Hi Rowland,
Thanks for the reply. When I was at a startup, we would never pay for something
we can do for free with OpenSource. Since joining the enterprise, things work
differently. As you say, Linux is flexible.
I agree that NIS is outdated and should not be used anymore.
Given I must use vas for the domain join, what should I change in smb.conf? We
have multiple domains, so user accounts are in the na, eu, mea, etc. domains. The
Linux PCs are joined to a domain in their region.
Thanks for the excellent and quick support you give on this list!
Eric
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Tuesday, November 18, 2025 11:35 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help
On Tue, 18 Nov 2025 08:35:17 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:
> Hi Rowland,
>
> We use vasd in /etc/nsswitch.conf. Vasd did the AD join, and we share
> the keytab. For Mike, he will use NIS. Neither of us needs AD users to
> log in to Linux using nsswitch. The UID and GID come from vasd for me
> and from NIS for Mike.
While I can sort of understand why you would want to pay some entity for
something you could get for free, I cannot understand anyone who is still using
NIS, especially if that user is using RHEL. When they do finally get around to
upgrading to RHEL 10, they are in for a big shock, NIS has gone.
Remember that this is Linux and there are numerous ways of doing anything. If
you only want Linux users to log in to Linux, then you could make them all
members of a group and require membership of that group to log on.
> When someone connects to a samba share, samba authenticates the user.
> The username map script now strips the domain and has the user to get
> UID and GID. Works well.
Well yes and no.
In a single NetBIOS domain setup, 'winbind use default domain = yes'
will do what your username map script is doing.
There is a problem with your UIDs & GIDs, you are using the deprecated
'idmap uid' & 'idmap gid', which leads Samba to create these smb.conf
lines:

    idmap config * : backend = tdb
    idmap config * : range = 100-2147483647

This means that all your users and groups are ending up in the default domain.
I cannot recommend your setup to anyone.
Rowland
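
The idmap problem described in the message above, as an added example that is not part of the original thread: a small checker that reads the [global] section of an smb.conf and reports the deprecated 'idmap uid' / 'idmap gid' parameters and the absence of any per-domain 'idmap config' line. The function name `audit_idmap` and the sample file are constructed for illustration; the workgroup name NA is taken from the region names mentioned in the thread.

```python
import re

# Constructed sample, modelled on the settings discussed in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = NA
    security = ads
    idmap uid = 100-2147483647
    idmap gid = 100-2147483647
"""

DEPRECATED = {"idmapuid": "idmap uid", "idmapgid": "idmap gid"}
IDMAP_RE = re.compile(r"^idmapconfig(.+?):(backend|range)$")


def audit_idmap(conf_text):
    """Return a list of findings about the [global] idmap settings."""
    findings, domains, section = [], set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names
        key = re.sub(r"\s+", "", name).lower()
        if key in DEPRECATED:
            findings.append(f"deprecated '{DEPRECATED[key]}' = {value.strip()}: "
                            "becomes the range of the default domain '*'")
        m = IDMAP_RE.match(key)
        if m:
            domains.add(m.group(1))
    if not domains - {"*"}:
        findings.append("no per-domain 'idmap config' line: every user and "
                        "group is mapped in the default domain '*'")
    return findings


if __name__ == "__main__":
    for finding in audit_idmap(SAMPLE_SMB_CONF):
        print("-", finding)
```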