[Samba] winbind use default domain problem after upgrade
perttu.aaltonen at mac.com
Wed Mar 10 16:46:55 UTC 2021
> On 10. Mar 2021, at 18.28, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 10/03/2021 15:31, Perttu Aaltonen via samba wrote:
>> Perhaps I’ve misunderstood the “winbind use default domain” parameter. According to the smb.conf manual it doesn’t apply to “Windows users” meaning SMB clients.
> It doesn't say that, it says that it 'does not benefit Windows users', which has a different meaning. If you log into a Unix domain member as an AD user, your username wil be displayed as 'username' if 'winbind use default domain = yes' is set in smb.conf. If it isn't there, or it is set to 'no', then it will be displayed as 'DOMAIN\username' (note: this is the only way that users are displayed 0n Samba DC's, even if the line is added to smb.conf)
>> It also doesn’t seem to have any effect on the user mapping when authenticating through the SMB connection. On a working system I can connect without providing the domain part even with “winbind use default domain = no”. It doesn’t matter if I provide the "DOMAIN\” or not and the authentication succeeds. But on an updated system the automatic mapping doesn’t work anymore and I’m not sure what affects it when the smb.conf file is identical.
> It probably will work in the way you describe, so you may be having a problem and are describing it incorrectly, if so, what isn't working ?
My assumption was that “winbind use default domain” affects the user mapping when they authenticate an SMB connection. So if the user hasn’t provided the domain part it will add the domain/workgroup part automatically. But now in my testing it seems that it doesn’t actually affect this. Setting it to ’no’ doesn’t block authenticating with only the username part and I can see in the log that “\user” is still mapped to “DOMAIN\user”.
This is how it works for me in Samba 4.10.5. I’m trying to find the exact version where authenticating with only the username part breaks for me and while doing that I noticed this. That this parameter doesn’t appear to work the way I thought it would, meaning it affecting the mapping of the username to domain user.
More information about the samba