[Samba] pam_winbind, ssh and cross-forest membership...

Rowland Penny rpenny at samba.org
Tue Jan 18 21:24:34 UTC 2022

On Tue, 2022-01-18 at 19:15 +0100, Marco Gaiarin via samba wrote:
> Greetings! Rowland Penny via samba
>   on that day was saying...
> > Can you provide a link to where Andrew said this ?
> 	https://lists.samba.org/archive/samba/2019-November/226864.html
> and the thread, but re-reading all the stuff now, I've probably
> misinterpreted something.

OK, Andrew wrote:

It only strips the default domain. All the others are untouched.  It is
(essentially) also only in the getpwnam() and pam codepaths, not in the
SID->ID stuff, we generally avoid going via names as much as possible. 

However 'man smb.conf' says this about 'winbind use default domain':

This parameter specifies whether the winbindd(8) daemon should operate
on users without domain component in their username. Users without a
domain component are treated as is part of the winbindd server's own
domain. While this does not benefit Windows users, it makes SSH, FTP and
e-mail function in a way much closer to the way they would in a native
unix system.

This option should be avoided if possible. It can cause confusion about
responsibilities for a user or group. In many situations it is not
clear whether winbind or /etc/passwd should be seen as authoritative
for a user, likewise for groups.

One of those must be wrong: either it uses the default domain (or no
domain) for all users and groups (no matter the originating domain), or
it only works with the users and groups from the default domain.

If you set 'winbind use default domain = yes' in a smb.conf file with
multiple domains, then strange things happen. There is also the fact
that the parameter is 'winbind use default domain', the 'default'
domain (When using the 'rid' or 'ad' backend) is the one that isn't
'*'. How does winbind know what is the 'default' domain if there are
more than one domain that isn't the '*' domain ?

If Andrew is correct, then the 'winbind use default domain' parameter
in 'man smb.conf' needs a much better description.

> > The smb.conf manpage still says this about 'winbind use default
> > domain':
> Andrew said something about this. It suffices NOT to have login
> clashes, and
> there are no login clashes.
> Anyway, found another strange thing about this: domain forest root
> tree DOM.IT,
> four domains joined in forest SUBA.DOM.IT, SUBB, SUBC and SUBD.
> User 'a' of domain SUBA.DOM.IT is also a member of group 'groupa' in
> forest root tree
> domain DOM.IT.
> On a machine joined to any SUB domain (with or without 'winbind
> use default domain =
> yes'), user 'a' shows up in group 'groupa'; if the machine is joined to
> forest
> root 'DOM.IT', the user does NOT belong to 'groupa'.
> I need to dig a bit deeper...

I can lend you a good spade :-D
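
As an added example (mine, not from this thread and not Samba's own code), a small Python lint for the combination Rowland objects to above: it reads the [global] section of an smb.conf, collects every 'idmap config <DOM> : ...' block, treats every <DOM> other than '*' as a named domain, and reports when 'winbind use default domain = yes' is set alongside more than one of them. The finding also echoes the 'workgroup' value, since the man page text quoted above says unqualified names are taken to belong to the winbindd server's own domain. The sample smb.conf is constructed for illustration (it is not Marco's real configuration; only the domain names SUBA and DOM are taken from his description), and the parser handles the plain 'name = value' form only, not 'include =' or variable substitution.

```python
"""Added example, not from the thread or from Samba: a lint for the
combination Rowland objects to.  It reads the [global] section of an
smb.conf, collects every 'idmap config <DOM> : ...' block, treats every
<DOM> other than '*' as a named domain, and reports when
'winbind use default domain = yes' is set alongside more than one of them.
"""
import re

# Constructed smb.conf (assumption: not Marco's real config).  Domain names are
# taken from the thread: a member of SUBA.DOM.IT that also carries an idmap
# block for the forest root DOM.IT.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SUBA
   realm = SUBA.DOM.IT
   security = ADS
   winbind use default domain = yes
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SUBA : backend = rid
   idmap config SUBA : range = 10000-999999
   idmap config DOM : backend = rid
   idmap config DOM : range = 1000000-1999999
"""

# 'idmap config <domain> : <option> = <value>'; the domain may be '*'.
_IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
# Any other 'name = value' parameter.
_PARAM_RE = re.compile(r"^([^=;#\[]+?)\s*=\s*(.*?)\s*$")


def parse_global(text):
    """Return (params, idmap) for the [global] section.

    params maps lower-cased, whitespace-normalised parameter names to values
    (smb.conf parameter names are case- and whitespace-insensitive);
    idmap maps each idmap domain to its {option: value} dict.
    Comment lines (#, ;) and other sections are skipped; 'include =' is not followed.
    """
    params, idmap = {}, {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        m = _IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            idmap.setdefault(dom, {})[opt.lower()] = val
            continue
        m = _PARAM_RE.match(line)
        if m:
            name = re.sub(r"\s+", " ", m.group(1)).lower()
            params[name] = m.group(2)
    return params, idmap


def uses_default_domain(params):
    """True when 'winbind use default domain' is set to yes/true/1."""
    val = params.get("winbind use default domain", "no").strip().lower()
    return val in ("yes", "true", "1")


def named_domains(idmap):
    """Every idmap domain except the '*' catch-all, sorted for stable output."""
    return sorted(d for d in idmap if d != "*")


def lint(text):
    """Return a list of findings; an empty list means nothing to report."""
    params, idmap = parse_global(text)
    if not uses_default_domain(params):
        return []
    named = named_domains(idmap)
    own = params.get("workgroup", "<unset>")
    if len(named) > 1:
        return [
            "winbind use default domain = yes with %d named idmap domains (%s); "
            "per 'man smb.conf' an unqualified name is taken to belong to the "
            "server's own domain (workgroup = %s), so names from the other "
            "domain(s) still need a domain qualifier" % (len(named), ", ".join(named), own)
        ]
    if not named:
        return ["winbind use default domain = yes but only the '*' idmap block is configured"]
    return []


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```

Run it against a real file with `lint(open("/etc/samba/smb.conf").read())`; on a host where `testparm -s` is available, feeding its output instead of the raw file gets you the effective values after includes and defaults.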

