Andrew Walker
2014-Nov-15 16:27 UTC
[Samba] Clarification on the appropriate idmap settings for a standalone server
I am trying to increase my understanding of samba. I am running a FreeBSD
server with Samba 4.1.12 configured as a standalone server in a testing
environment.
The documentation here indicates that winbind / the idmap facility is of
little or no use on a standalone server:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604490
Is this still the case in Samba4?
My curiosity was piqued because I keep getting the following error message
"winbindd: sam_rids_to_names: possible deadlock - trying to lookup SID
[SID]".
My server has the following parameters in [global] in the smb.conf (which
was default for the appliance):
[global]
server max protocol = SMB2_24
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 11070
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = Yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
server string = Samba Server
unix extensions = no
acl allow execute always = true
local master = yes
idmap config *:backend = tdb
idmap config *:range = 90000000-100000000
server role = standalone
netbios name = C_GRINDER
workgroup = WORKGROUP
security = user
pid directory = /var/run/samba
smb passwd file = /var/etc/private/smbpasswd
private dir = /var/etc/private
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1
Rowland Penny
2014-Nov-15 17:52 UTC
[Samba] Clarification on the appropriate idmap settings for a standalone server
On 15/11/14 16:27, Andrew Walker wrote:
> I am trying to increase my understanding of samba. I am running a FreeBSD
> server with Samba 4.1.12 configured as a standalone server in a testing
> environment.
>
> The documentation here indicates that winbind / the idmap facility is of
> little or no use on a standalone server:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2604490
>
> Is this still the case in Samba4?
>
> My curiosity was piqued because I keep getting the following error message
> "winbindd: sam_rids_to_names: possible deadlock - trying to lookup SID
> [SID]".
>
> My server has the following parameters in [global] in the smb.conf (which
> was default for the appliance):
>
> [global]
> server max protocol = SMB2_24
> encrypt passwords = yes
> dns proxy = no
> strict locking = no
> oplocks = yes
> deadtime = 15
> max log size = 51200
> max open files = 11070
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> getwd cache = yes
> guest account = nobody
> map to guest = Bad User
> obey pam restrictions = Yes
> directory name cache size = 0
> kernel change notify = no
> panic action = /usr/local/libexec/samba/samba-backtrace
> server string = Samba Server
> unix extensions = no
> acl allow execute always = true
> local master = yes
> idmap config *:backend = tdb
> idmap config *:range = 90000000-100000000
> server role = standalone
> netbios name = C_GRINDER
> workgroup = WORKGROUP
> security = user
> pid directory = /var/run/samba
> smb passwd file = /var/etc/private/smbpasswd
> private dir = /var/etc/private
> create mask = 0666
> directory mask = 0777
> client ntlmv2 auth = yes
> dos charset = CP437
> unix charset = UTF-8
> log level = 1

Hi, if you are running samba as a standalone server, it is just as if the Unix machine is a standalone windows machine. This means that your windows users have to exist on the Unix computer with the same password, the same goes for groups.
There is nothing for winbind to pull from, so there is no need to use it or any of the winbind lines in samba, this includes the idmap lines. You can, however, map windows groups to Unix groups with the 'net groupadd' command.
Rowland
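An added illustration of the reply above (not part of the original thread and not Samba's own code): a small Python check that reads the [global] section of an smb.conf and lists the idmap and winbind lines that the reply says are not needed when `server role = standalone`. The function names and the shortened sample config are constructed for this example, and the name normalisation (lowercase, collapsed whitespace) is a simplification made here.

```python
import re

# Constructed sample: a shortened form of the [global] section posted above.
SAMPLE_SMB_CONF = """\
[global]
    server max protocol = SMB2_24
    map to guest = Bad User
    idmap config *:backend = tdb
    idmap config *:range = 90000000-100000000
    server role = standalone
    workgroup = WORKGROUP
    security = user
"""


def parse_global(text):
    """Return (line_no, name, value) for every parameter in [global]."""
    params, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                              # start of a new section
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Assumption for this example: compare names in lowercase
            # with runs of whitespace collapsed to one space.
            name = " ".join(name.lower().split())
            params.append((line_no, name, value.strip()))
    return params


def unneeded_on_standalone(text):
    """List (line_no, name) of idmap/winbind lines on a standalone server."""
    params = parse_global(text)
    role = next((v.lower() for _, n, v in params if n == "server role"), None)
    if role != "standalone":                    # only the case discussed here
        return []
    return [(line_no, name) for line_no, name, _ in params
            if name.startswith(("idmap ", "winbind "))]


if __name__ == "__main__":
    for line_no, name in unneeded_on_standalone(SAMPLE_SMB_CONF):
        print(f"line {line_no}: '{name}' is not needed on a standalone server")
```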