[Samba] suddenly change: idmap uid + gid

Andrew Bartlett abartlet at samba.org
Sun Nov 3 21:11:06 UTC 2019

On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > G'Day Rowland,
> > 
> > Are you really sure that is the case?
> > 
> > The "winbind use default domain" code, which I authored, certainly
> > isn't intended to do that.  It changes the formatting at the nss
> > interface to strip the domain\ prefix, allowing local logins with pam
> > etc to avoid typing the domain.
> I suppose it depends on just where the domain is stripped. If it is very
> early on, then DOMAINA\fred and DOMAINB\fred would become fred and fred,
> so how would winbind know which is which?

It only strips the default domain. All the others are untouched.  It is
(essentially) also only in the getpwnam() and pam codepaths, not in the
SID->ID stuff, we generally avoid going via names as much as possible. 

This is by design.  The whole idea of idmap_autorid and idmap_rid is
that we don't want to rely on any remote communication (eg name->sid
calls and reverse) to determine the mapping, as that could fail at the
critical moment.

> This is the only reason I can think of that could change the ID.
> Can you think of another reason Andrew ?

As I said, I suspect autorid.tdb is being damaged or removed.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
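
Added example (not part of the message above and not Samba source code): a simplified Python model of range-based SID->ID mapping, showing that the result depends only on the SID and locally stored range assignments, and why losing that local store changes the IDs. The range values, the key format, the class and function names, and the domain SIDs are assumptions constructed for illustration; the idmap_rid formula is the one given in its man page.

```python
# Simplified model of range-based SID->ID mapping (illustration only).
# Assumed configuration values, chosen for this example:
RANGE_LOW = 100000    # first ID handed out
RANGE_SIZE = 100000   # IDs per domain range


class AutoridModel:
    """Stand-in for the local range database (the role autorid.tdb plays)."""

    def __init__(self):
        # Hypothetical key format: "<domain SID>#<range index>" -> slot number
        self.slots = {}

    def sid_to_id(self, sid):
        domain_sid, rid = sid.rsplit("-", 1)
        rid = int(rid)
        key = f"{domain_sid}#{rid // RANGE_SIZE}"
        # A domain range seen for the first time takes the next free slot.
        # This local state is the only input besides the SID itself:
        # no name lookup and no call to a remote server.
        slot = self.slots.setdefault(key, len(self.slots))
        return RANGE_LOW + slot * RANGE_SIZE + rid % RANGE_SIZE


def rid_backend_id(rid, low_range_id, base_rid=0):
    """idmap_rid man page formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low_range_id


# Constructed domain SIDs (not real domains)
DOM_A = "S-1-5-21-1111111111-2222222222-3333333333"
DOM_B = "S-1-5-21-4444444444-5555555555-6666666666"


def demo():
    db = AutoridModel()
    first = [db.sid_to_id(f"{DOM_A}-1105"), db.sid_to_id(f"{DOM_B}-1105")]
    again = db.sid_to_id(f"{DOM_A}-1105")      # same database: same answer
    fresh = AutoridModel()                     # database removed and recreated
    b_after = fresh.sid_to_id(f"{DOM_B}-1105")  # DOM_B happens to be seen first
    a_after = fresh.sid_to_id(f"{DOM_A}-1105")
    return first, again, a_after, b_after


if __name__ == "__main__":
    print(demo())
```

In the model, the same user in DOM_A moves from one ID to another once the store is recreated and the domains are encountered in a different order, so existing file ownership on disk no longer matches.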
