Hi Rowland,
Sorry, I am used to hitting reply all. I also misspelled your name. Fixed both.
All we want is AD to authenticate the user and then let nsswitch handle UID and
GIDs.
Vas works by joining the domain with a keytab file. It then looks for AD attrs
for UNIX that were added to the user object:
uidNumber
gidNumber
gecos
homeDirectory
loginShell
Vas looks for UNIX group membership in an OU in AD. This all works perfectly in
Linux.
Use case:
On my Linux PC, we have /local/mnt/workspace where users work.
They want to access this as \\pc\workspace.
I log into Linux PC as gurevitz and my UID is 82629 and Linux knows all my
groups as it looks them up in an OU.
Now, from my Windows laptop, I log in as gurevitz and my account is in the
mea.qualcomm.com domain.
I connect to \\pc\workspace and the user map script maps mea\gurevitz to
gurevitz. Perfect, this is passed to vasd via /etc/nsswitch.conf.
My Linux PC now treats samba connections the same way as Linux logins. I am in
group VLSI and if the directory only allows VLSI members, both Linux access and
samba respect this.
Eric
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
via samba
Sent: Monday, December 1, 2025 11:53 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba + Winbind help
On Mon, 1 Dec 2025 08:16:30 +0000
Eric Gurevitz <gurevitz at qti.qualcomm.com> wrote:
> Hi Roland,
>
> Wow, big problem yesterday on a prod server. I installed updates on
> Rocky 9 and got:
>
> smbd --version
> Version 4.21.3
>
> I was unable to browse shares at \\server level. I would access at
> \\server\share with no problems. It took me 6 hours of
> troubleshooting and CoPilot AI gave me a clean smb.conf to try. It
> worked! The difference was username map script =
> /etc/samba/usermap.sh
>
> was removed.
>
> Adding it back, broke browsing again. With more trial and error and
> CoPilot AI, I found the problem was in the usermap.sh script. I had to
> add
>
> # Handle machine accounts and 'nobody' (return unchanged)
> if [[ "$ACCOUNTNAME" =~ \$ || "$ACCOUNTNAME" =~ nobody ]]; then
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $ACCOUNTNAME (unchanged)" >> "$LOGFILE"
>     echo "$ACCOUNTNAME"
>     exit 1
> fi
>
> For users:
> # If DOMAIN\user format, strip domain
> if [[ "$ACCOUNTNAME" == *\\* ]]; then
>     OUTPUT="${ACCOUNTNAME##*\\}"
>     echo "$(date '+%Y-%m-%d %H:%M:%S') OUTPUT: $OUTPUT" >> "$LOGFILE"
>     echo "$OUTPUT"
>     exit 0
> fi
>
> Logging the output of usermap.sh shows these types need to come in and
> not be changed, along with an exit 1: Domain\PCNAME$ or
> SAMBA-SERVER-NAME\nobody
>
> Why the recent change?
>
> Using "winbind use default domain = yes" does not work. The issue is
> UNIX groups. If I have a directory that only group VLSI can access, it
> will not let me without the user map script.
>
I do not think I can help you here.
You are using 'vas', something I have never really considered, because I
do not see the point to it. Without going too deep into it, it looks like it
doesn't give you anything that winbind doesn't, though I could be wrong.
You appear to be using a mixture of AD users & groups and local users &
groups, something that isn't, in my opinion, required. Samba can and will
turn AD users & groups into 'local' users and groups. If you have
users & groups in /etc/passwd & /etc/group, they will always take
precedence over users & groups with the same names in AD.
I run Samba as Unix domain members with the 'rid' idmap backend.
Apart from one 'emergency' local Unix user, all users & groups are
in AD, yet the local Unix machine knows them all.
Some examples:
getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash
Running <grep 'rowland' /etc/passwd> returns nothing.
I even have a local group:
getent group 'rowland'
rowland:x:11104:rowland
Running <grep 'rowland' /etc/group> returns nothing.
Finally, ask for the archetypal AD group:
getent group 'Domain Users'
domain users:x:10513:
Running <grep 'Domain Users' /etc/group> returns nothing.
Unless someone can show me just what 'vas' gives over winbind, I cannot
see the point in using it. I also cannot see the point in creating users &
groups locally on a Unix domain member, it sort of defeats the idea of central
management.
Rowland
PS: please do not 'CC' me, just reply to the list.
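As an added example (not code from either message on this list, and not Samba's or VAS's own code), here is a complete, self-contained version of the kind of username map script Eric describes. Samba calls the script with the incoming account name as its single argument, reads the one line printed on stdout as the mapped Unix name, and treats a non-zero exit status as "no mapping". Two assumptions differ from Eric's fragment: machine accounts are recognised by a trailing `$` rather than a `$` anywhere in the name, and `nobody` is matched as a whole name (optionally prefixed by `SERVER\`) rather than as a substring. The log file path is also an assumption; Eric's `$LOGFILE` value is not on the page. The mapping logic is kept in a function so it can be exercised without Samba.

```shell
#!/bin/bash
# Constructed example of a Samba 'username map script'. Samba passes the
# account name as $1, takes the single stdout line as the mapped name, and
# treats a non-zero exit as "leave the name unchanged".
#
# LOGFILE is an assumed default; Eric's script uses a $LOGFILE whose value
# is not shown in the thread.
LOGFILE="${LOGFILE:-/tmp/usermap.log}"

log() {
    # Append a timestamped line to the log. Never write to stdout here:
    # stdout is the mapping channel Samba reads.
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE" 2>/dev/null || true
}

# map_account NAME
#   Prints the Unix name to use and returns 0 if a mapping was applied,
#   or 1 if NAME must reach Samba unchanged (machine accounts, 'nobody',
#   and names that carry no DOMAIN\ prefix).
map_account() {
    local name="$1" mapped

    # Machine accounts end in '$' (e.g. MEA\PC1$) and 'nobody' is Samba's
    # guest account. Both must pass through untouched with exit status 1.
    # Assumption: a trailing '$' and a whole-word 'nobody' are the tests,
    # which is stricter than the '=~' substring regexes in Eric's fragment.
    case "$name" in
        *\$|nobody|*\\nobody)
            log "OUTPUT: $name (unchanged)"
            printf '%s\n' "$name"
            return 1
            ;;
    esac

    # DOMAIN\user -> user: strip everything up to the last backslash so the
    # name matches what nsswitch (vasd / winbind) knows the user as.
    case "$name" in
        *\\*)
            mapped="${name##*\\}"
            log "OUTPUT: $mapped"
            printf '%s\n' "$mapped"
            return 0
            ;;
    esac

    # No domain prefix: nothing to strip, tell Samba to use the name as-is.
    log "OUTPUT: $name (no domain prefix)"
    printf '%s\n' "$name"
    return 1
}

# When Samba invokes the script it supplies the account name as $1.
if [ "$#" -gt 0 ]; then
    map_account "$1"
    exit $?
fi
```

Wire it in with `username map script = /etc/samba/usermap.sh` in smb.conf, as in Eric's configuration, and keep the script non-writable by ordinary users: it runs under smbd for every incoming connection, so its integrity decides which Unix identity a remote caller is mapped to. Because everything except the mapped name goes to the log file, a stray `echo` or debug line cannot corrupt the mapping Samba reads.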