Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")

simo idra at samba.org
Thu Jul 20 16:58:40 GMT 2006


On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> Volker,
> 
> Assume I have a member server named LINUX joined to a
> domain name AD.  Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming it's a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
> 
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
> 
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding a similar option to pam_winbind.conf.
> This option just cannot work reliably.
> 
> Do you have any suggestions?

I would just document that local users will always take precedence.

Winbind use default domain is too valuable to be removed imho.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
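
The name collision discussed in this thread can be audited before unqualified names are relied on; the following is an added example, not part of the original messages and not Samba code. It assumes a passwd(5)-format local account list and a domain listing in DOMAIN\user form; the machine and domain names LINUX and AD come from the thread, every other account is constructed, and `resolve()` only models the "local users take precedence" behaviour described above.

```python
# Added example: constructed data, not Samba code.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001:Local Foo:/home/foo:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
DOMAIN_USERS = "AD\\foo\nAD\\bar\nAD\\Backup\n"  # constructed domain listing
SEP = "\\"  # assumed separator between domain and user


def local_names(passwd_text):
    """Account names from passwd(5)-format text, skipping blanks and comments."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines()
            if ln.strip() and not ln.startswith("#")}


def domain_names(listing, sep=SEP):
    """Map lowercased short name -> qualified name for DOMAIN<sep>user lines."""
    out = {}
    for ln in listing.splitlines():
        domain, found, user = ln.strip().partition(sep)
        if found and user:
            out[user.lower()] = domain + sep + user
    return out


def collisions(passwd_text, listing):
    """Local accounts whose name also exists in the domain.

    Domain account names are case-insensitive, so the comparison is too.
    """
    dom = domain_names(listing)
    return [(n, dom[n.lower()]) for n in sorted(local_names(passwd_text))
            if n.lower() in dom]


def resolve(name, passwd_text, listing, local="LINUX", default_domain="AD"):
    """Model of the thread's behaviour: an unqualified name goes local first."""
    if SEP in name:
        return name  # already qualified, nothing to guess
    if name in local_names(passwd_text):
        return local + SEP + name  # local account shadows the domain one
    return default_domain + SEP + name


if __name__ == "__main__":
    for local_name, qualified in collisions(LOCAL_PASSWD, DOMAIN_USERS):
        print(f"collision: local {local_name!r} shadows {qualified!r}")
```

Each reported pair is an account where an unqualified login name can resolve to a different identity, and therefore different group membership, than the domain administrator expects.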


