Hi Roland,
We use vasd in /etc/nsswitch.conf. Vasd did the AD join, and we share the
keytab. For Mike, he will use NIS. Neither of us needs AD users to log in to Linux
using nsswitch.
The UID and GID come from vasd for me and from NIS for Mike. When someone
connects to a samba share, samba authenticates the user. The username map
script now strips the domain and uses the remaining user name to get the UID and GID. Works well.
Here is my smb.conf
[global]
min protocol = SMB3
max protocol = SMB3
create krb5 conf = no
server string = %h server (Samba, Ubuntu)
dns proxy = no
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10000
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = no
guest account = nobody
restrict anonymous = 1
workgroup = MEA
realm = MEA.QUALCOMM.COM
security = ads
domain master = no
domain logons = no
machine password timeout = 0
kerberos method = dedicated keytab
dedicated keytab file = /etc/opt/quest/vas/host.keytab
username map script = /etc/samba/usermap.sh
idmap uid = 100-2147483647
idmap gid = 100-2147483647
template shell = /bin/bash
winbind use default domain = No
winbind nested groups = No
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Monday, November 17, 2025 9:59 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help
On Mon, 17 Nov 2025 19:14:49 +0000
Eric Gurevitz via samba <samba at lists.samba.org> wrote:
> Mike,
>
> I run a very similar setup. I see a few things missing. Where is your
> AD info for the join to the domain? In /etc/nsswitch.conf there is no
> need for winbind if you are not going to use AD for auth on Linux.
You need winbind for authentication if you are running Samba as a Unix domain
member.
> I only use AD to authenticate the users coming in via samba and then
> Linux UID and GID determine the access.
Where do get the UID & GIDs from ?
>
> If you want samba to use Linux UID and GID, I use a user map script:
>
> username map script = /etc/samba/usermap.sh
Ah, there, next question, WHY ?
>
> cat /etc/samba/usermap.sh
> #!/bin/bash
> # Samba passes the incoming user name as the only argument and reads
> # the mapped name from stdout.
> ACCOUNTNAME="$1"
> # Drop everything up to and including the last backslash (DOMAIN\user -> user).
> echo "${ACCOUNTNAME}" | sed -e 's/[^\\]*\\//'
> exit 0
I use the 'rid' idmap backend and I just use Samba (with winbind) and
Unix knows who I am:
getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
No usermap!
>
> Last time I sent the info, Roland here told me this. I have not tried
> this. 'winbind use default domain = yes' in your smb.conf, it will
> give you the same effect as your script.
Yes 'winbind use default domain = yes' will remove the NetBIOS domain
name from the username, but it is only usable with a single domain setup.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
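Added example, not code from the thread or from the Samba project: a variant of the usermap.sh quoted above that strips the NetBIOS domain only when it is the expected one and leaves any other name untouched. It addresses Rowland's point that 'winbind use default domain = yes' is only usable with a single domain; the sed in usermap.sh has the same limitation, because it removes whatever precedes the last backslash regardless of which domain it names, so a user from a trusted domain would be collapsed onto the local account of the same short name. The domain MEA is taken from the smb.conf above; the USERMAP_DOMAIN environment variable is an assumption introduced here.

```shell
#!/bin/sh
# Added example, not the script from the thread. Samba runs
# 'username map script' with one argument, the incoming user name, and
# takes the mapped name from stdout. This version only strips the
# expected domain; anything else is passed through unchanged.
#
# Assumption (not from the thread): the expected domain defaults to the
# workgroup MEA and can be overridden with USERMAP_DOMAIN.
EXPECTED_DOMAIN="${USERMAP_DOMAIN:-MEA}"

# Upper-case a string portably (NetBIOS domain names are case-insensitive).
upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# map_user NAME -> prints the Unix user name to use for NAME.
#   MEA\eric   -> eric
#   mea\eric   -> eric
#   OTHER\eric -> OTHER\eric  (left alone, so it cannot collide with a
#                              local account called eric)
#   eric       -> eric
map_user() {
    name="$1"
    case "$name" in
        *\\*)
            domain="${name%%\\*}"   # text before the first backslash
            short="${name#*\\}"     # text after the first backslash
            if [ "$(upper "$domain")" = "$(upper "$EXPECTED_DOMAIN")" ]; then
                printf '%s\n' "$short"
            else
                printf '%s\n' "$name"
            fi
            ;;
        *)
            printf '%s\n' "$name"
            ;;
    esac
}

# When invoked by Samba there is exactly one argument; with none (for
# example when the file is sourced for testing) nothing is printed.
if [ "$#" -gt 0 ]; then
    map_user "$1"
fi
```

Because smbd executes this script itself, keep it owned by root and not writable by anyone else, as with the original usermap.sh. Check the mapping by hand with something like `sh /etc/samba/usermap.sh 'MEA\eric'` before pointing 'username map script' at it.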