wbinfo -i output domain realm vs. ntdomain before login

Andreas Schneider asn at samba.org
Thu Apr 19 13:55:57 UTC 2018


On Thursday, 19 April 2018 14:48:35 CEST Rowland Penny via samba-technical wrote:
> On Thu, 19 Apr 2018 14:29:38 +0200 Andreas Schneider via samba-technical <samba-technical at lists.samba.org> wrote:
> > On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via samba-technical wrote:
> > > Dear all,
> > > 
> > > I have posted on samba at lists before and got a hint towards a change
> > > of winbind behaviour since samba 4.7 from a kind subscriber, but
> > > unfortunately the hint towards a change in group membership
> > > calculation does not really (seem to) relate to my question.
> > > 
> > > I would like to be able to get a consistent result when running
> > > wbinfo -i so that it does not differ between user creation and
> > > after first login.
> > > 
> > > For reference, please see my original request below and thanks a
> > > lot for your help and suggestions!
> > > 
> > > Heiner
> > > 
> > > 
> > > On CentOS 7 based Linux w. different versions of Samba (4.6.x from
> > > CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
> > > source), "wbinfo -i user@domain.tld" returns different results
> > > before the first successful authentication of the user.
> > > 
> > > Server joined as member to Active Directory, idmapping via tdb2 and
> > > rid or ad - does not seem to make a difference.
> > > 
> > > On first attempt, the result returns "DOMAIN-REALM+Username", but
> > > after 1st login it switches to "NTDOMAIN+Username" (which is also
> > > the correct output). The tdb files also show the "wrong" info until
> > > the login is done (according to tdbdump comparison). It does not
> > > matter if the login happens on a client or like in my example
> > > "locally" via smbclient.
> > > 
> > > 
> > > See command output examples:
> > > 
> > > #########
> > > 1st execution after user creation in AD:
> > > 
> > > # $ wbinfo -i newuser@test.intern
> > > 
> > > # TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
> > > 
> > > Authentication (e.g. here via smbclient):
> > > 
> > > # $ smbclient \\\\127.0.0.1\\sharename -U newuser@test.intern
> > > 
> > > Execution after 1st login:
> > > 
> > > # $ wbinfo -i newuser@test.intern
> > > 
> > > # TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
> > > 
> > > #########
> > > 
> > > We use the command output to create database entries in an in-house
> > > developed database / application to centrally manage client logins
> > > from various operating systems.
> > > 
> > > My questions are:
> > > 
> > > 1) Is this expected behaviour or is it influenced by some smb.conf
> > > or krb5.conf option that we are not aware of?
> > > 
> > > 2) Is there a way to query the domain "prefix" of a user which will
> > > not change depending on the fact if the user has ever tried to
> > > login to the server or not?
> > > Does it maybe depend on some command line option?
> > > 
> > > FYI: getent passwd shows the same behaviour.
> > > 
> > > 
> > > 
> > > Thank you very much for your help and assistance!
> > 
> > This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
> 
> It also does the same if you only use the username:
> 
> rowland@devstation:~$ wbinfo -i unix1
> SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash

I think I have the correct fix now:

samba-cli01:~ # killall -TERM winbindd; sleep 0.5; rm -f /var/log/samba/log.*; rm -f /var/lib/samba/*cache*; winbindd
samba-cli01:~ # wbinfo -i EARTH+bob1
EARTH+bob1:*:100001107:100000513::/home/EARTH/bob1:/bin/bash


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
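
Added example, not part of the original thread and not Samba code: a small parser for the passwd-style line that `wbinfo -i` prints, run over the two outputs quoted above, that reports which fields differ between the lookup before and after the first login. The function and class names are hypothetical, and the separator defaults to `+` as in the quoted output.

```python
from typing import NamedTuple

# Field order of a passwd(5)-style line, which is what `wbinfo -i` prints.
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")


class WbUser(NamedTuple):
    domain: str  # part before the winbind separator ("" if none present)
    user: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_wbinfo_i(line: str, separator: str = "+") -> WbUser:
    """Parse one `wbinfo -i` output line into its components."""
    parts = line.strip().split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
    rec = dict(zip(PASSWD_FIELDS, parts))
    domain, sep, user = rec["name"].partition(separator)
    if not sep:  # no domain prefix in the name field
        domain, user = "", rec["name"]
    return WbUser(domain, user, int(rec["uid"]), int(rec["gid"]),
                  rec["home"], rec["shell"])


def changed_fields(before: WbUser, after: WbUser) -> dict:
    """Return {field: (before, after)} for every field that differs."""
    return {f: (getattr(before, f), getattr(after, f))
            for f in WbUser._fields
            if getattr(before, f) != getattr(after, f)}


# The two outputs quoted in the thread for the same account.
BEFORE_LOGIN = "TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false"
AFTER_LOGIN = "TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false"

if __name__ == "__main__":
    diff = changed_fields(parse_wbinfo_i(BEFORE_LOGIN), parse_wbinfo_i(AFTER_LOGIN))
    for field, (old, new) in diff.items():
        print(f"{field}: {old!r} -> {new!r}")
```

For the quoted outputs only the domain prefix and the home directory derived from it differ; the uid and gid are the same in both lines.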




