Bob Green
2023-Feb-17 22:09 UTC
[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running
I need a CIFS server to provide access to Linux files to Windows clients. I am able to accomplish this on SLES12 SP5, running kernel-4.12.14, with samba 4.10.5 using the following smb.conf

[global]
dedicated keytab file = /etc/samba/samba.keytab
domain master = No
kerberos method = dedicated keytab
load printers = No
local master = No
ntlm auth = disabled
os level = 0
preferred master = No
printcap name = dev/null
realm = AD.DOMAIN.COM
security = ADS
show add printer wizard = No
unix extensions = No
workgroup = AD
idmap config * : backend = tdb
include = /etc/samba/smb.conf.shares
inherit permissions = Yes
invalid users = daemon root

Winbind is not being run in this setup. Clients connect via Kerberos authentication, and the data users can access is enforced by extended group file permissions, which the samba servers are configured to see via nsswitch.conf. The group information (gidNumber) does not exist in AD.

samba.keytab contains cifs service principals for every samba server in a DNS cluster so that connecting via smbclient --use-krb5-ccache=KCM:1000 can be done against both the DNS round robin alias //samba.ad.domain.com as well as against each individual samba server in the DNS RR cluster, e.g. //samba_node_1 and //samba_node_2, etc.

The above breaks when I try to move to SLES15 SP4, kernel 5.14.21, samba-4.15.8.

Apparently winbind is required to be running. Once winbind is running, samba reports failing to convert SID XXXXX to a UID. It seems samba is unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.

What smb.conf parameters should I consider in order to get samba-4.15.8 working in a similar fashion as samba-4.10.5 on sles12sp5?

Thank you
Rowland Penny
2023-Feb-17 22:28 UTC
[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running
On 17/02/2023 22:09, Bob Green via samba wrote:
> I need a CIFS server to provide access to Linux files to Windows clients. I
> am able to accomplish this on SLES12 SP5, running kernel-4.12.14, with
> samba 4.10.5 using the following smb.conf

I am surprised this worked with Samba 4.10.x

> [global]
> dedicated keytab file = /etc/samba/samba.keytab
> domain master = No
> kerberos method = dedicated keytab
> load printers = No
> local master = No
> ntlm auth = disabled
> os level = 0
> preferred master = No
> printcap name = dev/null
> realm = AD.DOMAIN.COM
> security = ADS
> show add printer wizard = No
> unix extensions = No
> workgroup = AD
> idmap config * : backend = tdb
> include = /etc/samba/smb.conf.shares
> inherit permissions = Yes
> invalid users = daemon root
>
> Winbind is not being run in this setup.

The need for winbind when Samba is run with 'security = ADS' in smb.conf came in at 4.8.0

> Clients connect via Kerberos
> authentication, and the data users can access is enforced by extended group
> file permissions, which the samba servers are configured to see via
> nsswitch.conf. The group information (gidNumber) does not exist in AD.
> samba.keytab contains cifs service principals for every samba server in a
> DNS cluster so that connecting via smbclient --use-krb5-ccache=KCM:1000 can
> be done against both the DNS round robin alias //samba.ad.domain.com as
> well as against each individual samba server in the DNS RR cluster, e.g.
> //samba_node_1 and //samba_node_2, etc.
>
> The above breaks when I try to move to SLES15 SP4, kernel 5.14.21,
> samba-4.15.8.
>
> Apparently winbind is required to be running. Once winbind is running,
> samba reports failing to convert SID XXXXX to a UID. It seems samba is
> unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.

Well it wouldn't, you need to add the 'idmap config' lines to your smb.conf, so winbind knows what to map the Windows users to.

> What smb.conf parameters should I consider in order to get samba-4.15.8
> working in a similar fashion as samba-4.10.5 on sles12sp5?

Start by reading this: https://wiki.samba.org/index.php/Idmap_config_rid

Though other idmap backends are available.

Rowland
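As an added example (not configuration from either post above), the lines below are the idmap part of a [global] section written along the lines Rowland points to, with the rid backend for the AD domain from the original poster's config (workgroup AD, realm AD.DOMAIN.COM). The two range values are assumptions chosen for illustration; they must not overlap each other and must not collide with uid/gid values already used by local accounts on the servers.

```ini
# Added example: idmap lines for the [global] section of the poster's smb.conf.
# Ranges are assumed values; adjust them to the local uid/gid layout.
[global]
   workgroup = AD
   realm = AD.DOMAIN.COM
   security = ADS
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/samba/samba.keytab

   # Default backend for SIDs outside the AD domain (e.g. BUILTIN).
   # winbind needs a range here; the poster's config had the backend but no range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The AD domain itself. rid is algorithmic (id = low end of range + RID),
   # so every node in the DNS round-robin cluster derives the same uid/gid for
   # a given SID as long as these lines are identical on all nodes; no shared
   # idmap database is needed, unlike an allocating backend such as tdb.
   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999
```

After restarting smb and winbind, `testparm -s` flags overlapping or missing ranges, `wbinfo -n 'AD\someuser'` returns the user's SID, `wbinfo -S <that SID>` shows the uid winbind now computes for it, and `getent passwd 'AD\someuser'` confirms the nsswitch.conf passwd line includes winbind (e.g. `passwd: files winbind`). If any of those fail, the SID-to-UID error in the original post will persist regardless of the share permissions.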