TrueNAS Scale 25.10 / 26.04 - ActiveDirectory + RFC2307 problems

Hi,

After I upgraded my test system from 25.10.0.1 to 25.10.1/25.10.2, AD users disappeared. I even tested upgrading to the latest 26.04 build, with the same results. Everything worked just fine before the upgrade. wbinfo -u and -g can see users and groups, but getent passwd and group don’t. Using the RID backend is not an option, as users and groups have special UID and GID information in use. Any ideas how to get things back to work?

- Marko

We saw the same issue back when we first tested in early January, but haven’t had a lot of time to troubleshoot yet. A couple of clues we found back then:

During a failed getent, we see the following in log.winbindd (SIDs intentionally redacted):

[2026/01/05 13:29:14.763433,  1, traceid=15560] ../../source3/winbindd/wb_queryuser.c:129(wb_queryuser_got_uid)
  XID type is 0, should be ID_TYPE_UID or ID_TYPE_BOTH.
[2026/01/05 13:29:14.763505,  1, traceid=15560] ../../source3/winbindd/winbindd_getpwnam.c:146(winbindd_getpwnam_recv)
  Could not convert sid <sid redacted>: NT_STATUS_NO_SUCH_USER
[2026/01/05 13:31:18.423735,  1, traceid=15562] ../../source3/winbindd/wb_getgrsid.c:395(wb_getgrsid_recv)
  Failed with NT_STATUS_NONE_MAPPED.
[2026/01/05 13:31:18.423840,  1, traceid=15562] ../../source3/winbindd/winbindd_getgrnam.c:185(winbindd_getgrnam_recv)
  Could not convert sid <sid redacted>: NT_STATUS_NONE_MAPPED

If we join the domain from 25.10.1 and specify “enable_account_cache”: true, no users or groups are cached from AD. Under 25.10.0.1 and earlier, this caches our ~165k users and ~20k groups, which takes over an hour.

I honestly can’t remember right now whether we tried changing idmap to RID, which is an option in our environment.

I’m hoping to get time soon to dig into this more and will post what I find.

I had a little time to look at this today and traced it down to the “create krb5 conf” parameter. This is hard-set to False in the middleware since this pull #17708 in November 2025. (Looks like I can’t add a link to this)

You can change this “on the fly” by editing /etc/smb4.conf to change this parameter to True and then restarting winbind with systemctl restart winbind.service. But, be warned that this is not a permanent solution - the middleware will overwrite this whenever it touches the samba config.

Although the smb.conf man page indicates a configuration like this should work, it looks like idmap_ad doesn’t actually have a fallback to the system /etc/krb5.conf, so this won’t work with the config options the way TrueNAS sets them. Whether this is a samba bug or a TrueNAS implementation problem is debatable, but it looks like reverting to RID is going to be the only workable solution for this currently.

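Since the middleware can silently rewrite /etc/smb4.conf, the workaround from the post above needs a check that notices when it has been undone. This is an added example, not code from the thread or from TrueNAS; the function names `krb5_conf_setting` and `workaround_reverted` and the sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Report the [global] "create krb5 conf" value found in a Samba config file.
# Samba ignores case and whitespace inside section and parameter names, and
# booleans accept yes/true/on/1 and no/false/off/0. The last assignment wins.
krb5_conf_setting() {
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/ {                             # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            if (name != "createkrb5conf") next
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val ~ /^(yes|true|on|1)$/) result = "true"
            else if (val ~ /^(no|false|off|0)$/) result = "false"
            else result = "invalid"
        }
        END { if (result == "") result = "unset"; print result }
    ' "$1"
}

# Succeeds only when the file explicitly disables the parameter, which is the
# state the thread says the middleware writes.
workaround_reverted() {
    [ "$(krb5_conf_setting "$1")" = "false" ]
}

# Constructed sample: [global] as rewritten by the middleware, plus a share
# section whose identically named line must not be counted.
sample=$(mktemp)
printf '[global]\n\tworkgroup = EXAMPLE\n\tCreate KRB5 Conf = False\n[share]\n\tcreate krb5 conf = yes\n' > "$sample"
krb5_conf_setting "$sample"      # prints: false
if workaround_reverted "$sample"; then
    echo "workaround reverted: re-apply and restart winbind.service"
fi
rm -f "$sample"
```

On a live system, point `workaround_reverted` at /etc/smb4.conf from a timer or monitoring check.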

Thank you very much. That option change did the trick! I think I need to create a real ticket with development to get a permanent fix for this.

Edit: Created Jira


THANK YOU!! Worked for me.