[Samba] wbinfo -i output different before 1st authentication

Heiner Lesaar heiner.lesaar at googlemail.com
Sun Mar 11 15:48:53 UTC 2018

Dear all,

on CentOs7 based linux w. different versions of Samba (4.6.x from CentOS
repos, but also Sernet-Samba-4.7.4 and also compiled from source), "wbinfo
-i user at domain.tld" returns different results before the first successful
authentication of the user.

Server joined as member to Active Directory, idmapping via tdb2.

On first attempt, the result returns "DOMAIN-REALM+Username", but after 1st
login it switches to "NTDOMAIN+Username" (which is also the correct output).
The tdb files also show the "wrong" info until the login is done (according
to tdbdump comparison). It does not matter if the login happens on a client
or like in my example "locally" via smbclient.

See command output examples:

1st execution after user creation in AD:

# $ wbinfo -i newuser at test.intern

# TEST.INTERN+newuser:*:16777239:16777216::/home/TEST.

Authentication (e.g. here via smbclient):

# $ smbclient \\\\\\sharename -U newuser at test.intern

Execution after 1st login:

# $ wbinfo -i newuser at test.intern

# TEST+newuser:*:16777239:16777216::/home/TEST/newuser:/bin/false


We use the command output to create database entries in a in-house
developed database / application to centrally manage client logins from
various operating systems.

My questions are:

1) Is this expected behaviour or is it influenced by some smb.conf or
krb5.conf option that we are not aware of?

2) Is there a way to query the domain "prefix" of a user which will not
change depending on the fact if the user has ever tried to login to the
server or not?
Does it maybe depend on some command line option?

FYI: getent passwd shows the same behaviour.

Thank you very much for your help and assistance!


More information about the samba mailing list