[Samba] Strange problem with winbind on linux domain member (works for 2 minutes...)

Rowland Penny rpenny at samba.org
Thu Feb 5 16:29:13 UTC 2026


On Thu, 5 Feb 2026 16:15:34 +0100
Jakob Curdes via samba <samba at lists.samba.org> wrote:

Please see inline comments:

> 
> Hello Rowland, here is the entire smb.conf (some identical shares 
> omitted for length)
> 
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "server schannel" option is 
> deprecated

I take it that, because testparm has
warned about the server schannel parameter and it isn't in the smb.conf
below, you have:

server schannel = yes

in the actual smb.conf file. If this is the case, then I suggest you
remove it; it is the default, and removing it will stop the testparm
warning in future.

> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> fallback)
> 
> Server role: ROLE_DOMAIN_MEMBER
> 
> # Global parameters
> [global]
>          bind interfaces only = Yes
>          dedicated keytab file = /etc/krb5.keytab
>          disable spoolss = Yes
>          interfaces = lo AAA.BBB.CCC.DDD
>          kerberos method = secrets and keytab
>          load printers = No
>          log file = /var/log/samba/%m.log
>          printcap name = /dev/null
>          realm = XX.YYYYY.LOCAL
>          security = ADS
>          template homedir = /home/%U
>          template shell = /bin/nologin

There is no real reason for the above, the default is:

template shell = /bin/false

and it means the same: a user cannot log on locally.

>          winbind enum groups = Yes
>          winbind enum users = Yes

Is there a reason why you need to enumerate all users and groups? It
just slows everything down.

>          winbind expand groups = 4

'4' is a bit excessive; again, it will just slow things down.

>          winbind refresh tickets = Yes
>          workgroup = WW
>          recycle:minsize = 167
>          recycle:exclude = 
> *.tmp,*.temp,*.o,*.obj,~$*,*.~??,~*.*,*.TMP,*.TEMP,lock.*,.~lock.*,LOCK.*,*.lock,*.~lock,*.LNK,*.lnk,*.ldb, 
> ~s*, Backup*, AUTOBACKUP*
>          recycle:exclude_dir = /tmp /temp /cache /.Cache /.cache
>          recycle:versions = yes
>          recycle:keeptree = no
>          recycle:subdir_mode = 0700
>          recycle:directory_mode = 0770
>          idmap config ov : range = 300000-400000
>          idmap config ov : backend = rid

The workgroup above is 'WW', but the 'idmap config' domain is 'ov'. Is
this just bad sanitisation?

>          idmap config * : range = 3000-7999
>          idmap config * : backend = tdb
>          access based share enum = Yes
>          hide files = /.*/

Why set the above two parameters? You reset them in the shares.

>          map readonly = yes
>          printing = bsd
>          store dos attributes = No
>          veto files = /lost+found/
>          vfs objects = recycle

You might want to consider adding 'acl_xattr' to the 'vfs objects'
line, this will get you better acl control with your Windows clients.
If you do add it, then I would further suggest removing the 'map
readonly' and 'store dos attributes' lines.

> 
> 
> [xyz]
>          access based share enum = No

I can only assume that testparm is showing the above line because it is
set to 'yes' in the 'global' section, this is because it defaults to
'no', so if the line is in every share, there doesn't seem much point
in setting it at all.

>          create mask = 0770
>          directory mask = 0770
>          force group = WW\ww-staff
>          hide files = /._moved/*._moved/
>          path = /xxxxxxxxx
>          read only = No
>          valid users = @WW\ww-staff

Again, if you use 'acl_xattr', you can set who is allowed access etc
from Windows and would not require the 'valid users' line.

By default, the minimum SMB version is now SMBv2, and you only need the
'nmbd' daemon if you use NetBIOS, which requires SMBv1, so you might
want to consider setting:

disable netbios = yes
smb ports = 445

in the 'global' part of your smb.conf file and stopping the 'nmbd' daemon.

There doesn't seem to be anything really wrong with your smb.conf
(apart from the different workgroup/domain names, and I think this is
probably bad sanitisation), so is anything else running on this Samba
fileserver?

Rowland
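As an added example (not part of the thread and not Samba project code), the following Python script turns the review points above into a small smb.conf lint for a domain member: the deprecated 'server schannel' line, the non-default 'template shell', winbind enumeration and group expansion, an 'idmap config' domain that does not match 'workgroup', the missing 'acl_xattr' VFS module (and the 'map readonly' / 'store dos attributes' lines that become redundant once it is added), NetBIOS/nmbd still enabled, and 'access based share enum' set globally but overridden in every share. The two sample configurations are constructed from the sanitised values quoted in the thread; the finding codes and the helper names are the example's own.

```python
"""Lint a Samba domain-member smb.conf for the points raised in the thread above.

Usage: python smbconf_lint.py [/etc/samba/smb.conf]
Without an argument it lints the constructed sample below. The parameter
names checked are real smb.conf parameters; the finding codes are ours.
"""
import configparser
import re
import sys

# Constructed sample, modelled on the sanitised smb.conf quoted in the thread
# (recycle and most share lines trimmed); not the poster's actual file.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WW
    realm = XX.YYYYY.LOCAL
    security = ADS
    server schannel = yes
    log file = /var/log/samba/%m.log
    template shell = /bin/nologin
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind expand groups = 4
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ov : backend = rid
    idmap config ov : range = 300000-400000
    vfs objects = recycle
    map readonly = yes
    store dos attributes = No
    access based share enum = Yes

[xyz]
    access based share enum = No
    path = /xxxxxxxxx
    read only = No
"""

# Constructed counterpart with the suggestions from the thread applied.
FIXED_SMB_CONF = """\
[global]
    workgroup = WW
    realm = XX.YYYYY.LOCAL
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config WW : backend = rid
    idmap config WW : range = 300000-400000
    vfs objects = acl_xattr recycle
    disable netbios = yes
    smb ports = 445

[xyz]
    path = /xxxxxxxxx
    read only = No
"""


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for smb.conf text.

    Samba ignores case and whitespace in parameter names, so keys are
    lower-cased with whitespace removed ('idmap config ov : range' becomes
    'idmapconfigov:range'). Only '=' is a delimiter, because ':' is part of
    idmap and VFS-module parameter names. RawConfigParser does no '%'
    interpolation, so 'log file = .../%m.log' is kept verbatim.
    """
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = lambda k: re.sub(r"\s+", "", k).lower()
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def truthy(value):
    """Samba accepts yes/true/1/on as boolean true."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def lint_smb_conf(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    shares = [s for s in conf if s != "global"]
    findings = []

    if "serverschannel" in g:
        findings.append(("server-schannel", "'server schannel' is deprecated and its default is already 'yes'; remove the line to silence the testparm warning"))
    if g.get("templateshell", "").strip() == "/bin/nologin":
        findings.append(("template-shell", "'template shell = /bin/nologin' behaves like the default /bin/false; the line can be dropped"))
    if truthy(g.get("winbindenumusers", "no")) or truthy(g.get("winbindenumgroups", "no")):
        findings.append(("winbind-enum", "'winbind enum users/groups = yes' forces full enumeration and slows lookups"))
    try:
        depth = int(g.get("winbindexpandgroups", "0"))
    except ValueError:
        depth = 0
    if depth > 0:
        findings.append(("winbind-expand", f"'winbind expand groups = {depth}' is above the default of 0 and slows group lookups"))

    # Every non-'*' idmap domain should be the workgroup (or a trusted domain).
    workgroup = g.get("workgroup", "").strip().upper()
    for dom in sorted({m.group(1) for m in (re.match(r"^idmapconfig(.+):(backend|range)$", k) for k in g) if m}):
        if dom != "*" and dom.upper() != workgroup:
            findings.append(("idmap-domain", f"idmap config domain '{dom}' does not match workgroup '{workgroup}'"))

    vfs = g.get("vfsobjects", "").split()
    if "acl_xattr" not in vfs:
        findings.append(("acl-xattr", "add 'acl_xattr' to 'vfs objects' for Windows-style ACL control"))
    else:
        for key, name in (("mapreadonly", "map readonly"), ("storedosattributes", "store dos attributes")):
            if key in g:
                findings.append(("acl-xattr-redundant", f"'{name}' is unnecessary once acl_xattr is loaded"))

    if not truthy(g.get("disablenetbios", "no")) or g.get("smbports", "").strip() != "445":
        findings.append(("netbios", "NetBIOS needs SMBv1; set 'disable netbios = yes' and 'smb ports = 445' and stop nmbd"))

    if truthy(g.get("accessbasedshareenum", "no")) and shares and all(
        "accessbasedshareenum" in conf[s] and not truthy(conf[s]["accessbasedshareenum"]) for s in shares
    ):
        findings.append(("abse-override", "'access based share enum = yes' in [global] is overridden to 'no' in every share; set it nowhere instead"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for code, msg in lint_smb_conf(text):
        print(f"{code}: {msg}")
```

Run it against the output of `testparm -s` rather than the raw file when the file uses includes, since testparm emits the merged, normalised parameter list that this parser expects.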
