[Samba] Different behaviour of winbind in 4.8.3

Rowland Penny rpenny at samba.org
Mon Jul 2 08:20:37 UTC 2018


On Mon, 2 Jul 2018 08:53:31 +0200
Tino Müller via samba <samba at lists.samba.org> wrote:

> Hi list,
> 
> the behaviour of winbind changed in Samba version 4.8.3.
> 
> Having this nsswitch.conf:
> # cat /etc/nsswitch.conf
> passwd:                 compat winbind cache
> group:                  compat winbind cache
> shadow:                 compat
> 
> hosts:                  files dns
> networks:               files
> 
> protocols:              db files
> services:               db files
> ethers:                 db files
> rpc:                    db files
> 
> netgroup:               nis
> 
> and this smb.conf:
> # cat /etc/samba/smb.conf
> [global]
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         realm = SPREADSHIRT.PRIVATE
>         security = ADS
>         server role = member server
>         server string = %h server (Samba, Ubuntu)
>         winbind expand groups = 5
>         winbind offline logon = Yes
>         winbind separator = +
>         workgroup = SPREADSHIRT
>         idmap config * : range = 10000 - 19999
>         idmap config spreadshirt : range = 1000000 - 19999999
>         idmap config spreadshirt : backend = rid
>         idmap config * : backend = tdb
> 
> There is a user in the domain SPREADSHIRT with the name tmutest.
> 
> With Samba 4.8.2 and lower:
> # id tmutest
> id: ‘tmutest’: no such user
> 
> # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
> 
> 
> With Samba 4.8.3:
> # id tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
> 
> root at toolbox01 [lej] ~ # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
> 
> Is this intended?
> Is it possible to change the behaviour back to pre-4.8.3 by
> configuration change?
> 
> Thank you.
> 
> Best,
> Tino
> 

You don't have 'winbind use default domain = yes' so you should have to
use the domain name to get a result.

Can you try this with 'getent passwd tmutest', if this returns output
on 4.8.3, then it is a Samba problem, if it doesn't, it is an 'id'
problem.

The only thing that changed between 4.8.2 & 4.8.3 and seems to be
possibly relevant is this:

https://bugzilla.samba.org/show_bug.cgi?id=13369

Unless you can see something I missed here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Changes_since_4.8.2:

Rowland



More information about the samba mailing list