[Samba] suddenly change: idmap uid + gid
Rowland penny
rpenny at samba.org
Sun Nov 3 21:29:05 UTC 2019
On 03/11/2019 21:11, Andrew Bartlett wrote:
> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>> G'Day Rowland,
>>>
>>> Are you really sure that is the case?
>>>
>>> The "winbind use default domain" code, which I authored, certainly
>>> isn't intended to do that. It changes the formatting at the nss
>>> interface to strip the domain\ prefix, allowing local logins with
>>> pam
>>> etc to avoid typing the domain.
>> I suppose it depends on just where the domain is stripped. If it is
>> very
>> early on, then DOMAINA\fred and DOMAINB\fred would become fred and
>> fred,
>> so how would winbind know which is which ?
> It only strips the default domain. All the others are untouched. It is
> (essentially) also only in the getpwnam() and pam codepaths, not in the
> SID->ID stuff, we generally avoid going via names as much as possible.
>
> This is by design. The while idea of idmap_autorid and idmap_rid is
> that we don't want to rely on any remote communication (eg name->sid
> calls and reverse) to determine the mapping, as that could fail at the
> critical momenet.
>
Then when why does 'man smb.conf' say this (abridged) about 'winbind use
default domain' ?
This parameter specifies whether the winbindd(8) daemon should operate
on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd
server's own domain.
This option should be avoided if possible. It can cause confusion about
responsibilities for a user or group.
In many situations it is not clear whether winbind or /etc/passwd should
be seen as authoritative for a user, likewise for groups.
This (to me) means, do not use 'winbind use default domain = yes' with
multiple domains.
I also think that if there is a problem with winbind causing this, we
would have heard a lot more about it before now.
Rowland
More information about the samba
mailing list