At work we have a large mixed Windows, Solaris and Linux environment.
We have a couple of samba servers to provide access to various Linux shares from Office PCs. The current Samba servers are running on Scientific Linux 7 / Samba version 4.10.16. The current setup is very simple. No Winbind in use. User ID information is provided by NIS and Samba authentication is via Active Directory. The AD user simply maps to the relevant NIS user and everything works beautifully. However, these servers are used on a different part of the network and a need has arisen to create some new Samba servers. As Scientific Linux is end of life and due to the new support cycle of CentOS, we are moving towards Rocky Linux.
The new servers I am setting up are Rocky Linux 8 / Samba 4.15.5. It seems that the simple Samba only config is no longer supported. Whenever I try to connect without Winbind, authentication fails and I get numerous NT_STATUS_NO_LOGON_SERVERS errors along with various complaints about Winbind not running. I can get this working with Winbind enabled but it allocates UIDs from the range specified. This is not the behaviour I want. I want it to match the username to the user in NIS and use the NIS UID, e.g. someuser@pc.mycompany.com = someuser.
There just seems to be no way of achieving the old standalone Samba behaviour through Winbind. It all seems to be oriented around mapping SIDs to UIDs. I cannot find any documentation on this. I'm hoping there is a simple way to do this. So far, Winbind is an utter headache and I've found the documentation to be not very helpful.
Any help appreciated, thanks.
smb.conf is below:
Code:
# Global parameters
[global]
log level = 2 auth:5
workgroup = MYCOMPANY
REALM = PC.MYCOMPANY.COM
security = ads
server string = Samba Server Version %v
mangled names = no
strict locking = no
passdb backend = tdbsam
template shell=/bin/bash
min protocol = SMB3
idmap config PC.MYCOMPANY.COM : backend = nss
idmap config * : range = 1000-999999
; Following is to exclude the domain controller in azure, which we have seen to give us problems
password server = DC1.MYCOMPANY.COM,DC2.MYCOMPANY.COM
; Following to allow wide links and unix extensions
allow insecure wide links = yes
wide links = yes
debug level = 5
load printers = yes
cups options = raw
; Force signed SMB access
server signing = mandatory
; Disable any login with a non-user
map to guest = Never
; Disable recon potential
restrict anonymous = 2
; Prevent shares being accessed by non-user
usershare allow guests = no
guest ok = no
[share1]
[share2]
[share3]
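A check of the idmap lines in the smb.conf posted above, as an added example that is not part of the original thread or of Samba: it compares each `idmap config` domain with `workgroup`, because Samba's documentation keys those lines on the NetBIOS domain name, and it flags missing `backend`/`range` options and overlapping ranges. `LAYOUT` follows the layout of the example in the idmap_nss man page with assumed ranges; `parse_global` and `check_idmap` are hypothetical names.

```python
import re

# Constructed input: the idmap-related [global] lines from the posted smb.conf.
POSTED = """[global]
workgroup = MYCOMPANY
REALM = PC.MYCOMPANY.COM
idmap config PC.MYCOMPANY.COM : backend = nss
idmap config * : range = 1000-999999
"""
# Constructed input: layout of the idmap_nss(8) example; ranges are assumptions.
LAYOUT = """[global]
workgroup = MYCOMPANY
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYCOMPANY : backend = nss
idmap config MYCOMPANY : range = 1000-999999
"""
IDMAP_KEY = re.compile(r"idmap config\s+(\S+)\s*:\s*(\S+)$", re.I)

def parse_global(text):
    """Return ({option: value}, {domain: {idmap option: value}}) for [global]."""
    opts, idmap, section = {}, {}, "global"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                opts[key.lower()] = value
    return opts, idmap

def check_idmap(text):
    """Return findings on idmap domain names, missing options and range overlap."""
    opts, idmap = parse_global(text)
    workgroup, ranges, findings = opts.get("workgroup", "").upper(), {}, []
    for dom, cfg in idmap.items():
        if dom not in ("*", workgroup):
            findings.append(f"{dom}: not the workgroup name {workgroup}")
        for opt in ("backend", "range"):
            if opt not in cfg:
                findings.append(f"{dom}: no explicit {opt}")
        if "range" in cfg:
            ranges[dom] = tuple(int(n) for n in cfg["range"].split("-"))
    for a in ranges:
        for b in ranges:
            if a < b and ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ranges overlap")
    return findings
```

On the posted lines the check reports the realm used in place of the workgroup, no range for that domain, and no explicit backend for `*`; the `LAYOUT` sample produces no findings.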
The current setup is very simple. No Winbind in use. User ID information is provided by NIS and Samba authentication is via Active Directory. The AD user simply maps to the relevant NIS user and everything works beautifully. However, these servers are used on a different part of the network and a need has arisen to create some new Samba servers.
Without getting into any Winbind/NIS/AD config, perhaps this is the area that needs some focus?!?!? Am I understanding correctly that you're trying to recreate what you already have working smoothly on one network, just with a different OS/SAMBA versions??? Could it simply be an issue with SAMBA reaching out to NIS/AD on the original network? Perhaps you're going down the Winbind rabbit hole for no reason and driving yourself crazy in the process? Just a thought...
Last edited by JP3; 08-12-2022 at 10:38 PM.
Reason: fixed typo
The new servers I am setting up are Rocky Linux 8 / Samba 4.15.5. It seems that the simple Samba only config is no longer supported. Whenever I try to connect without Winbind, authentication fails and I get numerous NT_STATUS_NO_LOGON_SERVERS errors along with various complaints about Winbind not running.
I'm not experienced with using samba in a domain environment, so can only offer general advice here. Why were you attempting to run without winbind? In your samba config, you have
Hi. On our older Samba servers, we didn't need Winbind, it just worked and produced the desired behaviour. I compiled an earlier version of Samba, 4.10.18. Whilst this version DOES require Winbind, it does what I want. However my boss doesn't want to be stuck on an older version.
I'm a little bit confused as to what the backend = nss actually does. I was hoping this would produce the desired behaviour.
I can only point you to the documentation, (the main winbind backends are ad, autorid, and rid)... https://wiki.samba.org/index.php/Set..._idmap_backend
The nss backend (NOT mentioned above) is discussed as per the link I provided in post #3. It doesn't appear to be in common use these days. Hopefully others can comment further here.
Let's see if we can get a working config without winbind (not sure if that is viable), and providing the following requirement...
Quote:
I want it to match the username to the user in NIS and use the NIS UID, eg. someuser@pc.mycompany.com = someuser.