Winbind issue after upgrading from 4.7.x to 4.8.x

Rowland Penny rpenny at
Fri Aug 10 14:27:40 UTC 2018

On Fri, 10 Aug 2018 10:22:28 +0200
Miguel Sanders via samba-technical <samba-technical at>

> Hi
> It's a known bug apparently (#13503).

Yes, it might be, but it also says:

getpwnam resolves local system accounts to AD accounts.

This is normally how the lookup is done:

getent passwd ADDOMAIN/alice
ADDOMAIN/alice:*:100000:100006::/home/ADDOMAIN/Domain Users/alice:/bin/false

This should not resolve to an AD user, unless 'winbind use default domain = yes' is set:

getent passwd alice
ADDOMAIN/alice:*:100000:100006::/home/ADDOMAIN/Domain Users/alice:/bin/false

I would love to see the smb.conf that allows the above.

From my investigations, there are several things wrong with it. One is
'ADDOMAIN/alice'; to be correct on Unix, it should be 'ADDOMAIN\\alice'.

You would probably also need 'map untrusted to domain = yes' to stand
any chance of getting this to work, but I cannot. I cannot get any
variation of DOMAIN + separator + alice (with alice in /etc/passwd) to
give any output with 'getent passwd'.

As I have already told you, you should not have a user 'XYZ'
in /etc/passwd and a user 'XYZ' in AD; just make the AD user into a
Unix user. In fact, I cannot add a user to /etc/passwd if it already
exists in AD:

root@dc4:~# useradd -M -N rowland
useradd: user 'rowland' already exists
root@dc4:~# getent passwd rowland
root@dc4:~# cat /etc/passwd | grep 'rowland'
root@dc4:~# 
root@dc4:~# 
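
The following is an added example, not part of the original post: a shell check that lists account names present both in a passwd-format file and in a list of AD users, the overlap the message above says to avoid. The function names, the sample files and the case-insensitive comparison are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: find names that exist both locally and in AD.
# On a real host the inputs would be /etc/passwd and the saved output
# of `wbinfo -u`; here both are constructed samples.

# Print lowercase login names from a passwd-format file.
local_names() {
    awk -F: '!/^#/ && NF > 1 { print tolower($1) }' "$1" | sort -u
}

# Print lowercase short names from an AD user list, stripping any
# "DOMAIN\" or "DOMAIN/" prefix (either winbind separator).
ad_short_names() {
    sed -e 's|^.*[\\/]||' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed '/^$/d' | sort -u
}

# Print every name found in both sources, one per line.
find_collisions() {
    tmp_l=$(mktemp)
    tmp_a=$(mktemp)
    local_names "$1" > "$tmp_l"
    ad_short_names "$2" > "$tmp_a"
    comm -12 "$tmp_l" "$tmp_a"
    rm -f "$tmp_l" "$tmp_a"
}

# Constructed sample data (not taken from the original post).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'backup:x:34:34::/var/backups:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' \
        'ADDOMAIN\Administrator' \
        'ADDOMAIN\Alice' \
        'ADDOMAIN/bob' > "$d/ad_users"
    find_collisions "$d/passwd" "$d/ad_users"
    rm -rf "$d"
}

demo
```

Any name it prints is an account whose local entry and AD entry share a short name and should be reviewed before upgrading winbind.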

