[Samba] suddenly change: idmap uid + gid

Rowland penny rpenny at samba.org
Sun Nov 3 21:29:05 UTC 2019

On 03/11/2019 21:11, Andrew Bartlett wrote:
> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>> G'Day Rowland,
>>> Are you really sure that is the case?
>>> The "winbind use default domain" code, which I authored, certainly
>>> isn't intended to do that.  It changes the formatting at the nss
>>> interface to strip the domain\ prefix, allowing local logins with
>>> pam
>>> etc to avoid typing the domain.
>> I suppose it depends on just where the domain is stripped. If it is
>> very
>> early on, then DOMAINA\fred and DOMAINB\fred would become fred and
>> fred,
>> so how would winbind know which is which ?
> It only strips the default domain. All the others are untouched.  It is
> (essentially) also only in the getpwnam() and pam codepaths, not in the
> SID->ID stuff, we generally avoid going via names as much as possible.
> This is by design.  The while idea of idmap_autorid and idmap_rid is
> that we don't want to rely on any remote communication (eg name->sid
> calls and reverse) to determine the mapping, as that could fail at the
> critical momenet.
Then when why does 'man smb.conf' say this (abridged) about 'winbind use 
default domain' ?

This parameter specifies whether the winbindd(8) daemon should operate 
on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd 
server's own domain.

This option should be avoided if possible. It can cause confusion about 
responsibilities for a user or group.
In many situations it is not clear whether winbind or /etc/passwd should 
be seen as authoritative for a user, likewise for groups.

This (to me) means, do not use 'winbind use default domain = yes' with 
multiple domains.

I also think that if there is a problem with winbind causing this, we 
would have heard  a lot more about it before now.


More information about the samba mailing list