OS: Ubuntu 20.04 with all patches applied
Samba + sssd + kerberos (no winbindd)
After upgrading samba to 4.13.14 shares are not accessible anymore.
Downgrading to 4.11.6 fixes it again.
Compared logs from a working and not working setup.
4.11.6 - WORKING
[2021/11/18 11:45:52.413922, 3] ../../auth/kerberos/kerberos_pac.c:411(kerberos_decode_pac)
Found account name from PAC: DIERCKXK [Koen Dierckx]
[2021/11/18 11:45:52.413936, 3] ../../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [DIERCKXK@VITO.LOCAL]
[2021/11/18 11:45:52.413964, 5] ../../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user VITO\DIERCKXK
4.13.14 - BROKEN
[2021/11/18 11:40:45.076365, 0] ../../source3/auth/auth_generic.c:125(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2021/11/18 11:40:45.076458, 3] ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx status[NT_STATUS_NO_LOGON_SERVERS] || at ../../source3/smbd/smb2_sesssetup.c:146
The best suggestion I can make is to run winbindd, but not configure it in nsswitch.conf. Presumably you have been using idmap_sss already, so it should work.
Make sure to get the patches from bug 14901.
The other workarounds will not be as good and involve the username map feature.
However the root (pardon the pun) issue that the AD username isn't a very trustworthy thing will remain unless a pure sid-based lookup is done.
The Samba Team announced in 4.8.0, in 2018, that domain member setups must use winbindd: https://www.samba.org/samba/history/samba-4.8.0.html
This means, as Andrew pointed out, that winbindd must be run but it is not necessary to be configured to provide identities for the system, SSSD can do that as well.
For more details on how Samba and SSSD interoperate and why winbindd is required, please look at the Red Hat Knowledge Article I wrote together with Thorsten Scherf: https://access.redhat.com/articles/4355391. It is accessible without any subscription or account requirement.
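A check for the layout the replies above describe (winbindd running for smbd, idmap_sss mapping IDs, NSS left to SSSD), added here as an example that is not part of the original thread or of Samba or SSSD. It assumes the `idmap config <DOMAIN> : backend = sss` form from the idmap_sss documentation and the usual Ubuntu file paths; the script name `check.sh` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify the layout the comments describe.
# smbd needs winbindd; idmap_sss maps IDs; NSS stays with SSSD.

# Print each domain whose smb.conf idmap backend is "sss" ("*" = default domain).
idmap_sss_domains() {   # $1 = path to smb.conf
    awk -F: 'tolower($0) ~ /^[ \t]*idmap config [^:]+:[ \t]*backend[ \t]*=[ \t]*sss[ \t]*$/ {
        d = $1
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", d)   # drop the two words "idmap config"
        sub(/[ \t]+$/, "", d)
        print d
    }' "$1"
}

# Succeed if database $2 (passwd, group) lists winbind as a source in $1.
nss_lists_winbind() {   # $1 = path to nsswitch.conf, $2 = database name
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Report deviations; return 0 only if both files match the described layout.
check_member() {   # $1 = smb.conf, $2 = nsswitch.conf
    rc=0
    if [ -z "$(idmap_sss_domains "$1")" ]; then
        echo "FAIL: no 'idmap config <DOMAIN> : backend = sss' line in $1"; rc=1
    fi
    for db in passwd group; do
        if nss_lists_winbind "$2" "$db"; then
            echo "FAIL: '$db' lists winbind in $2; SSSD is meant to serve NSS"; rc=1
        fi
    done
    return "$rc"
}

# Run against real files: sh check.sh /etc/samba/smb.conf /etc/nsswitch.conf
if [ "$#" -eq 2 ]; then
    check_member "$1" "$2" || exit 1
    pgrep -x winbindd >/dev/null || { echo "FAIL: winbindd is not running"; exit 1; }
    echo "OK: winbindd running, idmap_sss configured, NSS left to SSSD"
fi
```

A passing run only shows the files and process match this layout; the "winbindd not running" message in the smbd log is still the authoritative symptom to look for after an upgrade.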