Samba AD DC and winbindd

mathias dufresne infractory at gmail.com
Fri Feb 26 14:27:05 UTC 2016


Sorry to come in, but removing a potentially useful option because of a lack
of documentation on some other part of Samba seems to me a strange
decision...

2016-02-17 9:28 GMT+01:00 Rowland Penny <repenny241155 at gmail.com>:

> On 17/02/16 06:59, Andreas Schneider wrote:
>
>> On Tuesday 16 February 2016 13:06:35 Jeremy Allison wrote:
>>
>>> On Mon, Feb 15, 2016 at 03:29:02PM +0100, Andreas Schneider wrote:
>>>
>>>> On Monday 15 February 2016 12:38:26 Rowland Penny wrote:
>>>>
>>>>> On 15/02/16 12:19, Stefan Metzmacher wrote:
>>>>>
>>>>>> Hi Rowland,
>>>>>>
>>>>>>> winbind use default domain = yes
>>>>>>
>>>>>> I think should not be supported on a AD DC, it's ugly enough
>>>>>> that it exists at all...
>>>>>>
>>>>> Well the line works on a domain member and it works on 4.2.x, so either
>>>>> it should still work on a 4.3.x DC or it should be removed completely
>>>>> for consistency, if nothing else.
>>>>>
>>>>>> I would guess 4.0 and 4.1 also always report:
>>>>>>
>>>>>> TEST\user1:*:10000:10000::/home/user1:/bin/sh
>>>>>>
>>>>> You are probably right, it never worked for me and I only found it
>>>>> whilst testing something else.
>>>>>
>>>> To be honest, I would vote for removing the 'winbind use default domain'
>>>> option completely. I have a lot of downstream bugs with issues only
>>>> because of this options.
>>>>
>>>> It creates more trouble than it solves a problem ...
>>>>
>>> You won't get any arguments here from me on the problems
>>> this causes.
>>>
>>> However, it's been out there and widely used for many
>>> years, and consider what might break if we now remove
>>> it.
>>>
>>> I think we're stuck with making it work :-(. I'm happy
>>> to work with you on fixing any upstream bugs you can
>>> report.
>>>
>> The issue we had several times in the last month was that customers use
>> 'winbind use default domain = yes' and then create a unix user with the
>> same name (foo) as the one in AD.
>>
>
> Then this is a problem with whatever tool they are using to create the user
> or how the user is set up. If I try to create a user on a DC with 'adduser'
> and the user already exists in AD, I get this:
>
> root at dc1:~# adduser rowland
> adduser: The user `rowland' already exists.
>
>
>> Then they try to use 'username map' to map AD/foo to foo.
>>
>> Then they open a bug and complain that it doesn't work. Also, username map
>> is badly documented, see bug #11557. The issue is probably always bad
>> documentation and we do not explain that a username which appears twice
>> will not work.
>>
>
> This I can agree with.
>
>
> Rowland
>
>
>
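
As an added example (not part of this thread or of Samba), a small POSIX shell check for the collision the thread describes: an account that exists in the local passwd database and also in AD once winbind drops the `DOMAIN\` prefix under `winbind use default domain = yes`. The passwd lines are constructed, the helper name is made up, and the simplification that every prefixed entry belongs to the primary domain is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: find account names that would exist
# twice once winbind strips the DOMAIN\ prefix (the 'foo' vs 'AD/foo' case
# discussed above). Constructed passwd-format input stands in for the
# output of `getent passwd` from local files and from winbind.

# find_collisions LOCAL_PASSWD WINBIND_PASSWD USE_DEFAULT_DOMAIN
# Prints "<name> local=<uid> ad=<uid>" for every name found in both sources.
# Assumption: every DOMAIN\user entry belongs to the primary domain, which
# is the only one whose prefix 'winbind use default domain = yes' removes.
find_collisions() {
  local_passwd=$1
  winbind_passwd=$2
  use_default_domain=$3    # "yes" or "no", mirroring the smb.conf setting

  printf '%s\n%s\n' "$local_passwd" "$winbind_passwd" |
  awk -F: -v strip="$use_default_domain" '
    $0 == "" { next }
    {
      name = $1
      if (index(name, "\\") > 0) {
        # entry came from winbind (default "winbind separator" is \)
        if (strip == "yes") sub(/^[^\\]*\\/, "", name)
        ad_uid[name] = $3
      } else {
        local_uid[name] = $3
      }
    }
    END {
      for (n in local_uid)
        if (n in ad_uid)
          printf "%s local=%s ad=%s\n", n, local_uid[n], ad_uid[n]
    }'
}

# Constructed sample data: a local user "foo" and an AD user TEST\foo.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
foo:x:1001:1001::/home/foo:/bin/bash'
WINBIND_PASSWD='TEST\foo:*:10000:10000::/home/TEST/foo:/bin/sh
TEST\user1:*:10001:10000::/home/TEST/user1:/bin/sh'

# With the option on, "foo" resolves to two different accounts:
find_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD" yes
# With it off, TEST\foo and foo stay distinct names, so nothing is reported.
find_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD" no
```

On a real DC or member, feed the function the output of `getent passwd` taken from the files and winbind sources separately; any line it prints is a name that `username map` cannot disambiguate.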


More information about the samba-technical mailing list