Hi Roland,
Wow, big problem yesterday on a prod server. I installed updates on Rocky 9 and
got:
smbd --version
Version 4.21.3
I was unable to browse shares at \\server level. I would access at
\\server\share with no problems. It took me 6 hours of troubleshooting and
CoPilot AI gave me a clean smb.conf to try.
It worked! The difference was
username map script = /etc/samba/usermap.sh
was removed.
Adding it back broke browsing again. With more trial and error and CoPilot AI,
I found the problem was in the usermap.sh script.
I had to add
    # Handle machine accounts and 'nobody' (return unchanged)
    if [[ "$ACCOUNTNAME" =~ \$ || "$ACCOUNTNAME" =~ nobody ]]; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $ACCOUNTNAME (unchanged)" >> "$LOGFILE"
        echo "$ACCOUNTNAME"
        exit 1
    fi
for users
    # If DOMAIN\user format, strip domain
    if [[ "$ACCOUNTNAME" == *\\* ]]; then
        OUTPUT="${ACCOUNTNAME##*\\}"
        echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $OUTPUT" >> "$LOGFILE"
        echo "$OUTPUT"
        exit 0
    fi
Logging the output of usermap.sh shows these types need to come in and not be
changed, along with an exit 1:
Domain\PCNAME$
Or
SAMBA-SERVER-NAME\nobody
Why the recent change?
Using "winbind use default domain = yes" does not work. The issue is
UNIX groups. If I have a directory that only group VLSI can access, it will not
let me without the user map script.
Eric
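A complete, POSIX-sh version of this kind of username map script, added here as an illustration. It is not Eric's actual usermap.sh; the log path, the USERMAP_LOG variable and the sample names are assumptions. Samba runs the script with one argument (the name sent in the authentication request) and uses the first line it prints as the mapped name; a non-zero exit status leaves the name unchanged, which is what the exit 1 in the thread relies on. Unlike a regex test for the substring "nobody", the patterns here are anchored, so a real user whose name merely contains "nobody" is still mapped normally.

```shell
#!/bin/sh
# Added example of a "username map script" for smbd. Not the script from the thread.
# Contract: one argument in, mapped name on stdout, exit 0 = mapped, exit 1 = unchanged.
# The argument comes straight from the network, so every expansion is quoted and
# printf is used instead of echo (echo would interpret backslash sequences such as \n).

LOGFILE="${USERMAP_LOG:-/var/log/samba/usermap.log}"   # assumed path; override via USERMAP_LOG

# log_line MSG: append a timestamped line; logging problems must never break logins
log_line() {
    if touch "$LOGFILE" 2>/dev/null && [ -w "$LOGFILE" ]; then
        printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE"
    fi
}

# map_account NAME: print the mapped name; return 0 if mapped, 1 if left unchanged
map_account() {
    name="$1"
    case "$name" in
        *'$')
            # Machine account such as DOMAIN\PCNAME$: pass through untouched,
            # otherwise browsing the share list at \\server breaks.
            log_line "INPUT: $name OUTPUT: $name (unchanged, machine account)"
            printf '%s\n' "$name"
            return 1
            ;;
        nobody|*\\nobody)
            # The guest/"nobody" account, bare or prefixed with the server's NetBIOS name.
            # Anchored on purpose: a substring match would also catch e.g. "nobodyk".
            log_line "INPUT: $name OUTPUT: $name (unchanged, nobody)"
            printf '%s\n' "$name"
            return 1
            ;;
        *\\*)
            # DOMAIN\user: strip everything up to and including the last backslash
            mapped=${name##*\\}
            log_line "INPUT: $name OUTPUT: $mapped"
            printf '%s\n' "$mapped"
            return 0
            ;;
        *)
            # Plain user name: nothing to strip
            log_line "INPUT: $name OUTPUT: $name (unchanged)"
            printf '%s\n' "$name"
            return 1
            ;;
    esac
}

# When invoked by smbd (exactly one argument), map it and exit with that status.
if [ "$#" -eq 1 ]; then
    map_account "$1"
    exit $?
fi
```

Installed as /etc/samba/usermap.sh (chmod 0755, owned by root) and referenced with "username map script = /etc/samba/usermap.sh", the script can be tried by hand with names like 'NA\eric', 'NA\PCNAME$' and 'SAMBA-SERVER\nobody' and checking both the printed name and the exit status.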
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Tuesday, November 18, 2025 1:45 PM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help
On Tue, 18 Nov 2025 09:52:05 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:
> Hi Roland,
>
> Thanks for the reply. When I was at a startup, we would never pay for
> something we can do for free with OpenSource. Since joining the
> enterprise, things work differently. As you say, Linux is
> flexible. I agree that NIS is outdated and should not be used anymore.
>
> Given I must use vas for the domain join,
I have never used vas, what does it give you that Samba using 'net ads
join' doesn't?
> what should I change in
> smb.conf? We have multiple domains, so users accounts are in na, eu,
> mea, etc domains. The Linux pcs are joined to a domain in their
> region.
It sounds like each region uses its own dns domain i.e. the 'na' region
could be using something like ad.domain.na, but how different are the dns
domains? Are the clients set to use local DCs as the domain nameservers?
If the clients are using just one NetBIOS domain, then you could use the
'rid' idmap backend and a smb.conf similar to this:
[global]
workgroup = MEA
realm = MEA.QUALCOMM.COM
security = ADS
server string = %h server (Samba, Ubuntu)
dedicated keytab file = /etc/krb5.keytab
sync machine password to keytab = /etc/krb5.keytab:sync_spns:sync_kvno:machine_password
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
disable netbios = yes
dns proxy = no
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MEA : backend = rid
idmap config MEA : range = 10000-999999
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = Yes
log file = /var/log/samba/log.%m
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server min protocol = SMB3
That will give you something that your current setup doesn't: the UID &
GID created will be the same on every Unix domain member it is used on.
This is because they will be calculated from the object's RID and the low
'MEA' range set in the smb.conf (10000) e.g. the GID for Domain Users
will always be 10513. Your setup is using the 'tdb' backend and this is
an allocating backend (first come, first served) and hence the GID is highly
likely to be different on every one of your Linux machines.
Rowland
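An added illustration of the ID calculation Rowland describes for the 'rid' backend, not part of the thread and not Samba's code. The rid backend derives unix_id = low_range + RID and only maps SIDs belonging to the configured domain; an RID that would land above the high end of the range stays unmapped. The domain SID used below is a constructed placeholder, and the range values are the ones from the smb.conf above.

```shell
#!/bin/sh
# Added example: predict the Unix ID the rid idmap backend will hand out,
# and show the two ways a lookup comes back unmapped (foreign domain, RID past the range).

LOW=10000        # from "idmap config MEA : range = 10000-999999"
HIGH=999999
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"   # constructed placeholder domain SID

# rid_to_id SID: print the Unix ID for a SID of our domain; return 1 if unmapped
rid_to_id() {
    sid="$1"
    domain=${sid%-*}        # everything before the last dash is the domain SID
    rid=${sid##*-}          # the last component is the RID
    # The rid backend is per-domain: SIDs of other domains fall through to '*' (tdb).
    [ "$domain" = "$DOMAIN_SID" ] || return 1
    # Reject anything that is not a plain decimal RID before doing arithmetic on it.
    case "$rid" in ''|*[!0-9]*) return 1 ;; esac
    id=$((LOW + rid))
    # IDs beyond the configured range are not allocated; the object stays unmapped.
    [ "$id" -le "$HIGH" ] || return 1
    printf '%s\n' "$id"
}

# Stand-alone run: show the well-known groups and one out-of-range case.
if [ "$#" -eq 0 ] && [ -z "${SOURCED_FOR_TEST:-}" ]; then
    for rid in 512 513 514 990000; do
        if id=$(rid_to_id "$DOMAIN_SID-$rid"); then
            printf 'RID %-6s -> %s\n' "$rid" "$id"
        else
            printf 'RID %-6s -> unmapped (outside %s-%s)\n' "$rid" "$LOW" "$HIGH"
        fi
    done
fi
```

Because the result depends only on the RID and the range, every member server with the same idmap config produces the same GID for Domain Users (10513 here); with the tdb backend the number depends on the order in which each machine first saw the group.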
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba