wbinfo -i output domain realm vs. ntdomain before login

Heiner Lesaar heiner.lesaar at googlemail.com
Thu Apr 19 12:23:25 UTC 2018


Thanks a lot, Rowland!


I didnĀ“t check who was replying - apologies for the "kind subscriber"
comment - at least I used "kind" ;)

To answer your question, we are connecting from various clients (Win7,
Win10, OSX)  and see this behaviour on several machines (not just one
particular) and it is reproducible.

The smb.conf file:

#####

[global]

log level=7

realm=DOMAIN.INTERN

netbios name=EXAMPLE

workgroup=ELEMENTS

server string=EXAMPLE SMB

log file=/var/log/samba/log.%m

max log size=5000

security=ads

passdb backend=tdbsam

load printers=no

printing=bsd

printcap name=/dev/null

map to guest=bad user

enable core files=no

server signing=disabled

client signing=disabled

nt acl support=no

max xmit=1048576

block size=4096

aio read size=1

aio write size=1

map system=no

map archive=no

map read only=no

dns proxy=no

wins proxy=no

hide dot files=yes

ntlm auth=yes

idmap config * : range=16777216-33554431

idmap config * : backend=tdb2

idmap config NTDOMAIN : range=43554431-56666666

idmap config NTDOMAIN : backend=rid

winbind offline logon=false

winbind separator=+

winbind enum users=yes

winbind enum groups=yes

winbind use default domain=no

winbind nested groups=yes

winbind refresh tickets=yes

winbind expand groups=1

auth methods=sam winbind


[benchmark]

comment=

path=/data/snfs1/benchmark

guest ok=yes

browseable=yes

create mask=0777

directory mask=0777

read only=no

follow symlinks=yes

wide links=no

###

####################################


Thank you very much for your help and assistance! This behaviour is driving
us mad already for a couple of weeks :D

Many regards,

Heiner

---------- Weitergeleitete Nachricht ----------
From: Rowland Penny <rpenny at samba.org>
To: samba-technical at lists.samba.org
Cc:
Bcc:
Date: Wed, 18 Apr 2018 17:51:21 +0100
Subject: Re: wbinfo -i output domain realm vs. ntdomain before login
On Wed, 18 Apr 2018 18:31:01 +0200
Heiner Lesaar via samba-technical <samba-technical at lists.samba.org>
wrote:

> Dear all,
>
> I have posted on samba at lists before and got a hint towards a change of
> winbind behaviour since samba 4.7 from a kind subscriber,

I am a bit more than a subscriber ;-)
But what I said, as far as group membership is concerned, is correct.

>but
> unfortunately the hint towards a change in group membership
> calculation does not really (seem to) relate to my question.
>
> I would like to be able to get a consistent result when running
> wbinfo -i so that it does not differ between user creation and after
> first login.
>
> For reference, please see my original request below and thanks a lot
> for your help and suggestions!
>
> Heiner
>
>
> On CentOs7 based linux w. different versions of Samba (4.6.x from
> CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
> source), "wbinfo -i user at domain.tld" returns different results before
> the first successful authentication of the user.
>
> Server joined as member to Active Directory, idmapping via tdb2 and
> rid or ad - does not seem to make a difference.
>
> On first attempt, the result returns "DOMAIN-REALM+Username", but
> after 1st login it switches to "NTDOMAIN+Username"

Now this is the strange part, I never see this, what are you connecting
from and if it is a Unix machine, can we see your smb.conf.

Rowland


More information about the samba-technical mailing list