wbinfo -i output domain realm vs. ntdomain before login
Andreas Schneider
asn at samba.org
Thu Apr 19 12:29:38 UTC 2018
On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via samba-technical
wrote:
> Dear all,
>
> I have posted on samba at lists before and got a hint towards a change of
> winbind behaviour since samba 4.7 from a kind subscriber, but unfortunately
> the hint towards a change in group membership calculation does not really
> (seem to) relate to my question.
>
> I would like to be able to get a consistent result when running wbinfo -i
> so that it does not differ between user creation and after first login.
>
> For reference, please see my original request below and thanks a lot for
> your help and suggestions!
>
> Heiner
>
>
> On CentOS 7 based Linux with different versions of Samba (4.6.x from CentOS
> repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
> -i user@domain.tld" returns different results before the first successful
> authentication of the user.
>
> Server joined as member to Active Directory, idmapping via tdb2 and rid or
> ad - does not seem to make a difference.
>
> On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
> login it switches to "NTDOMAIN+Username" (which is also the correct output).
> The tdb files also show the "wrong" info until the login is done (according
> to tdbdump comparison). It does not matter if the login happens on a client
> or like in my example "locally" via smbclient.
>
>
> See command output examples:
>
> #########
> 1st execution after user creation in AD:
>
> # $ wbinfo -i newuser@test.intern
>
> # TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
>
> Authentication (e.g. here via smbclient):
>
> # $ smbclient \\\\127.0.0.1\\sharename -U newuser@test.intern
>
> Execution after 1st login:
>
> # $ wbinfo -i newuser@test.intern
>
> # TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
>
> #########
>
> We use the command output to create database entries in an in-house
> developed database / application to centrally manage client logins from
> various operating systems.
>
> My questions are:
>
> 1) Is this expected behaviour or is it influenced by some smb.conf or
> krb5.conf option that we are not aware of?
>
> 2) Is there a way to query the domain "prefix" of a user which will not
> change depending on whether the user has ever tried to log in to the
> server or not?
> Does it maybe depend on some command line option?
>
> FYI: getent passwd shows the same behaviour.
>
>
>
> Thank you very much for your help and assistance!
This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
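
An added example, not part of the original thread and not Samba code: a consumer of `wbinfo -i` output, such as the in-house database described in the question, can parse the passwd-style line and map a realm-style prefix to the NT domain name before storing it, rejecting prefixes it does not know. The function names and the `REALM_TO_NETBIOS` map are assumptions maintained by the operator; the two sample lines are the outputs quoted in the question.

```python
# Added example (not from the thread): derive a stable DOMAIN+user key from
# `wbinfo -i` output, whichever domain prefix winbind happened to print.
from typing import Dict, NamedTuple

# Assumption: operator-maintained map of AD realm -> NT (NetBIOS) domain name.
REALM_TO_NETBIOS = {"TEST.INTERN": "TEST"}

# The two outputs quoted in the thread (before and after the first login).
BEFORE = "TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false"
AFTER = "TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false"


class WinbindEntry(NamedTuple):
    domain: str
    user: str
    uid: int
    gid: int


def parse_entry(line: str, separator: str = "+") -> WinbindEntry:
    """Parse one passwd-format line; separator is smb.conf 'winbind separator'."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}")
    domain, sep, user = fields[0].partition(separator)
    if not (sep and domain and user):
        raise ValueError(f"no domain prefix in account name {fields[0]!r}")
    return WinbindEntry(domain, user, int(fields[2]), int(fields[3]))


def canonical_key(entry: WinbindEntry, realms: Dict[str, str],
                  separator: str = "+") -> str:
    """Return NTDOMAIN+user for either prefix form; reject unknown prefixes."""
    by_realm = {realm.upper(): nt.upper() for realm, nt in realms.items()}
    prefix = entry.domain.upper()
    if prefix in by_realm.values():
        nt_domain = prefix                # already the NT domain name
    elif prefix in by_realm:
        nt_domain = by_realm[prefix]      # realm form seen before first login
    else:
        raise KeyError(f"unknown domain prefix {entry.domain!r}")
    return f"{nt_domain}{separator}{entry.user}"


if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        entry = parse_entry(line)
        print(canonical_key(entry, REALM_TO_NETBIOS), entry.uid, entry.gid)
```

Both sample lines yield the same key and the same uid/gid, so a record created before the first login matches the one seen afterwards.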