Winbindd fixes for SAMBA_2_2

Tim Potter tpot at
Wed Aug 15 01:54:10 GMT 2001

Alexander Bokovoy writes:

> 1. Workgroup-fixes.patch fixes some problems with default domain and user
> validation in Winbind and Smbd. Currently, smbd/password.c fetches machine
> trust account using default workgroup set up in [global] section and
> ignores domain name passed to it in domain_client_validate().

I'm assuming you have at least one trusted domain in your setup
here.  Let's call them DOM1 and DOM2 where DOM1 is the primary
domain samba is a member of.  What should be happening is there
should only be one trust account password, for DOM1 in
secrets.tdb.  When authentication is required for user DOM2/foo
the request should be made to a dc in DOM1, which then passes the request
on (using the trust account password between the DOM1 and DOM2)
to a dc in DOM2.

So for this situation I don't think your patches are necessary.
If you don't have any trusted domains let me know what your
domain setup is.

> Unfortunately, Winbind does not set up this global workgroup name
> (global_myworkgroup) so it is empty and domain_client_validate() simply
> fails to fetch machine trust account.

This is probably a bug but I don't think the global_myworkgroup
variable is used anywhere in winbindd.

> I've fixed this and also added support for omitting domain name for users
> from the default domain (global_myworkgroup) as it was suggested by
> Schlomo on samba-ntdom@ mailing list. Now Winbindd recognizes both
> DOM+user and user if DOM is the value of 'workgroup' parameter from
> smb.conf.
> 2. Second patch provides fixes in documentation for winbindd(8)
> (man/html/sgml) which currently refers to outdated 'samedit' tool
> unavailable in Samba 2.2.x (replaced by the similar functionality in
> smbpasswd).

I've applied these patches to the 2.2 documentation - thanks!



More information about the samba-technical mailing list