Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
Dave Daugherty
dave.daugherty at centrify.com
Thu Jul 20 18:38:07 GMT 2006
My opinion:
Local users should always take precedence.
People should specifically refer to local users as
<SambaHostName>\localuser, if that is the form the SMB client insists on
sending.
Tacking on default domains and/or stripping domains to/from user names
and "trying them out" is playing fast and loose with user identity and
is a breeding ground for potential security holes.
Dave Daugherty
-----Original Message-----
From: samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org [mailto:samba-technical-bounces+dave.daugherty=centrify.com at lists.samba.org] On Behalf Of simo
Sent: Thursday, July 20, 2006 9:59 AM
To: Gerald (Jerry) Carter
Cc: Volker Lendecke; samba at samba.org; samba-technical at samba.org
Subject: Re: Q: winbindd, unqualified users, & name conflicts (a.k.a "Death to 'winbind use default domain'!")
On Thu, 2006-07-20 at 11:35 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Volker,
>
> Assume I have a member server named LINUX joined to a
> domain name AD. Now assume I have a local user named foo
> in my passdb and a user named foo in the domain as well.
> I'm modifying winbindd_util.c:parse_domain_user() to do
> a lookup_name() to try to figure out which domain to prepend
> to the username rather than just assuming its a domain user.
> But this means that we'll always choose the local user
> (due to the order of an isolated search in lookup_name()).
>
> The main problem is the use default domain abomination
> will confuse local and domain users of the same name and
> possibly return incorrect group membership.
>
> I am about a 1/2 inch from marking the smb.conf option
> as deprecated and adding similar option to pam_winbind.conf.
> This option just cannot work reliably.
>
> Do you have any suggestions?
I would just document that local users will always take precedence.
Winbind use default domain is too valuable to be removed imho.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
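The collision the thread is about, as an added example (not Samba code, and not from any of the posters): a small model of how a client-supplied name is split into domain and user, how an unqualified name is resolved when a local passdb account and a domain account share the same name, and a round-trip check that shows why stripping the domain with 'winbind use default domain' turns that collision into an identity confusion. The host name LINUX, the domain AD, the user lists and the SIDs are constructed for the demonstration; the lookup order and the separator are assumptions that follow the thread, not a reading of Samba's source.

```python
"""Model of unqualified-name resolution on a member server that has both
local (passdb) accounts and winbind-provided domain accounts.  Added example
for the thread above, not Samba code; all accounts and SIDs are constructed."""

from dataclasses import dataclass

WINBIND_SEPARATOR = "\\"   # assumed: the default 'winbind separator'
HOSTNAME = "LINUX"         # member server name from the thread
DEFAULT_DOMAIN = "AD"      # domain the server is joined to, from the thread


@dataclass(frozen=True)
class Identity:
    domain: str
    name: str
    sid: str               # constructed values, not real SIDs


# Constructed sample accounts: local 'foo' and domain 'foo' share a name.
LOCAL_USERS = {
    "foo": Identity(HOSTNAME, "foo", "S-1-5-21-1111-1111-1111-1001"),
    "backup": Identity(HOSTNAME, "backup", "S-1-5-21-1111-1111-1111-1002"),
}
DOMAIN_USERS = {
    "foo": Identity(DEFAULT_DOMAIN, "foo", "S-1-5-21-2222-2222-2222-2001"),
    "alice": Identity(DEFAULT_DOMAIN, "alice", "S-1-5-21-2222-2222-2222-2002"),
}


def split_domain_user(name):
    """Split 'DOMAIN\\user' into (DOMAIN, user); an unqualified name gives
    (None, user).  Domain names compare case-insensitively."""
    if WINBIND_SEPARATOR in name:
        domain, _, user = name.partition(WINBIND_SEPARATOR)
        return domain.upper(), user
    return None, name


def resolve(name, local_first=True):
    """Map a client-supplied name to an Identity, or None.

    A qualified name is looked up only in the domain it names.  An
    unqualified name is ambiguous: with local_first=True the local passdb
    wins (the position taken in the thread); with local_first=False the
    default domain is tried first, as 'winbind use default domain' implies.
    """
    domain, user = split_domain_user(name)
    if domain == HOSTNAME:
        return LOCAL_USERS.get(user)
    if domain == DEFAULT_DOMAIN:
        return DOMAIN_USERS.get(user)
    if domain is not None:
        return None                         # unknown or untrusted domain
    order = (LOCAL_USERS, DOMAIN_USERS) if local_first else (DOMAIN_USERS, LOCAL_USERS)
    for table in order:
        if user in table:
            return table[user]
    return None


def display_name(ident, use_default_domain):
    """Name the server presents for an account.  With
    'winbind use default domain = yes' the DOMAIN\\ prefix of default-domain
    users is stripped, so AD\\foo is shown simply as 'foo'."""
    if ident.domain == DEFAULT_DOMAIN and use_default_domain:
        return ident.name
    return f"{ident.domain}{WINBIND_SEPARATOR}{ident.name}"


def round_trip_mismatches(use_default_domain, local_first=True):
    """Domain accounts whose presented name resolves back to a different SID.

    Each hit is an identity confusion: the name a client learns for a domain
    user is mapped to another account (here the local user of the same name)
    when it is sent back, so ACL checks and group membership come out wrong.
    Returns a list of (presented_name, original_sid, resolved_sid_or_None).
    """
    hits = []
    for ident in DOMAIN_USERS.values():
        shown = display_name(ident, use_default_domain)
        back = resolve(shown, local_first)
        if back is None or back.sid != ident.sid:
            hits.append((shown, ident.sid, back.sid if back else None))
    return hits


if __name__ == "__main__":
    print("use default domain = yes:", round_trip_mismatches(True))
    print("use default domain = no: ", round_trip_mismatches(False))
```

With the domain prefix stripped, 'foo' is presented for AD\foo but resolves to LINUX\foo, so the check reports one mismatch; with qualified names (use default domain = no) every presented name round-trips to the SID it came from. Flipping the lookup order to domain-first makes the round trip succeed only by silently shadowing the local account, which is the other half of the problem the thread describes.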