[Samba] suddenly change: idmap uid + gid

Rowland penny rpenny at samba.org
Sun Nov 3 21:43:30 UTC 2019 

On 03/11/2019 21:35, Andrew Bartlett wrote:
> On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
>> On 03/11/2019 21:11, Andrew Bartlett wrote:
>>> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>>>> G'Day Rowland,
>>>>>
>>>>> Are you really sure that is the case?
>>>>>
>>>>> The "winbind use default domain" code, which I authored,
>>>>> certainly
>>>>> isn't intended to do that.  It changes the formatting at the
>>>>> nss
>>>>> interface to strip the domain\ prefix, allowing local logins
>>>>> with
>>>>> pam
>>>>> etc to avoid typing the domain.
>>>> I suppose it depends on just where the domain is stripped. If it
>>>> is
>>>> very
>>>> early on, then DOMAINA\fred and DOMAINB\fred would become fred
>>>> and
>>>> fred,
>>>> so how would winbind know which is which ?
>>> It only strips the default domain. All the others are
>>> untouched.  It is
>>> (essentially) also only in the getpwnam() and pam codepaths, not in
>>> the
>>> SID->ID stuff, we generally avoid going via names as much as
>>> possible.
>>>
>>> This is by design.  The while idea of idmap_autorid and idmap_rid
>>> is
>>> that we don't want to rely on any remote communication (eg name-
>>>> sid
>>> calls and reverse) to determine the mapping, as that could fail at
>>> the
>>> critical momenet.
>>>
>> Then when why does 'man smb.conf' say this (abridged) about 'winbind
>> use
>> default domain' ?
>>
>> This parameter specifies whether the winbindd(8) daemon should
>> operate
>> on users without domain component in their username.
>> Users without a domain component are treated as is part of the
>> winbindd
>> server's own domain.
>>
>> This option should be avoided if possible. It can cause confusion
>> about
>> responsibilities for a user or group.
>> In many situations it is not clear whether winbind or /etc/passwd
>> should
>> be seen as authoritative for a user, likewise for groups.
>>
>> This (to me) means, do not use 'winbind use default domain = yes'
>> with
>> multiple domains.
> The poorly-worded text there is referrin to the difference between the
> local 'domain' of the member server itself and the AD domain.
>
> On real-world member servers there are generally no local users, so
> this doesn't come up as much as the manpage fears.
>
>> I also think that if there is a problem with winbind causing this,
>> we
>> would have heard  a lot more about it before now.
> Yes, this is a commonly used parameter for the reson I added it, that
> is is very helpful.  I think we have likely improved Samba and seen
> even less use of local groups since then.
>
> Andrew Bartlett
>
If this is true, then I expect you really should patch 'man smb.conf' to 
explain just what it does do. I, like a lot of Samba users, do not read 
the Samba code, so all we can do is read the manpages and if they are 
wrong, then, well words fail me.

Rowland

More information about the samba mailing list