wbinfo -i output domain realm vs. ntdomain before login

Andreas Schneider asn at samba.org
Thu Apr 19 12:29:38 UTC 2018


On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via samba-technical 
wrote:
> Dear all,
> 
> I have posted on samba at lists before and got a hint towards a change of
> winbind behaviour since samba 4.7 from a kind subscriber, but unfortunately
> the hint towards a change in group membership calculation does not really
> (seem to) relate to my question.
> 
> I would like to be able to get a consistent result when running wbinfo -i
> so that it does not differ between user creation and after first login.
> 
> For reference, please see my original request below and thanks a lot for
> your help and suggestions!
> 
> Heiner
> 
> 
> On CentOS 7 based Linux w. different versions of Samba (4.6.x from CentOS
> repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
> -i user at domain.tld" returns different results before the first successful
> authentication of the user.
> 
> Server joined as member to Active Directory, idmapping via tdb2 and rid or
> ad - does not seem to make a difference.
> 
> On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
> login it switches to "NTDOMAIN+Username" (which is also the correct output).
> The tdb files also show the "wrong" info until the login is done (according
> to tdbdump comparison). It does not matter if the login happens on a client
> or like in my example "locally" via smbclient.
> 
> 
> See command output examples:
> 
> #########
> 1st execution after user creation in AD:
> 
> # $ wbinfo -i newuser at test.intern
> 
> # TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
> 
> Authentication (e.g. here via smbclient):
> 
> # $ smbclient \\\\127.0.0.1\\sharename -U newuser at test.intern
> 
> Execution after 1st login:
> 
> # $ wbinfo -i newuser at test.intern
> 
> # TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
> 
> #########
> 
> We use the command output to create database entries in an in-house
> developed database / application to centrally manage client logins from
> various operating systems.
> 
> My questions are:
> 
> 1) Is this expected behaviour or is it influenced by some smb.conf or
> krb5.conf option that we are not aware of?
> 
> 2) Is there a way to query the domain "prefix" of a user which will not
> change depending on the fact if the user has ever tried to login to the
> server or not?
> Does it maybe depend on some command line option?
> 
> FYI: getent passwd shows the same behaviour.
> 
> 
> 
> Thank you very much for your help and assistance!

This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org




