I feel like I’m so close to finished, but always one more thing. We have one server where we share a file system to MacOS users via Samba. Kerberos is configured and working just fine with direct logon, and the shared file systems via NFS work as intended. From the look of things, it’s the winbind service that’s tripping me up all of a sudden.
[2026/04/20 09:40:59.206746, 0] ../../source3/auth/auth_generic.c:128(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
I’ve never configured winbind on Linux before, and the winbind service doesn’t want to start. Problem is that the error isn’t very useful.
% systemctl status winbind
● winbind.service - Samba Winbind Daemon
Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2026-04-20 10:05:56 EDT; 2s ago
Docs: man:winbindd(8)
man:samba(7)
man:smb.conf(5)
Process: 4183676 ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS (code=exited, status=1/FAILURE)
Main PID: 4183676 (code=exited, status=1/FAILURE)
Status: "Starting process..."
Apr 20 10:05:56 hemlock winbindd[4183676]: [2026/04/20 10:05:56.077324, 0] ../../source3/winbindd/winbindd.c:1443(main)
Apr 20 10:05:56 hemlock winbindd[4183676]: winbindd version 4.19.4 started.
Apr 20 10:05:56 hemlock winbindd[4183676]: Copyright Andrew Tridgell and the Samba Team 1992-2023
Apr 20 10:05:56 hemlock winbindd[4183676]: [2026/04/20 10:05:56.087681, 0] ../../source3/winbindd/winbindd_util.c:1235(init_domain_list)
Apr 20 10:05:56 hemlock winbindd[4183676]: Could not fetch our SID - did we join?
Apr 20 10:05:56 hemlock winbindd[4183676]: [2026/04/20 10:05:56.087734, 0] ../../source3/winbindd/winbindd.c:1178(winbindd_register_handlers)
Apr 20 10:05:56 hemlock winbindd[4183676]: unable to initialize domain list
Apr 20 10:05:56 hemlock systemd[1]: winbind.service: Main process exited, code=exited, status=1/FAILURE
Apr 20 10:05:56 hemlock systemd[1]: winbind.service: Failed with result 'exit-code'.
Apr 20 10:05:56 hemlock systemd[1]: Failed to start Samba Winbind Daemon.
Not quite sure what I still need to configure here to get it working. Any guidance would be useful.
I should add that there is some additional odd behavior. I can confirm I have a current Kerberos ticket. But when I try to connect, it asks me for my password. If I enter it, it fails AND destroys my Kerberos ticket. Not that I don’t mind if that’s a security thing. But we need this to function.
How are you running Samba? That is, are you running the smbd daemon as well as trying to start winbind?
What does 'testparm -s' output?
Never needed to run winbind before with our smbd daemon.
% testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
kerberos encryption types = strong
kerberos method = system keytab
load printers = No
log file = /var/log/samba/%m.log
realm = LCP.NRL.NAVY.MIL
security = ADS
server min protocol = SMB2
server signing = required
idmap config * : backend = tdb
acl map full control = No
map archive = No
vfs objects = fileid
[lcpscratch]
case sensitive = Yes
path = /export/lcpscratch
read only = No
vfs objects = catia fruit streams_xattr
fruit:encoding = native
fruit:locking = netatalk
fruit:metadata = netatalk
fruit:resource = file
I do not run freeipa; I normally run Samba as an AD DC or Unix domain member, but I understand it is much the same.
If you set up the smb.conf with ‘security = ADS’, then since Samba 4.8.0 you must also run winbindd.
Your problem is a bit obvious, you do not have any ‘idmap config’ lines. Before we go any further:
Is this going to just share SMB data?
Do you have any uidNumber & gidNumber attributes in freeipa?
Is sssd running?
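The idmap complaint that testparm printed above ("idmap range not specified for domain '*'") can be reproduced with a small checker. This is an added example, not code from the thread or from Samba: it parses only the [global] section for `idmap config` lines, flags a domain whose backend has no range, rejects malformed or reversed ranges, and reports ranges of different domains that overlap. The embedded config is constructed to mirror the posted one; the share name and the range values are placeholders.

```python
import re
# Constructed sample mirroring the thread's [global]: the default domain '*'
# has a backend but no 'idmap config * : range', as testparm complained.
BROKEN_CONF = """
[global]
    idmap config * : backend = tdb
[scratch]
    path = /export/scratch
"""

# Same config with a default range added (the range values are placeholders).
FIXED_CONF = BROKEN_CONF.replace(
    "idmap config * : backend = tdb",
    "idmap config * : backend = tdb\n    idmap config * : range = 3000-7999")

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_settings(conf):
    """Collect 'idmap config DOMAIN : option = value' lines from [global] only."""
    domains, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP_RE.match(line) if section == "global" else None
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(conf):
    """Return problems found; an empty list means every idmap domain is usable."""
    problems, ranges = [], []
    domains = idmap_settings(conf)
    for dom, opts in domains.items():
        rng = opts.get("range")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng or "")
        if rng is None:  # the exact condition testparm reported in the thread
            problems.append(f"idmap range not specified for domain '{dom}'")
        elif not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"invalid idmap range '{rng}' for domain '{dom}'")
        else:
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()  # ranges of different domains must not overlap
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges of '{d1}' and '{d2}' overlap")
    return problems
```

Adding the range clears this particular testparm error only; the "Could not fetch our SID - did we join?" line in the winbindd log is a separate condition that this check does not cover.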
We haven’t used idmap configuration previously. Just sharing the one SMB folder. Yes, we have all the UID / GID and subUID / subGID stuff going in IPA, because it was needed.
Try reading this:
You also didn’t say if sssd was running. I ask because it is basically a wrapper around winbindd; you do not need both if this is just a Samba fileserver.
Also, this is the same configuration file for Samba that we used for the previous NIS+ implementation we had. Now that we’re migrated to IdM / LDAP, I just need to alter the configuration file to be able to use the new setup. So I’m looking for someone with experience in IdM to assist, not Samba. We know the Samba part works. It’s connecting it and working with IdM.
If you want to use Samba as a fileserver with ‘security = ADS’, then you need to run the smbd daemon for the fileserver part and winbind to talk to the directory server. In case you do not know this, Active Directory is an IDM.