Winbind issue after upgrading from 4.7.x to 4.8.x

Rowland Penny rpenny at samba.org
Fri Aug 10 14:27:40 UTC 2018


On Fri, 10 Aug 2018 10:22:28 +0200
Miguel Sanders via samba-technical <samba-technical at lists.samba.org>
wrote:

> Hi
> 
> It's a known bug apparently (#13503).
> 

Yes, it might be, but it also says:

[quote]
getpwnam resolves local system accounts to AD accounts.


This is normally how the lookup is done:

getent passwd ADDOMAIN/alice
ADDOMAIN/alice:*:100000:100006::/home/ADDOMAIN/Domain Users/alice:/bin/false


This should not resolve to an AD user, unless 'winbind use default domain = yes' is set:

getent passwd alice
ADDOMAIN/alice:*:100000:100006::/home/ADDOMAIN/Domain Users/alice:/bin/false
[/quote]

I would love to see the smb.conf that allows the above.

From my investigations, there are several things wrong with it. One is
'ADDOMAIN/alice': to be correct on Unix, it should be 'ADDOMAIN\\alice'.

You would probably also need 'map untrusted to domain = yes' to stand
any chance of getting this to work, but I cannot. I cannot get any
variation of DOMAIN + separator + alice (with alice in /etc/passwd) to
give any output with 'getent passwd'.

As I have already told you, you should not have a user 'XYZ'
in /etc/passwd and a user 'XYZ' in AD; just make the AD user into a
Unix user. In fact, I cannot add a user to /etc/passwd if it already
exists in AD:

root@dc4:~# useradd -M -N rowland
useradd: user 'rowland' already exists
root@dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/rowland:/bin/bash
root@dc4:~# cat /etc/passwd | grep 'rowland'
root@dc4:~# 
root@dc4:~# 

Rowland
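
The message above advises against having the same user name in /etc/passwd and in AD. As an added example (not part of the original post and not Samba code), this shell function reports such name collisions between a passwd-format file and a list of AD user names, such as one saved from `wbinfo -u`. The function names, the file arguments and the case-insensitive comparison are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: list names that exist both in a passwd-format file and in
# a winbind user listing (one name per line, e.g. saved from `wbinfo -u`).
# Function names, arguments and case-insensitive matching are assumptions.

# Usage: find_collisions PASSWD_FILE AD_USER_LIST
find_collisions() {
    passwd_file=$1
    ad_list=$2
    awk -F: '
        pass == 1 {                          # first operand: AD user list
            name = $0
            sub("^.*[\\\\/+]", "", name)     # strip the domain prefix, if any
            if (name != "") ad[tolower(name)] = $0
            next
        }
        /^[#+-]/ || $1 == "" { next }        # comments, NIS compat entries
        (tolower($1) in ad) {
            printf "%s uid=%s collides with %s\n", $1, $3, ad[tolower($1)]
        }
    ' pass=1 "$ad_list" pass=2 "$passwd_file"
}

# Constructed sample data, not taken from a real system.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1001:1001::/home/alice:/bin/bash' \
                  'backup:x:34:34::/var/backups:/usr/sbin/nologin' > "$tmp/passwd"
    printf '%s\n' 'ADDOMAIN\alice' 'ADDOMAIN\Administrator' \
                  'ADDOMAIN\bob' > "$tmp/ad_users"
    find_collisions "$tmp/passwd" "$tmp/ad_users"
    rm -rf "$tmp"
}

demo
```

An empty result means no local account name is also present in the AD listing; each reported line names a local account to rename or remove.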


