Hi Everyone,

I've been using Samba at my place of work for over 20 years, never had an issue and it's always worked great. I've used both the built-in packages from Red Hat and also compiled from source. Our current production server is running 4.7.7, compiled from source. We are in the process of moving our "unix home directory" server to newer hardware and operating system so we want to use the latest version of Samba. We realized during the install that Winbind is now required and we have had nothing but trouble getting it to work correctly. We are not running a domain controller with Samba, just as a domain member so our Windows users can mount shares off of our Linux servers, Unix home directories, etc.

My current test environment is Red Hat Enterprise 9.7 (Plow) and Red Hat Samba packages 4.22.4-6. My active directory server is Windows Server 2019.

testparm reports no errors and my server role as: ROLE_DOMAIN_MEMBER
wbinfo -u and wbinfo -g display back my users and groups
getent passwd <user> displays my passwd entry

Everything appears to be normal, until I try and mount my Unix home directory; it then asks me for my username and password. It shouldn't do this, but even if I enter the correct name/pass combo it fails and will not mount the share. Also, we need Samba to map to the Unix UID and GID, not what is in the Windows server active directory for each user. Thank you for any help that can be provided. Sorry for the long post.

Info from various log files:

[2025/11/17 12:54:40.982925,  0] ../../source3/auth/auth_util.c:1945(check_account)
  check_account: Failed to convert SID S-1-5-21-3094983005-3443631508-768506439-1116 to a UID (dom_user[MYDOM\mhobbs])

[2025/11/17 12:54:50.246842,  5] ../../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mhobbs]!

[2025/11/17 12:44:33.204773,  2] ../../source3/auth/token_util.c:758(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?

[2025/11/17 12:44:26.636954,  1, traceid=1] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
  ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such file or directory

[2025/11/17 12:44:33.203891,  1, traceid=7] ../../source3/winbindd/idmap_tdb_common.c:65(idmap_tdb_common_allocate_id_action)
  Fatal Error: GID range full!! (max: 499999)
(the above error is odd because no matter what range of numbers I use, it tells me the range is full)

My /etc/nsswitch.conf (yes we still use NIS, I know, it's old)
group:      files nis systemd winbind
passwd:     files nis systemd winbind

My smb.conf file:

# Global parameters
[global]
acl allow execute always = true
case sensitive = auto
cups encrypt = auto
deadtime = 15
dont descend = /proc,/dev
#encrypt passwords = yes
enhanced browsing = no
force unknown acl user = yes
hide dot files = yes
hide special files = yes
hosts allow = 127.0.0.1 x.x.x.x/19
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
lock dir = /var/lib/samba/lock
log level = 5
log file = /var/log/samba/log.%m
log writeable files on exit = yes
map archive = no
max log size = 1000
netbios name = SERVERHOSTNAME
preserve case = yes
printing = CUPS
read raw = yes
realm = MY.WINDOWS.DOMAIN
security = ADS
server string = myserver Samba Server %v
strict locking = no
unix extensions = no
use sendfile = yes
username map = /etc/samba/users.map
wide links = yes
winbind use default domain = yes
winbind refresh tickets = yes
workgroup = MYWINDOMAIN
write raw = yes

[homes]
        comment = Home Directories
        read only = No
        create mask = 0600
        directory mask = 0700
        force create mode = 0600
        force directory mode = 0700
        browseable = No
        path = /homes/%S
        wide links = yes
        map archive = no
        hide dot files = yes
        strict locking = no
        use sendfile = yes

[tmp]
        path=/u/tmp
        read only = No
        comment = Temp storage location
        wide links = yes
        map archive = no
        hide dot files = no
        strict locking = no
        use sendfile = yes

[admin]
        path = /u/admin
        write list = @sys-users
        comment = Admin Tree
        wide links = yes
        map archive = no
        hide dot files = yes
        strict locking = no
        use sendfile = yes
On Mon, 17 Nov 2025 13:30:46 -0500 Mike Hobbs via samba <samba at lists.samba.org> wrote:
> [...]

Let's start by discussing these lines:

workgroup = MYWINDOMAIN
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999

Do you have two domains? If you do not and want Samba to map your users & groups from the RID, then I would expect idmap config lines something like these:

idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config MYWINDOMAIN : backend = rid
idmap config MYWINDOMAIN : range = 10000 - 9999999

NOTE: you will probably have to run 'net cache flush' after you change the smb.conf and restart Samba.

I would also suggest you do two things:
1) open a copy of the smb.conf manpage (man smb.conf) in a terminal and read about the other parameters you are using, there are others that you could remove.
2) Turn NIS off, it is dead and you very probably do not need it.

Rowland
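The following is an added example written for this thread; it is not code from the Samba project or from anyone posting here. It checks an idmap layout the way a practitioner would before restarting winbind: it parses the `idmap config` lines, verifies that a block exists for the workgroup and that no ranges overlap, predicts the Unix ID the rid backend would assign (using the formula from idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0), and ties the "range full (max: N)" number in the log back to the block that owns it. The tdb backend allocates IDs on first use, so its results are not predicted here. The two config fragments and the two log lines are constructed from the ones posted above; the function names are this example's own.

```python
"""Sanity-check Samba idmap ranges against the numbers winbind logs.

Added example for the thread above, not Samba project code.  Models only
the deterministic part of the mapping (idmap_rid arithmetic) and the range
layout; tdb allocation is not modelled.  Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

IDMAP_RE = re.compile(r"^\s*idmap config\s*(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
UNMAPPED_RE = re.compile(r"Failed to convert SID (S-1-5-21-[\d-]+) to a UID")
RANGE_FULL_RE = re.compile(r"(?:UID|GID) range full!! \(max: (\d+)\)")


@dataclass
class IdmapRange:
    domain: str        # "*" or the domain name as written in smb.conf, upper-cased
    backend: str
    low: int
    high: int
    base_rid: int = 0  # idmap_rid option; 0 unless set


def parse_idmap(conf: str) -> dict[str, IdmapRange]:
    """Collect every 'idmap config <dom> : <key> = <value>' line into one range per domain."""
    opts: dict[str, dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            opts.setdefault(dom, {})[key] = val
    ranges = {}
    for dom, o in opts.items():
        low, high = (int(x) for x in o["range"].split("-"))
        ranges[dom] = IdmapRange(dom, o.get("backend", "tdb").lower(), low, high,
                                 int(o.get("base_rid", 0)))
    return ranges


def check_layout(ranges: dict[str, IdmapRange], workgroup: str) -> list[str]:
    """Return layout problems (empty list means the layout is sane)."""
    problems = []
    if "*" not in ranges:
        problems.append("no 'idmap config *' default block")
    if workgroup.upper() not in ranges:
        problems.append(f"no idmap block named {workgroup}: its SIDs fall through to the '*' block")
    by_low = sorted(ranges.values(), key=lambda r: r.low)
    for r in by_low:
        if r.low >= r.high:
            problems.append(f"{r.domain}: range {r.low}-{r.high} is empty")
    for a, b in zip(by_low, by_low[1:]):   # ranges must not overlap
        if b.low <= a.high:
            problems.append(f"{a.domain} and {b.domain} overlap ({b.low} <= {a.high})")
    return problems


def rid_to_id(sid: str, domain: str, ranges: dict[str, IdmapRange]):
    """Predict the Unix ID the rid backend gives SID, or None when it is not predictable."""
    r = ranges.get(domain.upper())
    m = SID_RE.match(sid)
    if r is None or r.backend != "rid" or m is None:
        return None                         # tdb/unknown backend: allocated at runtime
    uid = int(m.group(1)) - r.base_rid + r.low
    return uid if r.low <= uid <= r.high else None


def triage_log(log: str, ranges: dict[str, IdmapRange]) -> list[tuple]:
    """Extract mapping failures from smbd/winbind log lines and name the range they hit."""
    findings = []
    for line in log.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            findings.append(("sid_unmapped", m.group(1)))
        m = RANGE_FULL_RE.search(line)
        if m:
            top = int(m.group(1))
            owner = next((r.domain for r in ranges.values() if r.high == top), None)
            findings.append(("range_full", owner))
    return findings


# Constructed from the thread: the posted config and the suggested replacement.
POSTED_CONF = """\
workgroup = MYWINDOMAIN
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
"""
SUGGESTED_CONF = """\
workgroup = MYWINDOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config MYWINDOMAIN : backend = rid
idmap config MYWINDOMAIN : range = 10000 - 9999999
"""
# Constructed log excerpt: the two relevant lines from the post, shortened.
LOG = """\
check_account: Failed to convert SID S-1-5-21-3094983005-3443631508-768506439-1116 to a UID (dom_user[MYDOM\\mhobbs])
Fatal Error: GID range full!! (max: 499999)
"""
USER_SID = "S-1-5-21-3094983005-3443631508-768506439-1116"

if __name__ == "__main__":
    posted, suggested = parse_idmap(POSTED_CONF), parse_idmap(SUGGESTED_CONF)
    print("posted layout   :", check_layout(posted, "MYWINDOMAIN"))
    print("log findings    :", triage_log(LOG, posted))
    print("suggested layout:", check_layout(suggested, "MYWINDOMAIN"))
    print("rid mapping     :", USER_SID, "->", rid_to_id(USER_SID, "MYWINDOMAIN", suggested))
```

Run as a script it reports that the posted layout has no block named after the workgroup, that the logged max of 499999 is the top of the '*' block, that the suggested layout has no problems, and that with a rid block starting at 10000 the posted SID (RID 1116) maps to 11116.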
Mike,
I run a very similar setup. I see a few things missing. Where is your AD info
for the join to the domain?
In /etc/nsswitch.conf there is no need for winbind if you are not going to use
AD for auth on Linux. I only use AD to authenticate the users coming in via
samba and then Linux UID and GID determine the access.
If you want samba to use Linux UID and GID, I use a user map script:
username map script = /etc/samba/usermap.sh
cat /etc/samba/usermap.sh
#!/bin/bash
# smbd runs this with the incoming account name (e.g. MYDOM\mhobbs) as $1;
# whatever is printed becomes the Unix user name Samba looks up.
ACCOUNTNAME="$1"
# Drop everything up to and including the first backslash, so
# "MYDOM\mhobbs" becomes "mhobbs"; a name with no backslash is echoed unchanged.
echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
exit 0
Last time I sent the info, Rowland here told me this. I have not tried this.
'winbind use default domain = yes' in your smb.conf, it will give you
the same effect as your script.
Eric
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Mike Hobbs via
samba
Sent: Monday, November 17, 2025 8:31 PM
To: samba at lists.samba.org
Subject: [Samba] Samba + Winbind help
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba