Samba AD DC and winbindd
Andreas Schneider
asn at samba.org
Wed Feb 17 06:59:56 UTC 2016
On Tuesday 16 February 2016 13:06:35 Jeremy Allison wrote:
> On Mon, Feb 15, 2016 at 03:29:02PM +0100, Andreas Schneider wrote:
> > On Monday 15 February 2016 12:38:26 Rowland Penny wrote:
> > > On 15/02/16 12:19, Stefan Metzmacher wrote:
> > > > Hi Rowland,
> > > >
> > > >> winbind use default domain = yes
> > > >
> > > > I think it should not be supported on an AD DC, it's ugly enough
> > > > that it exists at all...
> > >
> > > Well the line works on a domain member and it works on 4.2.x, so either
> > > it should still work on a 4.3.x DC or it should be removed completely
> > > for consistency, if nothing else.
> > >
> > > > I would guess 4.0 and 4.1 also always report:
> > > >
> > > > TEST\user1:*:10000:10000::/home/user1:/bin/sh
> > >
> > > You are probably right, it never worked for me and I only found it
> > > whilst testing something else.
> >
> > To be honest, I would vote for removing the 'winbind use default domain'
> > option completely. I have a lot of downstream bugs with issues only
> > because of this option.
> >
> > It creates more trouble than it solves a problem ...
>
> You won't get any arguments here from me on the problems
> this causes.
>
> However, it's been out there and widely used for many
> years, and consider what might break if we now remove
> it.
>
> I think we're stuck with making it work :-(. I'm happy
> to work with you on fixing any upstream bugs you can
> report.
The issue we had several times the last month was that customers use 'winbind
use default domain = yes' and then create a unix user with the same name (foo)
as the one in AD.

Then they try to use 'username map' to map AD/foo to foo.

Then they open a bug and complain that it doesn't work. Also username map is
badly documented, see the bug #11557. The issue is probably always bad
documentation and we do not explain that a username which appears twice will
not work.
Cheers,
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
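
The name collision described in the message above (a local Unix account with the same short name as an AD account while 'winbind use default domain = yes' hides the domain prefix) can be checked for before configuring 'username map'. This is an added example, not part of the original post or of Samba; the function names, the sample account lines and the case-insensitive comparison are assumptions.

```shell
#!/bin/sh
# find_collisions PASSWD_FILE DOMAIN_USERS_FILE
# PASSWD_FILE:       passwd(5) format, e.g. /etc/passwd
# DOMAIN_USERS_FILE: one account per line, as listed by "wbinfo -u",
#                    either "DOMAIN\user" or bare "user"
# Prints every short name that exists on both sides, once each.
# Assumption: names are compared case-insensitively.
find_collisions() {
    awk -F: '
        FILENAME == ARGV[1] {
            # local accounts: first field of each passwd line
            if ($1 != "" && $1 !~ /^#/) local_user[tolower($1)] = 1
            next
        }
        {
            name = $0
            sub(/^.*\\/, "", name)   # strip "DOMAIN\" (default winbind separator)
            name = tolower(name)
            if (name in local_user && !(name in seen)) {
                seen[name] = 1
                print name
            }
        }
    ' "$1" "$2"
}

# Constructed sample data: local user "foo" also exists in domain TEST.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/sh' \
        'foo:x:1000:1000::/home/foo:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'TEST\user1' 'TEST\foo' 'administrator' > "$tmp/domain_users"
    find_collisions "$tmp/passwd" "$tmp/domain_users"
    rm -rf "$tmp"
}

# On a real host the inputs would come from the system instead:
#   wbinfo -u > /tmp/domain_users && find_collisions /etc/passwd /tmp/domain_users
demo
```

Any name printed is an account that would appear twice once the domain prefix is dropped, which is the case the message says will not work.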