Samba AD DC and winbindd

Rowland Penny repenny241155 at
Wed Feb 17 08:28:51 UTC 2016

On 17/02/16 06:59, Andreas Schneider wrote:
> On Tuesday 16 February 2016 13:06:35 Jeremy Allison wrote:
>> On Mon, Feb 15, 2016 at 03:29:02PM +0100, Andreas Schneider wrote:
>>> On Monday 15 February 2016 12:38:26 Rowland Penny wrote:
>>>> On 15/02/16 12:19, Stefan Metzmacher wrote:
>>>>> Hi Rowland,
>>>>>> winbind use default domain = yes
>>>>> I think this should not be supported on an AD DC, it's ugly enough
>>>>> that it exists at all...
>>>> Well the line works on a domain member and it works on 4.2.x, so either
>>>> it should still work on a 4.3.x DC or it should be removed completely
>>>> for consistency, if nothing else.
>>>>> I would guess 4.0 and 4.1 also always report:
>>>>> TEST\user1:*:10000:10000::/home/user1:/bin/sh
>>>> You are probably right, it never worked for me and I only found it
>>>> whilst testing something else.
>>> To be honest, I would vote for removing the 'winbind use default domain'
>>> option completely. I have a lot of downstream bugs with issues only
>>> because of this option.
>>> It creates more trouble than it solves a problem ...
>> You won't get any arguments here from me on the problems
>> this causes.
>> However, it's been out there and widely used for many
>> years, and consider what might break if we now remove
>> it.
>> I think we're stuck with making it work :-(. I'm happy
>> to work with you on fixing any upstream bugs you can
>> report.
> The issue we had several times the last month was that customers use 'winbind
> use default domain = yes' and then create a unix user with the same name (foo)
> as the one in AD.

Then this is a problem with whatever tool they are using to create the
user or how the user is set up. If I try to create a user on a DC with
'adduser' and the user already exists in AD, I get this:

root at dc1:~# adduser rowland
adduser: The user `rowland' already exists.

> Then they try to use 'username map' to map AD/foo to foo.
> Then they open a bug and complain that it doesn't work. Also username map is
> badly documented, see the bug #11557. The issue is probably always bad
> documentation and we do not explain that a username which appears twice will
> not work.

This I can agree with.
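As an added example (not from the thread or from Samba itself), a small check for the collision Andreas describes: a local Unix account carrying the same name as an AD user, which is exactly the case 'winbind use default domain = yes' makes ambiguous. The /etc/passwd and `wbinfo -u` samples are constructed; on a real DC you would feed it the actual outputs.

```python
"""Report account names defined both locally and in AD (constructed samples)."""
import re

# Constructed sample of /etc/passwd content (not taken from the thread).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001::/home/foo:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""

# Constructed sample of `wbinfo -u` output. Names carry a DOMAIN\ prefix
# unless 'winbind use default domain = yes' strips it, so both forms appear.
SAMPLE_WBINFO = """TEST\\foo
TEST\\bob
Administrator
"""


def parse_passwd(text):
    """Return the set of local account names from passwd(5)-formatted text."""
    names = set()
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        names.add(line.split(":", 1)[0])
    return names


def parse_wbinfo_users(text):
    """Return bare, lower-cased AD user names, dropping any DOMAIN\\ or
    DOMAIN+ prefix ('winbind separator' defaults to '\\')."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names.add(re.split(r"[\\+]", line, maxsplit=1)[-1].lower())
    return names


def find_collisions(passwd_text, wbinfo_text):
    """Names present in both sources; AD names are case-insensitive, so the
    comparison is done in lower case. A non-empty result means 'username map'
    cannot disambiguate the account, the situation the thread complains about."""
    local = {n.lower() for n in parse_passwd(passwd_text)}
    return sorted(local & parse_wbinfo_users(wbinfo_text))


if __name__ == "__main__":
    for name in find_collisions(SAMPLE_PASSWD, SAMPLE_WBINFO):
        print(f"collision: '{name}' exists in /etc/passwd and in AD")
```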
