On Mon, 17 Nov 2025 13:30:46 -0500
Mike Hobbs via samba <samba at lists.samba.org> wrote:
> Hi Everyone,
>
> I've been using Samba at my place of work for over 20 years, never
> had an issue and it's always worked great. I've used both the
> built-in packages from Red Hat and also compiled from source. Our
> current production server is running 4.7.7, compiled from source. We
> are in the process of moving our "unix home directory" server to
> newer hardware and operating system so we want to use the latest
> version of Samba. We realized during the install that Winbind is now
> required and we have had nothing but trouble getting it to work
> correctly. We are not running a domain controller with Samba, just
> as a domain member so our Windows users can mount shares off of our
> Linux servers, Unix home directories, etc.
>
> My current test environment is Red Hat Enterprise 9.7 (Plow) and Red
> Hat Samba packages 4.22.4-6. My active directory server is Windows
> Server 2019.
>
> testparm reports no errors and my server role as: ROLE_DOMAIN_MEMBER
> wbinfo -u and wbinfo -g display back my users and groups
> getent passwd <user> displays my passwd entry
>
> Everything appears to be normal, until I try and mount my Unix home
> directory it then asks me for my username and password, it shouldn't
> do this, but even if I enter the correct name/pass combo it fails and
> will not mount the share. Also, we need Samba to map to the Unix UID
> and GID, not what is in the Windows server active directory for each
> user. Thank you for any help that can be provided. Sorry for the
> long post.
>
> Info from various log files:
>
> [2025/11/17 12:54:40.982925,  0]
> ../../source3/auth/auth_util.c:1945(check_account)
>   check_account: Failed to convert SID
> S-1-5-21-3094983005-3443631508-768506439-1116 to a UID
> (dom_user[MYDOM\mhobbs])
>
> [2025/11/17 12:54:50.246842,  5]
> ../../source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [MYDOM\mhobbs]!
>
> [2025/11/17 12:44:33.204773,  2]
> ../../source3/auth/token_util.c:758(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Users group! Can Winbind
> allocate gids?
>
> [2025/11/17 12:44:26.636954,  1, traceid=1]
> ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug)
>   ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb'
> with backend 'tdb': Unable to open tdb
> '/var/lib/samba/private/secrets.ldb': No such file or directory
>
> [2025/11/17 12:44:33.203891,  1, traceid=7]
> ../../source3/winbindd/idmap_tdb_common.c:65(idmap_tdb_common_allocate_id_action)
>   Fatal Error: GID range full!! (max: 499999)
> (the above error is odd because no matter what range of numbers I
> use, it tells me the range is full)
>
> My /etc/nsswitch.conf (yes we still use NIS, I know, it's old)
> group:      files nis systemd winbind
> passwd:     files nis systemd winbind
>
> My smb.conf file:
>
> # Global parameters
> [global]
> acl allow execute always = true
> case sensitive = auto
> cups encrypt = auto
> deadtime = 15
> dont descend = /proc,/dev
> #encrypt passwords = yes
> enhanced browsing = no
> force unknown acl user = yes
> hide dot files = yes
> hide special files = yes
> hosts allow = 127.0.0.1 x.x.x.x/19
> idmap config server1.my.domain : backend = tdb
> idmap config server1.my.domain : range = 500000 - 1000000
> idmap config server2.my.domain : backend = tdb
> idmap config server2.my.domain: range = 1000001 - 1999999
> idmap config * : backend = tdb
> idmap config * : range = 10000 - 499999
> lock dir = /var/lib/samba/lock
> log level = 5
> log file = /var/log/samba/log.%m
> log writeable files on exit = yes
> map archive = no
> max log size = 1000
> netbios name = SERVERHOSTNAME
> preserve case = yes
> printing = CUPS
> read raw = yes
> realm = MY.WINDOWS.DOMAIN
> security = ADS
> server string = myserver Samba Server %v
> strict locking = no
> unix extensions = no
> use sendfile = yes
> username map = /etc/samba/users.map
> wide links = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> workgroup = MYWINDOMAIN
> write raw = yes
>
> [homes]
>         comment = Home Directories
>         read only = No
>         create mask = 0600
>         directory mask = 0700
>         force create mode = 0600
>         force directory mode = 0700
>         browseable = No
>         path = /homes/%S
>         wide links = yes
>         map archive = no
>         hide dot files = yes
>         strict locking = no
>         use sendfile = yes
>
> [tmp]
>         path = /u/tmp
>         read only = No
>         comment = Temp storage location
>         wide links = yes
>         map archive = no
>         hide dot files = no
>         strict locking = no
>         use sendfile = yes
>
> [admin]
>         path = /u/admin
>         write list = @sys-users
>         comment = Admin Tree
>         wide links = yes
>         map archive = no
>         hide dot files = yes
>         strict locking = no
>         use sendfile = yes
>
>
Let's start by discussing these lines:
workgroup = MYWINDOMAIN
idmap config * : backend = tdb
idmap config * : range = 10000 - 499999
idmap config server1.my.domain : backend = tdb
idmap config server1.my.domain : range = 500000 - 1000000
idmap config server2.my.domain : backend = tdb
idmap config server2.my.domain: range = 1000001 - 1999999
Do you have two domains ?
If you do not and want Samba to map your users & groups from the RID,
then I would expect idmap config lines something like these:
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config MYWINDOMAIN : backend = rid
idmap config MYWINDOMAIN : range = 10000 - 9999999
NOTE: you will probably have to run 'net cache flush' after you have
changed the smb.conf and restarted Samba.
I would also suggest you do two things:
1) open a copy of the smb.conf manpage (man smb.conf) in a terminal and
read about the other parameters you are using; there are others that
you could remove.
2) Turn NIS off; it is dead and you very probably do not need it.
Rowland
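As an added example (not part of the thread, not Samba's own code), a small Python checker for the idmap lines Rowland is discussing: it parses them out of smb.conf text, flags a workgroup that has no idmap block of its own (the situation in the original config, where only server1/server2 have blocks) and overlapping ranges, and applies the idmap_rid rule from the idmap_rid manpage, ID = RID - BASE_RID + LOW_RANGE_ID, to the SID that appears in the check_account log line. The smb.conf text embedded below is constructed from Rowland's suggested layout.

```python
import re

# Constructed smb.conf fragment laid out as Rowland suggests; the workgroup
# and ranges are the values from the thread.
SUGGESTED_SMB_CONF = """[global]
workgroup = MYWINDOMAIN
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config MYWINDOMAIN : backend = rid
idmap config MYWINDOMAIN : range = 10000 - 9999999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {'backend': str, 'range': (low, high)}})."""
    workgroup, cfg = None, {}
    for line in conf.splitlines():
        if w := WORKGROUP_RE.match(line):
            workgroup = w.group(1)
        elif m := IDMAP_RE.match(line):
            dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":  # "10000 - 9999999" -> (10000, 9999999)
                val = tuple(int(x) for x in val.replace(" ", "").split("-"))
            cfg.setdefault(dom, {})[key] = val.lower() if key == "backend" else val
    return workgroup, cfg

def check_idmap(workgroup, cfg):
    """Problems: no '*' default, workgroup unmapped, domain without range, overlaps."""
    problems = []
    if "*" not in cfg:
        problems.append("no 'idmap config *' default block")
    if workgroup and workgroup not in cfg:
        problems.append(f"workgroup {workgroup} has no idmap config of its own")
    problems += [f"{d}: no range" for d, e in cfg.items() if "range" not in e]
    ranges = sorted((e["range"], d) for d, e in cfg.items() if "range" in e)
    for (r1, d1), (r2, d2) in zip(ranges, ranges[1:]):
        if r2[0] <= r1[1]:  # next range starts before the previous one ends
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(cfg, domain, sid, base_rid=0):
    """idmap_rid rule ID = RID - BASE_RID + LOW_RANGE_ID; None if not rid-mapped or out of range."""
    entry = cfg.get(domain, {})
    if entry.get("backend") != "rid" or "range" not in entry:
        return None
    low, high = entry["range"]
    unix_id = int(sid.rsplit("-", 1)[1]) - base_rid + low
    return unix_id if low <= unix_id <= high else None
```

With the suggested ranges the logged SID (RID 1116) maps deterministically to UID 11116, which is the point of the rid backend: the same SID gives the same ID on every member server without an allocation table to fill up.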