wbinfo -i output domain realm vs. ntdomain before login

Samuel Cabrero scabrero at suse.de
Thu Apr 19 16:32:36 UTC 2018


On Thu, 2018-04-19 at 15:55 +0200, Andreas Schneider via samba-technical
wrote:
> On Thursday, 19 April 2018 14:48:35 CEST Rowland Penny via samba-technical
> wrote:
> > On Thu, 19 Apr 2018 14:29:38 +0200
> > Andreas Schneider via samba-technical <samba-technical at lists.samba.org>
> > wrote:
> > > On Wednesday, 18 April 2018 18:31:01 CEST Heiner Lesaar via
> > > samba-technical wrote:
> > > > Dear all,
> > > > 
> > > > I have posted on samba@lists before and got a hint towards a
> > > > change of winbind behaviour since samba 4.7 from a kind subscriber,
> > > > but unfortunately the hint towards a change in group membership
> > > > calculation does not really (seem to) relate to my question.
> > > > 
> > > > I would like to be able to get a consistent result when running
> > > > wbinfo -i so that it does not differ between user creation and
> > > > after first login.
> > > > 
> > > > For reference, please see my original request below and thanks a
> > > > lot for your help and suggestions!
> > > > 
> > > > Heiner
> > > > 
> > > > 
> > > > On CentOS 7 based Linux w. different versions of Samba (4.6.x from
> > > > CentOS repos, but also Sernet-Samba-4.7.4 and also compiled from
> > > > source), "wbinfo -i user@domain.tld" returns different results
> > > > before the first successful authentication of the user.
> > > > 
> > > > Server joined as member to Active Directory, idmapping via tdb2 and
> > > > rid or ad - does not seem to make a difference.
> > > > 
> > > > On first attempt, the result returns "DOMAIN-REALM+Username", but
> > > > after 1st login it switches to "NTDOMAIN+Username" (which is also
> > > > the correct output). The tdb files also show the "wrong" info until
> > > > the login is done (according to tdbdump comparison). It does not
> > > > matter if the login happens on a client or like in my example
> > > > "locally" via smbclient.
> > > > 
> > > > 
> > > > See command output examples:
> > > > 
> > > > #########
> > > > 1st execution after user creation in AD:
> > > > 
> > > > # $ wbinfo -i newuser@test.intern
> > > > 
> > > > # TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false
> > > > 
> > > > Authentication (e.g. here via smbclient):
> > > > 
> > > > # $ smbclient \\\\127.0.0.1\\sharename -U newuser@test.intern
> > > > 
> > > > Execution after 1st login:
> > > > 
> > > > # $ wbinfo -i newuser@test.intern
> > > > 
> > > > # TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false
> > > > 
> > > > #########
> > > > 
> > > > We use the command output to create database entries in an
> > > > in-house developed database / application to centrally manage
> > > > client logins from various operating systems.
> > > > 
> > > > My questions are:
> > > > 
> > > > 1) Is this expected behaviour or is it influenced by some smb.conf
> > > > or krb5.conf option that we are not aware of?
> > > > 
> > > > 2) Is there a way to query the domain "prefix" of a user which will
> > > > not change depending on the fact if the user has ever tried to
> > > > login to the server or not?
> > > > Does it maybe depend on some command line option?
> > > > 
> > > > FYI: getent passwd shows the same behaviour.
> > > > 
> > > > 
> > > > 
> > > > Thank you very much for your help and assistance!
> > > 
> > > This sounds like https://bugzilla.samba.org/show_bug.cgi?id=13369
> > 
> > It also does the same if you only use the username:
> > 
> > rowland@devstation:~$ wbinfo -i unix1
> > SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash
> 
> I think I have the correct fix now:
> 
> samba-cli01:~ # killall -TERM winbindd; sleep 0.5; rm -f /var/log/samba/log.*; rm -f /var/lib/samba/*cache*; winbindd
> samba-cli01:~ # wbinfo -i EARTH+bob1
> EARTH+bob1:*:100001107:100000513::/home/EARTH/bob1:/bin/bash
> 
> 

Hi Andreas, 

I had a look at the attached patches in bugzilla. The LSA LookupNames
is called when the winbind cache is cold and it returns all the
necessary information (the referenced domain name and domain SID to
which the looked up names belong), so why can't we pass this up to the
caller and use it instead of checking the given name format to look up
the domain name after obtaining the SID?

What do you think about this patch?

Cheers.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: for-4-7-test.patch
Type: text/x-patch
Size: 22689 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180419/31be8ff6/for-4-7-test.bin>
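Heiner's setup feeds `wbinfo -i` output straight into a database, so a consumer of that output wants to notice when a cold-cache lookup has produced the realm-prefixed form (TEST.INTERN+newuser) instead of the NT domain form (TEST+newuser) described in the thread. The following POSIX sh script is an added example written for this page; it is neither part of the thread nor Samba's own code. It parses passwd-style lines as printed by `wbinfo -i` or `getent passwd`, splits off the prefix at the winbind separator (it assumes `+` by default, as in the thread, and also handles Samba's default `\`), and flags prefixes that contain a dot as realm-style. The sample lines are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): flag wbinfo -i /
# getent passwd lines whose domain prefix is a Kerberos realm such as
# TEST.INTERN instead of the flat NT domain name TEST. In the thread this
# form came from a cold winbind cache and would pollute a database that is
# keyed on NTDOMAIN+user. Sample lines below are constructed from the
# output quoted in the thread.

# Print the domain prefix of one passwd line.
#   $1 = passwd line, $2 = winbind separator (assumed "+" when omitted, as
#   configured in the thread; Samba's own default separator is "\").
winbind_prefix() {
    _user=${1%%:*}              # first field: DOMAIN<sep>username
    _sep=${2:-+}
    case $_user in
        *"$_sep"*) printf '%s\n' "${_user%%"$_sep"*}" ;;
        *)         printf '\n' ;;   # no separator: local account, no prefix
    esac
}

# Return 0 when the prefix contains a dot, i.e. it is a DNS realm such as
# TEST.INTERN or SAMDOM.EXAMPLE.COM rather than an NT domain name.
prefix_is_realm() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Classify one line: prints "ok" or "realm-prefix" followed by the line,
# and returns 1 for the realm-prefixed form so an importer can reject it.
check_line() {
    _prefix=$(winbind_prefix "$1" "$2")
    if prefix_is_realm "$_prefix"; then
        printf 'realm-prefix %s\n' "$1"
        return 1
    fi
    printf 'ok %s\n' "$1"
    return 0
}

# Read passwd lines on stdin, print how many are realm-prefixed and
# return 1 if there was at least one (useful as a gate before an import).
count_realm_prefixed() {
    _n=0
    while IFS= read -r _line; do
        check_line "$_line" "$1" >/dev/null || _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
    [ "$_n" -eq 0 ]
}

# Constructed samples, copied from the output quoted in the thread.
SAMPLE_COLD='TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.INTERN/newuser:/bin/false'
SAMPLE_WARM='TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false'
SAMPLE_BACKSLASH='SAMDOM.EXAMPLE.COM\unix1:*:10024:10000::/home/unix1:/bin/bash'

# Demo run: the cold-cache line is the one that gets flagged.
for _l in "$SAMPLE_COLD" "$SAMPLE_WARM"; do
    check_line "$_l" '+' || :
done
check_line "$SAMPLE_BACKSLASH" '\' || :
```

In practice the importer would pipe the real `getent passwd` or `wbinfo -i` output through `count_realm_prefixed` and refuse to write entries while it returns non-zero; with the fix from the bug report applied the prefix should be the NT domain name on the very first lookup, and the check simply stops firing.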

