wbinfo -i output domain realm vs. ntdomain before login

Heiner Lesaar heiner.lesaar at googlemail.com
Wed Apr 18 16:31:01 UTC 2018

Dear all,

I have posted on samba at lists before and got a hint towards a change of
winbind behaviour since Samba 4.7 from a kind subscriber, but unfortunately
the hint towards a change in group membership calculation does not really
(seem to) relate to my question.

I would like to be able to get a consistent result when running wbinfo -i
so that it does not differ between user creation and after first login.

For reference, please see my original request below and thanks a lot for
your help and suggestions!


On CentOS 7 based Linux with different versions of Samba (4.6.x from CentOS
repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
-i user@domain.tld" returns different results before the first successful
authentication of the user.

Server joined as member to Active Directory, idmapping via tdb2 and rid or
ad - does not seem to make a difference.

On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
login it switches to "NTDOMAIN+Username" (which is also the correct output).
The tdb files also show the "wrong" info until the login is done (according
to tdbdump comparison). It does not matter if the login happens on a client
or like in my example "locally" via smbclient.

See command output examples:

1st execution after user creation in AD:

# $ wbinfo -i newuser@test.intern

# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.

Authentication (e.g. here via smbclient):

# $ smbclient \\\\\\sharename -U newuser@test.intern

Execution after 1st login:

# $ wbinfo -i newuser@test.intern

# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false


We use the command output to create database entries in an in-house
developed database / application to centrally manage client logins from
various operating systems.

My questions are:

1) Is this expected behaviour or is it influenced by some smb.conf or
krb5.conf option that we are not aware of?

2) Is there a way to query the domain "prefix" of a user which will not
change depending on whether the user has ever tried to log in to the
server or not?
Does it maybe depend on some command line option?

FYI: getent passwd shows the same behaviour.

Thank you very much for your help and assistance!
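
The mismatch described in the message above can be detected on the consuming side before a database entry is written. The following is an added example, not part of the original post and not Samba code: it parses the two wbinfo -i lines quoted in the post (the first is cut off in the post and is used as-is) and reports when the same uid/gid/user appears under a different domain prefix. The function names and the "+" separator default are assumptions taken from the quoted output.

```python
from typing import NamedTuple, Optional, Tuple

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")

# The two output lines quoted in the post; BEFORE is truncated there.
BEFORE = "TEST.INTERN+newuser:*:16777239:16777216::/home/TEST."
AFTER = "TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false"


class WbEntry(NamedTuple):
    domain: Optional[str]   # prefix before the winbind separator, if any
    user: str
    uid: int
    gid: int
    home: Optional[str]
    shell: Optional[str]


def parse_wbinfo_line(line: str, separator: str = "+") -> WbEntry:
    """Parse one passwd-format line as printed by wbinfo -i or getent passwd.

    Missing trailing fields (as in the truncated line) become None.
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a passwd-format line: {line!r}")
    parts += [None] * (len(FIELDS) - len(parts))
    rec = dict(zip(FIELDS, parts))
    domain, sep, user = rec["name"].partition(separator)
    if not sep:  # no separator: plain user name without a domain prefix
        domain, user = None, rec["name"]
    return WbEntry(domain, user, int(rec["uid"]), int(rec["gid"]),
                   rec["home"], rec["shell"])


def prefix_drift(old: WbEntry, new: WbEntry) -> Optional[Tuple[str, str]]:
    """Return (old_prefix, new_prefix) when user, uid and gid match but the
    domain prefix differs; otherwise None."""
    same_account = (old.user.lower(), old.uid, old.gid) == \
                   (new.user.lower(), new.uid, new.gid)
    if same_account and old.domain != new.domain:
        return (old.domain, new.domain)
    return None


if __name__ == "__main__":
    drift = prefix_drift(parse_wbinfo_line(BEFORE), parse_wbinfo_line(AFTER))
    print("prefix changed:", drift)
```
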

More information about the samba-technical mailing list