Winbind issue after upgrading from 4.7.x to 4.8.x

miguel.sanders.external at arcelormittal.com miguel.sanders.external at arcelormittal.com
Fri Aug 10 08:22:28 UTC 2018 

Hi

It's a known bug apparently (#13503).

Met vriendelijke groeten
Best regards

*Miguel Sanders*
ArcelorMittal Europe – Flat Products – Business Division North

External collaborator | Midrange UNIX
John Kennedylaan 51 B-9042 Gent
*T* +32 9 347 52 78
*E* gen-sid-ism-cbi-sig at arcelormittal.com
*E* miguel.sanders.external at arcelormittal.com
On 10-08-18 10:19, Rowland Penny via samba-technical wrote:
> **This Message originated from a Non-ArcelorMittal source**
>
>
> On Thu, 9 Aug 2018 16:48:24 -0700
> Jeremy Allison via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
>> On Thu, Aug 09, 2018 at 02:49:06PM +0200, Miguel Sanders via
>> samba-technical wrote:
>>> We are simply missing the else block which should return false
>>> (similar to the 4.7.x code).
>>> Attached a simply patch which solves the issue.
>>>
>>> Review is appreciated
>>>
>>> Many thanks
>>>
>>> --
>>> Met vriendelijke groeten
>>> Best regards
>>>
>>> *Miguel Sanders*
>>> ArcelorMittal Europe – Flat Products – Business Division North
>>>
>>> External collaborator | Midrange UNIX
>>> John Kennedylaan 51 B-9042 Gent
>>> *T* +32 9 347 52 78
>>> *E* gen-sid-ism-cbi-sig at arcelormittal.com
>>> *E* miguel.sanders.external at arcelormittal.com
>>> --- /tmp/winbindd_util.c    2018-06-26 16:42:46.000000000 +0200
>>> +++ winbindd_util.c 2018-08-09 14:43:56.386223278 +0200
>>> @@ -1605,6 +1605,8 @@
>>>              } else if (assume_domain(lp_workgroup())) {
>>>                      fstrcpy(domain, lp_workgroup());
>>>                      fstrcpy(namespace, domain);
>>> +           } else {
>>> +                   return false;
>>>              }
>>>      }
>> In master and 4.9.x this has been fixed by the equivalent of
>> the following:
>>
>> diff --git a/source3/winbindd/winbindd_util.c
>> b/source3/winbindd/winbindd_util.c index aa633419c9a..7a5fb73cdef
>> 100644 --- a/source3/winbindd/winbindd_util.c
>> +++ b/source3/winbindd/winbindd_util.c
>> @@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
>>                  } else if (assume_domain(lp_workgroup())) {
>>                          fstrcpy(domain, lp_workgroup());
>>                          fstrcpy(namespace, domain);
>> +               } else {
>> +                       fstrcpy(namespace, lp_netbios_name());
>>                  }
>>          }
>>
>> Can you check this out and see if it also fixes your problem ?
>>
>> Thanks,
>>
>>        Jeremy.
>>
> Hang on here, if you are going to start allowing the same username
> in /etc/password and AD, you will also need to remove 'winbind use
> default domain = yes' and force everybody to to use 'DOMAIN\username'
> when referring to an AD user.
>
> Reason: if there is a user called 'XYZ' in /etc/passwd and another one
> called 'XYZ' in AD and 'winbind use default domain = yes' is set, then
> the user in AD will never be used, this is because 'passwd files
> winbind' will be set in /etc/nsswitch.conf and the search will stop
> after 'files' is searched. Now this may be okay if 'XYZ' in /etc/passwd
> is the same user as 'XYZ' in AD, but what if it isn't ?
>
> If you do remove 'winbind use default domain = yes', I think Andrew
> will be able to hear the screams of protest from Europe and this would
> be for one user who has already been told to make their AD users into
> Unix users and remove them from /etc/passwd.
>
> Rowland
>

More information about the samba-technical mailing list