Winbind issue after upgrading from 4.7.x to 4.8.x

Rowland Penny rpenny at samba.org
Fri Aug 10 08:19:57 UTC 2018


On Thu, 9 Aug 2018 16:48:24 -0700
Jeremy Allison via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Thu, Aug 09, 2018 at 02:49:06PM +0200, Miguel Sanders via
> samba-technical wrote:
> > We are simply missing the else block which should return false
> > (similar to the 4.7.x code).
> > Attached a simple patch which solves the issue.
> > 
> > Review is appreciated
> > 
> > Many thanks
> > 
> > -- 
> > Met vriendelijke groeten
> > Best regards
> > 
> > *Miguel Sanders*
> > ArcelorMittal Europe – Flat Products – Business Division North
> > 
> > External collaborator | Midrange UNIX
> > John Kennedylaan 51 B-9042 Gent
> > *T* +32 9 347 52 78
> > *E* gen-sid-ism-cbi-sig at arcelormittal.com
> > *E* miguel.sanders.external at arcelormittal.com
> 
> > --- /tmp/winbindd_util.c	2018-06-26 16:42:46.000000000 +0200
> > +++ winbindd_util.c	2018-08-09 14:43:56.386223278 +0200
> > @@ -1605,6 +1605,8 @@
> >  		} else if (assume_domain(lp_workgroup())) {
> >  			fstrcpy(domain, lp_workgroup());
> >  			fstrcpy(namespace, domain);
> > +		} else {
> > +			return false;
> >  		}
> >  	}
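
Review bot: the new `else` branch returns false without writing `domain` or `namespace`, while the branch just above it fills both with `fstrcpy()`. It is worth confirming that no caller reads those buffers after a failed parse, and a one-line comment in the branch saying why an unqualified name is rejected when `assume_domain(lp_workgroup())` is false would help. The patch header is also a plain diff against `/tmp/winbindd_util.c` rather than a path under the source tree, so it should be regenerated from the repository before it can be applied as submitted.
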
> 
> In master and 4.9.x this has been fixed by the equivalent of
> the following:
> 
> diff --git a/source3/winbindd/winbindd_util.c
> b/source3/winbindd/winbindd_util.c index aa633419c9a..7a5fb73cdef
> 100644 --- a/source3/winbindd/winbindd_util.c
> +++ b/source3/winbindd/winbindd_util.c
> @@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
>                 } else if (assume_domain(lp_workgroup())) {
>                         fstrcpy(domain, lp_workgroup());
>                         fstrcpy(namespace, domain);
> +               } else {
> +                       fstrcpy(namespace, lp_netbios_name());
>                 }
>         }
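
Review bot: in the added `else` branch only `namespace` is set (from `lp_netbios_name()`); `domain` is not written there, whereas the preceding branch sets both. A comment stating what `domain` is expected to hold when this branch is taken, and that an unqualified name now falls back to the local machine's namespace instead of failing the parse, would make the intent clear. As quoted, the `diff --git` and `index` header lines have been wrapped by the mail client, so this text will not apply without repair.
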
> 
> Can you check this out and see if it also fixes your problem ?
> 
> Thanks,
> 
> 	Jeremy.
> 

Hang on here, if you are going to start allowing the same username
in /etc/passwd and AD, you will also need to remove 'winbind use
default domain = yes' and force everybody to use 'DOMAIN\username'
when referring to an AD user.

Reason: if there is a user called 'XYZ' in /etc/passwd and another one
called 'XYZ' in AD and 'winbind use default domain = yes' is set, then
the user in AD will never be used, this is because 'passwd files
winbind' will be set in /etc/nsswitch.conf and the search will stop
after 'files' is searched. Now this may be okay if 'XYZ' in /etc/passwd
is the same user as 'XYZ' in AD, but what if it isn't ?

If you do remove 'winbind use default domain = yes', I think Andrew
will be able to hear the screams of protest from Europe and this would
be for one user who has already been told to make their AD users into
Unix users and remove them from /etc/passwd.

Rowland
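
The collision described in the message above can be audited on a domain member by comparing local account names with the AD account list. This is an added example, not part of the original message or of Samba's code; `find_shadowed`, `sample_run` and the sample data are constructed for illustration, and the default winbind separator `\` is assumed.

```shell
#!/bin/sh
# List account names that exist both in a passwd-format file and in a list of
# AD accounts. With "files" ahead of "winbind" in /etc/nsswitch.conf and
# 'winbind use default domain = yes', each name printed resolves to the local
# entry and the AD account of the same name is never reached.

# find_shadowed PASSWD_FILE AD_LIST   (hypothetical helper, not a Samba tool)
find_shadowed() {
    awk -F: '
        NR == FNR {                        # first file: AD account names
            name = $0
            sub(/^.*\\/, "", name)         # drop DOMAIN\ prefix (default separator assumed)
            if (name != "") ad[tolower(name)] = 1
            next
        }
        /^[#+-]/ || $1 == "" { next }      # skip comments and compat-style +/- entries
        (tolower($1) in ad) { print $1 }   # local name that shadows an AD account
    ' "$2" "$1"
}

# Constructed sample data, not taken from any real system.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
xyz:x:1001:1001:local XYZ:/home/xyz:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    cat > "$dir/ad" <<'EOF'
EXAMPLE\Administrator
EXAMPLE\XYZ
alice
backup
EOF
    find_shadowed "$dir/passwd" "$dir/ad"
    rm -rf "$dir"
}

sample_run
# On a domain member the two inputs would come from:
#   getent -s files passwd > passwd.local ; wbinfo -u > ad.users
```

Names are compared case-insensitively and with any `DOMAIN\` prefix removed, so the same check works whether or not 'winbind use default domain = yes' is set.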