Your message dated Wed, 27 May 2026 14:58:01 +0200
with message-id <[email protected]>
and subject line close bug
has caused the Debian Bug report #1135081,
regarding samba: login brakes after upgrade to Version 4.22.8-Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135081: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135081
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: samba
Version: 2:4.22.8+dfsg-0+deb13u1
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Upgrade from samba Version 4.22.6 to Version 4.22.8
* What exactly did you do (or not do) that was effective (or
ineffective)?
update / upgrade
* What was the outcome of this action?
login manager seems to be losing the username:
Apr 27 13:07:34 r610pc01 gnome-shell[1568]: ActUserManager: user (null) has no
username (uid: -1)
Apr 27 13:07:34 r610pc01 gdm-password][2187]: accountsservice: ActUserManager:
user (null) has no username (uid: -1)
Apr 27 13:07:34 r610pc01 gdm-password][2187]:
pam_succeed_if(gdm-password:auth): requirement "user ingroup nopasswdlogin" not
met by user "brg.schueler"
Apr 27 13:07:37 r610pc01 gdm-password][2187]: pam_unix(gdm-password:auth):
check pass; user unknown
Apr 27 13:07:37 r610pc01 gdm-password][2187]: pam_unix(gdm-password:auth):
authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=
Apr 27 13:07:37 r610pc01 gdm-password][2187]: pam_winbind(gdm-password:auth):
getting password (0x00000388)
Apr 27 13:07:37 r610pc01 gdm-password][2187]: pam_winbind(gdm-password:auth):
pam_get_item returned a password
Apr 27 13:07:39 r610pc01 systemd[1]: systemd-localed.service: Deactivated
successfully.
Apr 27 13:07:39 r610pc01 systemd[1]: systemd-hostnamed.service: Deactivated
successfully.
Apr 27 13:07:43 r610pc01 gdm-password][2202]: accountsservice: ActUserManager:
user (null) has no username (uid: -1)
we tried to remove mdns4_minimal in line "hosts" in nsswitch.conf - without
access
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files systemd
gshadow: files systemd
hosts: files myhostname mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
we also tried upgrading samba on a working client, after that login brakes
* What outcome did you expect instead?
working login
*** End of the template - remove these template lines ***
-- Package-specific info:
* /etc/samba/smb.conf present, and attached
-- System Information:
Debian Release: 13.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.74+deb13+1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8),
LANGUAGE=de_AT:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages samba depends on:
ii init-system-helpers 1.69~deb13u1
ii libbsd0 0.12.2-2
ii libc6 2.41-12+deb13u2
ii libcups2t64 2.4.10-3+deb13u2
ii libdbus-1-3 1.16.2-2
ii libgnutls30t64 3.8.9-3+deb13u2
ii libldap2 2.6.10+dfsg-1
ii libldb2 2:2.11.0+samba4.22.8+dfsg-0+deb13u1
ii libpopt0 1.19+dfsg-2
ii libtalloc2 2:2.4.3+samba4.22.8+dfsg-0+deb13u1
ii libtasn1-6 4.20.0-2
ii libtdb1 2:1.4.13+samba4.22.8+dfsg-0+deb13u1
ii libtevent0t64 2:0.16.2+samba4.22.8+dfsg-0+deb13u1
ii libtirpc3t64 1.3.6+ds-1
ii liburing2 2.9-1
ii passwd 1:4.17.4-2
ii procps 2:4.0.4-9
ii samba-common 2:4.22.8+dfsg-0+deb13u1
ii samba-common-bin 2:4.22.8+dfsg-0+deb13u1
ii samba-libs [libndr6] 2:4.22.8+dfsg-0+deb13u1
Versions of packages samba recommends:
ii attr 1:2.5.2-3
ii python3-samba 2:4.22.8+dfsg-0+deb13u1
ii samba-ad-dc 2:4.22.8+dfsg-0+deb13u1
Versions of packages samba suggests:
pn ctdb <none>
pn samba-vfs-ceph <none>
pn samba-vfs-glusterfs <none>
pn ufw <none>
ii winbind 2:4.22.8+dfsg-0+deb13u1
-- no debconf information
[global]
workgroup = APP
security = ADS
realm = APP.TSN
# we MUST set winbind use default domain = yes
# to drop APP before username listed
# by winbindd to keep idmapd working for NFS4 & krb5
# APP\username instead username will break
# name -> uid -> name for idmapd
winbind use default domain = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Setting the default back end is mandatory.
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the APP domain
idmap config APP : backend = ad
idmap config APP : schema_mode = rfc2307
# we have to avoid the internal used range: 3 000 000 - 4 000 000
# and start with 5 000 000
# and end with: 2 147 483 647 = 2^31 - 1
# for uids created from IPs: 10.3.12.105 -> 2 003 012 105 have to stay
beyond 10.147. !
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
idmap config APP : range = 5000000-2147483647
idmap config APP : unix_nss_info = yes
idmap config APP : unix_primary_group = yes
# If you are creating a new smb.conf on an unjoined machine and add these
lines,
# a keytab will be created during the join:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# To disable printing completely, add these lines:
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
--- End Message ---
--- Begin Message ---
We could stop our breaking logins into Samba-AD, with fixing the start
dependencies for winbind.
It has to be ensured, that systemd starts winbindd after the network
is online.
Following steps will do this:
## create directory for override-file
/etc/systemd/system/winbind.service.d
## create file /etc/systemd/system/winbind.service.d/override.conf
## with following content
[Unit]
After=network-online.target
Wants=network-online.target
--- End Message ---
