[Samba] 'winbind use default domain' doesn't appear to work with ntlm_auth

Rowland Penny rpenny at samba.org
Wed Jun 14 08:34:44 UTC 2017


On Wed, 14 Jun 2017 06:58:18 +0000
David Herselman <dhe at syrex.co> wrote:

> Hi Rowland,
> 
> I did enable NTLMv1 to provide necessary support for pppd for PPTP
> VPN connections and that's working as expected. 

OK, but I suggest you find a more secure way of doing things.

> I however do not
> find any release notes pertaining to 'winbind use default domain =
> yes' no longer working on a Samba DC. 

That could be; as far as I am aware, it has never worked on a DC.

> The Samba man pages appear to
> detail options which apply to winbindd
> (https://www.samba.org/samba/docs/man/manpages/winbindd.8.html),
> which includes the 'winbind use default domain' option. The only
> reference to this not working on a Samba DC was a post I stumbled on
> from a while ago where the claim wasn't substantiated and indicated
> that none of the winbind options in smb.conf applied.

There isn't anything in 'man smb.conf' either, but there is this in the
release notes for 4.6.0:

ID Mapping

We discovered that the majority of users have an invalid or incorrect
ID mapping configuration. We implemented checks in the 'testparm' tool
to validate the ID mapping configuration. You should run it and check
if it prints any warnings or errors after upgrading! If it does you
should fix them. See the 'IDENTITY MAPPING CONSIDERATIONS' section in
the smb.conf manpage. There are some ID mapping backends which are not
allowed to be used for the default backend. Winbind will no longer
start if an invalid backend is configured as the default backend.

To avoid problems in future we advise all users to run 'testparm' after
changing the smb.conf file! 

> 
> Everything worked perfectly on 4.4.5, could you point me somewhere
> where this was discussed and possibly a work around, as it breaks
> legacy mail processing?

Can you prove it worked on 4.4.5? If so, there must have been a
regression and you could try filing a bug report. I must however point
out again that 'winbind use default domain = yes' never worked for me
on a DC, so I never tried setting it. It may be that a change
unintentionally made it work, but another later change stopped it
working again.
 
> 
> Are the ntlm_auth problems pertaining to the following debug not an
> issue and as such acceptable?: [2017/06/12 15:46:21.303848,  1,
> pid=31947, effective(0, 0), real(0, 0),
> class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
> rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create
> NETLOGON credentials: NT_STATUS_NO_MEMORY

Something like this is never acceptable, provided Samba is set up
correctly in the first place.

> 
> PS: Apologies about the late reply, I only discovered your reply on
> the samba mailing list archive. It would appear that it takes a while
> before new subscribers start receiving messages...
> 

Do not worry about replying late, you were faster than a lot of
people ;-)

Unless something has changed, you should start receiving messages
almost immediately, but it looks like whatever the problem was, you
are now getting them.

Rowland
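Added example, not from the thread or from Samba itself: a small Python parser for winbind debug entries in the header/continuation format quoted above, which extracts the source function and the NT_STATUS code so that the NETLOGON credential failure can be picked up by monitoring instead of being treated as normal noise. The sample log is constructed: the failing entry is the one quoted in the thread (header re-joined onto one line), the healthy entry before it is invented for contrast.

```python
import re
from collections import namedtuple
from typing import List
# Header of a Samba debug entry, in the form quoted in the thread:
# [YYYY/MM/DD HH:MM:SS.us, level, pid=N, effective(u, g), real(u, g), class=X] file:line(func)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+),"
    r"\s*pid=(?P<pid>\d+),.*?class=(?P<cls>\w+)\]\s*"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z0-9_]+)\b")
# status is the first NT_STATUS_* code found in the message text, or None
DebugEntry = namedtuple("DebugEntry", "ts level pid cls func message status")

def parse_debug_log(text: str) -> List[DebugEntry]:
    """Group each header line with the indented continuation lines that follow it."""
    entries: List[DebugEntry] = []
    header, body = None, []

    def flush():  # reads the current header/body bindings of the loop below
        if header is not None:
            msg = " ".join(l.strip() for l in body)
            m = STATUS_RE.search(msg)
            entries.append(DebugEntry(header["ts"], int(header["level"]), int(header["pid"]),
                                      header["cls"], header["func"], msg, m.group(1) if m else None))

    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()
            header, body = m.groupdict(), []
        elif header is not None and line.strip():
            body.append(line)
    flush()
    return entries

def netlogon_failures(entries: List[DebugEntry]) -> List[DebugEntry]:
    """winbind entries where NETLOGON connection setup reported a non-OK status."""
    return [e for e in entries
            if e.cls == "winbind" and e.func == "cm_connect_netlogon_transport"
            and e.status not in (None, "NT_STATUS_OK")]

# Constructed sample: an invented healthy entry, then the failing entry quoted in the thread.
SAMPLE_LOG = """\
[2017/06/12 15:46:20.100000,  3, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  (invented) NETLOGON credentials for DOMAIN-01 created: NT_STATUS_OK
[2017/06/12 15:46:21.303848,  1, pid=31947, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:3272(cm_connect_netlogon_transport)
  rpccli_create_netlogon_creds failed for DOMAIN-01, unable to create
  NETLOGON credentials: NT_STATUS_NO_MEMORY
"""
```

Run it against `log.winbindd` at debug level 1 or higher; any entry returned by `netlogon_failures` is worth a ticket, since a DC that cannot create NETLOGON credentials for its own domain will not authenticate anything via ntlm_auth.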