[Samba] Question regarding default user domain in samba

Andrew Bartlett abartlet at samba.org
Sun Feb 26 18:48:49 MST 2012

On Wed, 2012-02-22 at 12:40 -0600, Daniel Patrick Sullivan wrote:
> Hi, Everybody,
> I sent an email to this list with a couple of questions in it earlier
> this week; this is kind of a 'repeat' question, so I apologize if
> you've read this one already; I wanted to flesh out the details of my
> inquisition a tad bit more in hopes that somebody could potentially
> chime in with an answer as I am afraid that I either a) didn't
> articulate my question in enough detail or b) didn't ask nicely
> enough the first time :-)
> Ok, so here's my problem; I am working in an environment with an
> Active Directory forest where 100% of our user accounts exist in one
> domain and 100% of our computer objects exist in another domain.  I
> have winbind setup with pam & ssh, and everything is working fine.  I
> can authenticate across the trust no problem.  My issue is that whenever
> I authenticate, I have to supply the domain name and whatever domain
> separator is configured in smb.conf to get this working.  I know about
> the "use default domain" option in smb.conf, but from what I
> understand this will only "prepend" the default realm, or the domain
> that the computer is actually a domain member of.  So really, I want
> to:
> 1) set the 'use default domain' option (or implement similar functionality) AND
> 2) specify the actual domain that is used (i.e. a domain that is
> trusted, although NOT the domain that the server is actually a member
> of).
> Does anybody know if this is possible?  

No, it is not.  While I originally created 'winbind use default domain',
and I've seen it used exactly how I intended in the multi-protocol NAS
that I now work on, I also understand that others find that it has
caused us challenges in our internal implementation, in particular due
to the ambiguity it creates between local system users and winbind

Therefore, I suspect it will not be extended.  

On the other hand, the views of my colleagues may have changed, and a
clean patch implementing this might help show why this is worth-while. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
