[Samba] suddenly change: idmap uid + gid
abartlet at samba.org
Sun Nov 3 21:35:24 UTC 2019
On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
> On 03/11/2019 21:11, Andrew Bartlett wrote:
> > On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > > > G'Day Rowland,
> > > >
> > > > Are you really sure that is the case?
> > > >
> > > > The "winbind use default domain" code, which I authored, certainly
> > > > isn't intended to do that. It changes the formatting at the nss
> > > > interface to strip the domain\ prefix, allowing local logins with
> > > > pam etc to avoid typing the domain.
> > >
> > > I suppose it depends on just where the domain is stripped. If it is
> > > very early on, then DOMAINA\fred and DOMAINB\fred would become fred
> > > and fred, so how would winbind know which is which ?
> > It only strips the default domain. All the others are untouched. It is
> > (essentially) also only in the getpwnam() and pam codepaths, not in
> > the SID->ID stuff; we generally avoid going via names as much as
> > possible.
> > This is by design. The whole idea of idmap_autorid and idmap_rid is
> > that we don't want to rely on any remote communication (eg name->sid
> > calls and reverse) to determine the mapping, as that could fail at
> > the critical moment.
> Then why does 'man smb.conf' say this (abridged) about 'winbind use
> default domain' ?
> This parameter specifies whether the winbindd(8) daemon should operate
> on users without domain component in their username.
> Users without a domain component are treated as is part of the
> server's own domain.
> This option should be avoided if possible. It can cause confusion about
> responsibilities for a user or group.
> In many situations it is not clear whether winbind or /etc/passwd should
> be seen as authoritative for a user, likewise for groups.
> This (to me) means, do not use 'winbind use default domain = yes' with
> multiple domains.
The poorly-worded text there is referring to the difference between the
local 'domain' of the member server itself and the AD domain.
On real-world member servers there are generally no local users, so
this doesn't come up as much as the manpage fears.
> I also think that if there is a problem with winbind causing this, we
> would have heard a lot more about it before now.
Yes, this is a commonly used parameter for the reason I added it, that
is, it is very helpful. I think we have likely improved Samba and seen
even less use of local groups since then.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
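The two mechanisms discussed in this thread are easy to conflate, so here is a small added example (not Samba code, not part of the original message) that models them side by side: the idmap_rid arithmetic that turns a SID into a Unix ID using only the configured range, with no name lookup, and the separate nss-layer formatting that 'winbind use default domain' applies to the default domain only. The smb.conf fragment, the domain names, the domain SIDs and the ranges are constructed for the example; the ID = RID - base_rid + low arithmetic follows the idmap_rid(8) man page. A same-named user 'fred' in two domains gets two distinct uids even though only one of them shows up as plain 'fred' at the nss interface.

```python
"""Model of idmap_rid SID->ID mapping versus 'winbind use default domain'.

Added example; assumptions: constructed smb.conf values, constructed domain
SIDs, and the idmap_rid formula ID = RID - base_rid + range_low.
"""
import configparser
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed smb.conf fragment: member of DOMA with a trusted domain DOMB.
SMB_CONF = """
[global]
workgroup = DOMA
security = ads
winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMA : backend = rid
idmap config DOMA : range = 10000-19999
idmap config DOMB : backend = rid
idmap config DOMB : range = 20000-29999
"""

# Constructed domain SIDs (hypothetical, not real domains).
DOMAIN_SIDS = {"DOMA": "S-1-5-21-111-222-333", "DOMB": "S-1-5-21-444-555-666"}

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class RidRange:
    low: int
    high: int
    base_rid: int = 0  # idmap_rid 'base_rid' defaults to 0


@dataclass
class IdmapConfig:
    default_domain: str
    use_default_domain: bool
    rid_ranges: Dict[str, RidRange]


def parse_smb_conf(text: str) -> IdmapConfig:
    """Pull the idmap ranges and the default-domain switch out of [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of domain names in option keys
    cp.read_string(text)
    g = cp["global"]
    per_domain: Dict[str, Dict[str, str]] = {}
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+)\s*:\s*(\S+)", key)
        if m:
            per_domain.setdefault(m.group(1).upper(), {})[m.group(2)] = value.strip()
    rid_ranges: Dict[str, RidRange] = {}
    for dom, s in per_domain.items():
        if s.get("backend") != "rid":
            continue  # only the rid backend is modelled here
        low, high = (int(x) for x in s["range"].split("-"))
        rid_ranges[dom] = RidRange(low, high, int(s.get("base_rid", "0")))
    flag = g.get("winbind use default domain", "no").strip().lower()
    return IdmapConfig(
        default_domain=g["workgroup"].strip().upper(),
        use_default_domain=flag in ("yes", "true", "1"),
        rid_ranges=rid_ranges,
    )


def sid_to_id(sid: str, cfg: IdmapConfig) -> Optional[int]:
    """idmap_rid: ID = RID - base_rid + low, purely local arithmetic.

    Returns None when the SID is malformed, belongs to a domain without a
    rid range, or lands outside the configured range (unmappable).
    """
    m = SID_RE.match(sid)
    if not m:
        return None
    dom_sid, rid = m.group(1), int(m.group(2))
    domain = next((d for d, s in DOMAIN_SIDS.items() if s == dom_sid), None)
    if domain is None or domain not in cfg.rid_ranges:
        return None
    r = cfg.rid_ranges[domain]
    unix_id = rid - r.base_rid + r.low
    return unix_id if r.low <= unix_id <= r.high else None


def nss_name(domain: str, account: str, cfg: IdmapConfig) -> str:
    """Name as presented at the nss interface: prefix dropped only for the
    default domain, and only when 'winbind use default domain' is on."""
    if cfg.use_default_domain and domain.upper() == cfg.default_domain:
        return account
    return f"{domain.upper()}\\{account}"


if __name__ == "__main__":
    cfg = parse_smb_conf(SMB_CONF)
    for dom in ("DOMA", "DOMB"):
        sid = f"{DOMAIN_SIDS[dom]}-1105"  # same RID, same account name
        print(nss_name(dom, "fred", cfg), sid, "->", sid_to_id(sid, cfg))
```

Running it prints `fred` with uid 11105 for DOMA and `DOMB\fred` with uid 21105 for DOMB: the uid comes from the SID and the range, never from the name, so stripping the prefix at the nss layer cannot make the two collide. A RID that falls outside the configured range maps to nothing, which is the failure mode to watch for when sizing ranges.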