[Samba] suddenly change: idmap uid + gid

Andrew Bartlett abartlet at samba.org
Sun Nov 3 21:35:24 UTC 2019


On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
> On 03/11/2019 21:11, Andrew Bartlett wrote:
> > On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > > > G'Day Rowland,
> > > > 
> > > > Are you really sure that is the case?
> > > > 
> > > > The "winbind use default domain" code, which I authored, certainly
> > > > isn't intended to do that.  It changes the formatting at the nss
> > > > interface to strip the domain\ prefix, allowing local logins with
> > > > pam etc to avoid typing the domain.
> > > 
> > > I suppose it depends on just where the domain is stripped. If it is
> > > very early on, then DOMAINA\fred and DOMAINB\fred would become fred
> > > and fred, so how would winbind know which is which ?
> > 
> > It only strips the default domain. All the others are untouched.  It is
> > (essentially) also only in the getpwnam() and pam codepaths, not in the
> > SID->ID stuff; we generally avoid going via names as much as possible.
> > 
> > This is by design.  The whole idea of idmap_autorid and idmap_rid is
> > that we don't want to rely on any remote communication (eg name->sid
> > calls and reverse) to determine the mapping, as that could fail at the
> > critical moment.
> > 
> 
> Then why does 'man smb.conf' say this (abridged) about 'winbind use
> default domain' ?
> 
> This parameter specifies whether the winbindd(8) daemon should operate
> on users without domain component in their username.
> Users without a domain component are treated as is part of the winbindd
> server's own domain.
> 
> This option should be avoided if possible. It can cause confusion about
> responsibilities for a user or group.
> In many situations it is not clear whether winbind or /etc/passwd should
> be seen as authoritative for a user, likewise for groups.
> 
> This (to me) means, do not use 'winbind use default domain = yes' with
> multiple domains.

The poorly-worded text there is referring to the difference between the
local 'domain' of the member server itself and the AD domain.

On real-world member servers there are generally no local users, so
this doesn't come up as much as the manpage fears.

> I also think that if there is a problem with winbind causing this, we
> would have heard a lot more about it before now.

Yes, this is a commonly used parameter for the reason I added it, that
it is very helpful.  I think we have likely improved Samba and seen
even less use of local groups since then.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
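The two behaviours the thread turns on, as an added illustrative model and not Samba's own code: idmap_rid derives a Unix ID from a SID purely by arithmetic against locally configured ranges (so no name->sid round trip to a DC is needed, which is the design point Andrew makes), and 'winbind use default domain' strips only the winbindd server's own domain prefix at the NSS formatting step, so DOMAINA\fred and DOMAINB\fred remain distinct. The domain names, SIDs and ranges below are constructed sample configuration; the ID = RID - base_rid + low formula is idmap_rid's documented mapping, and the default-domain check is an assumption about where the stripping happens, made to match the description in the thread.

```python
# Illustrative model (added example, not Samba's code) of idmap_rid's
# arithmetic SID<->ID mapping and of "winbind use default domain" stripping
# only the default domain prefix at the NSS layer.

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RidRange:
    """idmap config for one domain using idmap_rid (values are constructed)."""
    domain: str
    domain_sid: str   # S-1-5-21-... without the trailing RID
    low: int          # "idmap config DOM : range = low-high"
    high: int
    base_rid: int = 0  # "idmap config DOM : base_rid", default 0


# Constructed sample configuration for two domains with disjoint ranges.
IDMAP: List[RidRange] = [
    RidRange("DOMAINA", "S-1-5-21-1111-2222-3333", 10000, 19999),
    RidRange("DOMAINB", "S-1-5-21-4444-5555-6666", 20000, 29999),
]


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID into its domain part and RID, e.g. S-1-5-21-1-2-3-1001."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_to_id(sid: str, ranges: List[RidRange] = IDMAP) -> Optional[int]:
    """idmap_rid: ID = RID - base_rid + low, valid only inside the range.

    The domain is identified by SID prefix from local config, so no DC is
    contacted; an unknown domain or an out-of-range RID yields no mapping."""
    dom_sid, rid = split_sid(sid)
    for r in ranges:
        if r.domain_sid == dom_sid:
            unix_id = rid - r.base_rid + r.low
            if r.low <= unix_id <= r.high:
                return unix_id
            return None  # RID outside the configured range
    return None  # domain SID not configured


def id_to_sid(unix_id: int, ranges: List[RidRange] = IDMAP) -> Optional[str]:
    """Reverse mapping: the range identifies the domain, arithmetic the RID."""
    for r in ranges:
        if r.low <= unix_id <= r.high:
            rid = unix_id - r.low + r.base_rid
            return f"{r.domain_sid}-{rid}"
    return None


def nss_name(domain: str, user: str, default_domain: str,
             use_default_domain: bool, separator: str = "\\") -> str:
    """Format a name for getpwnam()/NSS output.

    With 'winbind use default domain = yes' only the winbindd server's own
    domain prefix is dropped (assumed comparison: case-insensitive domain
    name); every other domain keeps its DOMAIN<separator>user form."""
    if use_default_domain and domain.upper() == default_domain.upper():
        return user
    return f"{domain}{separator}{user}"


if __name__ == "__main__":
    fred_a = "S-1-5-21-1111-2222-3333-1105"
    fred_b = "S-1-5-21-4444-5555-6666-1105"
    print(sid_to_id(fred_a), sid_to_id(fred_b))          # 11105 21105
    print(id_to_sid(11105))                              # DOMAINA's SID
    print(nss_name("DOMAINA", "fred", "DOMAINA", True))  # fred
    print(nss_name("DOMAINB", "fred", "DOMAINA", True))  # DOMAINB\fred
```

Note that the same RID in two domains lands in two different, non-overlapping ID ranges, and the reverse lookup recovers the domain from the range alone; the NSS-level stripping never feeds back into that mapping, which is why it cannot merge the two users.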
