Rowland Penny
2023-Feb-17 22:28 UTC
[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running
On 17/02/2023 22:09, Bob Green via samba wrote:
> I need a CIFS server to provide access to Linux files to Windows clients. I
> am able to accomplish this on SLES12 SP5, running kernel-4.12.14, with
> samba 4.10.5 using the following smb.conf

I am surprised this worked with Samba 4.10.x

> [global]
> dedicated keytab file = /etc/samba/samba.keytab
> domain master = No
> kerberos method = dedicated keytab
> load printers = No
> local master = No
> ntlm auth = disabled
> os level = 0
> preferred master = No
> printcap name = dev/null
> realm = AD.DOMAIN.COM
> security = ADS
> show add printer wizard = No
> unix extensions = No
> workgroup = AD
> idmap config * : backend = tdb
> include = /etc/samba/smb.conf.shares
> inherit permissions = Yes
> invalid users = daemon root
>
> Winbind is not being run in this setup.

The need for winbind when Samba is run with 'security = ADS' in smb.conf came in at 4.8.0

> Clients connect via Kerberos
> authentication, and the data users can access is enforced by extended group
> file permissions, which the samba servers are configured to see via
> nsswitch.conf. The group information (gidNumber) does not exist in AD.
> samba.keytab contains cifs service principals for every samba server in a
> DNS cluster so that connecting via smbclient --use-krb5-ccache=KCM:1000 can
> be done against both the DNS round robin alias //samba.ad.domain.com as
> well as against each individual samba server in the DNS RR cluster, e.g.
> //samba_node_1 and //samba_node_2, etc.
>
> The above breaks when I try to move to SLES15 SP4, kernel 5.14.21,
> samba-4.15.8.
>
> Apparently winbind is required to be running. Once winbind is running,
> samba reports failing to convert SID XXXXX to a UID. It seems samba is
> unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.

Well it wouldn't, you need to add the 'idmap config' lines to your smb.conf, so winbind knows what to map the Windows users to.

> What smb.conf parameters should I consider in order to get samba-4.15.8
> working in a similar fashion as samba-4.10.5 on sles12sp5?

Start by reading this:

https://wiki.samba.org/index.php/Idmap_config_rid

Though other idmap backends are available.

Rowland
Bob Green
2023-Feb-18 00:20 UTC
[Samba] previous working smb.conf without winbind, now fails with samba 4.15.8 and winbind running
On Fri, Feb 17, 2023 at 2:29 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On 17/02/2023 22:09, Bob Green via samba wrote:
> > Apparently winbind is required to be running. Once winbind is running,
> > samba reports failing to convert SID XXXXX to a UID. It seems samba is
> > unable to offload uid/gid lookups to the kernel getpwent/getgrent functions.
>
> Well it wouldn't, you need to add the 'idmap config' lines to your
> smb.conf, so winbind knows what to map the Windows users to.
>
> > What smb.conf parameters should I consider in order to get samba-4.15.8
> > working in a similar fashion as samba-4.10.5 on sles12sp5?
>
> Start by reading this:
>
> https://wiki.samba.org/index.php/Idmap_config_rid
>
> Though other idmap backends are available.

idmap config rid will map my SID to a UID, but it's a different UID than what "getent passwd $USER" reports on the samba server. In my scenario most files being served by samba are created by Linux accounts, whose Linux group IDs are not rationalized in AD. I was hoping idmap_nss might "offload/ignore" the SID information, and that samba could simply map the Kerberos principal name in the authentication to what the samba server OS knows about the matching account name, including extended group membership, perhaps similar to how openssh or some other kerberized application might try to map a principal name to a local account. Can I configure samba to allow kerberized authentications while not having it attempt to do any uid or gid mapping? Perhaps I should try security = user or security = domain?
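As an added example, not from either poster, here is the [global] fragment with the 'idmap config' lines that winbind needs once 'security = ADS' is in use, showing the 'rid' backend from the linked wiki page beside the 'nss' backend Bob mentions. It assumes the workgroup AD and realm AD.DOMAIN.COM from the quoted smb.conf, and that the ID ranges given are placeholders to be adjusted to the server's real UID/GID allocation.

```ini
# Added example, not the posters' own smb.conf. Workgroup/realm are taken
# from the thread; the ranges are assumed placeholders.
[global]
        workgroup = AD
        realm = AD.DOMAIN.COM
        security = ADS
        kerberos method = dedicated keytab
        dedicated keytab file = /etc/samba/samba.keytab

        # Default backend for SIDs from any domain not listed below
        # (BUILTIN and well-known SIDs). 'tdb' allocates IDs on demand;
        # the range is mandatory and must not overlap any other range.
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        # Option A (what the linked wiki page describes): 'rid' derives
        # the UID/GID arithmetically from the SID's RID. Deterministic
        # across servers, but the result will not match the UIDs/GIDs of
        # pre-existing local accounts, so ownership and group ACLs on
        # files created by those accounts no longer line up.
        #idmap config AD : backend = rid
        #idmap config AD : range = 10000-999999

        # Option B: 'nss' resolves the Windows user or group name through
        # the server's NSS (getpwnam/getgrnam), so winbind returns exactly
        # the UID/GID that 'getent passwd $USER' reports, including local
        # supplementary group membership. Every local UID/GID that may be
        # mapped must fall inside the range; IDs outside it are refused.
        idmap config AD : backend = nss
        idmap config AD : range = 1000-999999
```

After restarting winbind, `wbinfo -n 'AD\user'` gives the account's SID and `wbinfo -S <that SID>` should return the same number as `id -u user` when the 'nss' mapping is in effect.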