.%m
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server min protocol = SMB3
That will give you something that your current setup doesn't: the UID &
GID created will be the same on every Unix domain member it is used on.
This is because they will be calculated from the object's RID and the
low end of the 'MEA' range set in smb.conf (10000), e.g. the GID for
Domain Users will always be 10513. Your setup is using the 'tdb' backend
and this is an allocating backend (first come, first served), and hence
the GID is highly likely to be different on every one of your Linux
machines.
Rowland
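The following is an added example, not part of Rowland's post or of Samba itself. It models the two idmap behaviours his reply contrasts: the 'rid' backend deriving a Unix ID as range low + RID (so Domain Users, RID 513, becomes 10513 with a range starting at 10000), and the allocating 'tdb' backend handing out IDs in the order a host first looks SIDs up, so two hosts that meet the same accounts in a different order end up with different IDs. The domain SID, account RIDs and lookup orders are constructed for the demonstration; the regex, range check and domain check are this example's own logic, not winbind's code.

```python
"""Added example (not from the Samba list post or the Samba project):
models winbind's 'rid' idmap backend next to the allocating 'tdb'
backend to show why only 'rid' gives the same UID/GID on every domain
member.  All SIDs, ranges and lookup orders below are constructed."""
import re

# Domain account SID: S-1-5-21-<three sub-authorities>-<RID>.
# Group 1 is the domain part, group 2 the RID of the object.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed domain SID standing in for the MEA domain, and the range
# from 'idmap config MEA : range = 10000-999999' in the smb.conf above.
MEA_SID = "S-1-5-21-1111111111-2222222222-3333333333"
MEA_RANGE = (10000, 999999)


def split_sid(sid):
    """Return (domain_sid, rid), or raise for anything that is not a
    domain account SID (a BUILTIN SID such as S-1-5-32-544 has no
    S-1-5-21 domain part and is left to the '*' default backend)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_backend_id(sid, domain_sid=MEA_SID, rng=MEA_RANGE):
    """idmap_rid: unix id = low + RID, so the result is identical on
    every host.  A SID from another domain is not this entry's job,
    and a RID that would land above the high end is refused."""
    low, high = rng
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        raise ValueError(f"{sid} belongs to a different domain")
    unix_id = low + rid
    if unix_id > high:
        raise ValueError(f"RID {rid} maps outside {low}-{high}")
    return unix_id


class TdbBackend:
    """Allocating backend: an id is assigned on first lookup, so the
    value depends on the order in which this host first saw each SID."""

    def __init__(self, rng):
        self.next_id, self.high = rng
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            if self.next_id > self.high:
                raise RuntimeError("idmap range exhausted")
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def compare_backends(lookups_host_a, lookups_host_b, rng=MEA_RANGE):
    """Replay two hosts' first-lookup orders against independent tdb
    backends and return {sid: (rid_id, tdb_id_on_a, tdb_id_on_b)}.
    The rid column is the same for both hosts; the tdb columns differ
    whenever the hosts met the SIDs in a different order."""
    tdb_a, tdb_b = TdbBackend(rng), TdbBackend(rng)
    for sid in lookups_host_a:
        tdb_a.lookup(sid)
    for sid in lookups_host_b:
        tdb_b.lookup(sid)
    return {sid: (rid_backend_id(sid, rng=rng), tdb_a.lookup(sid), tdb_b.lookup(sid))
            for sid in dict.fromkeys(list(lookups_host_a) + list(lookups_host_b))}


if __name__ == "__main__":
    domain_users = MEA_SID + "-513"   # Domain Users, RID 513
    alice = MEA_SID + "-1105"          # constructed user account
    # Host A resolved alice first, host B resolved Domain Users first.
    for sid, ids in compare_backends([alice, domain_users],
                                     [domain_users, alice]).items():
        print(f"{sid}: rid={ids[0]} tdb@A={ids[1]} tdb@B={ids[2]}")
```

Run it as a script and the rid column is stable (Domain Users is 10513 on both hosts) while the tdb column swaps between 10000 and 10001 depending on which account each host resolved first; that swap is exactly what breaks file ownership when a home directory is shared between Linux machines. A SID from a different domain (the 'na' or 'eu' accounts in the thread) raises, which is why a multi-domain forest needs an 'idmap config' entry per domain.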