default value for "winbind separator"

Stefan Kania stefan at kania-online.de
Wed Feb 7 19:13:22 UTC 2024


Hello,

Up to this point I never used or noticed the default setting of the
"winbind separator"; I only know that it was "+" in the early days of
Samba. Now that I tried to get GPOs (for smb_conf) running on a DC, the
following happened:

I created the GPO, linked the GPO and then did a "samba-gpupdate
--force" that changed my smb.conf in such a way that all possible options
were written into my smb.conf, including "winbind separator = \".
Up to the point where I did a "testparm" I did not notice the "winbind
separator = \" option. But testparm was showing:
-----------
ERROR: the 'winbind separator' parameter must be a single character.
-----------


I did a "testparm | grep winbind " and I saw:
-----------
root@addc01:~# grep winbind /etc/samba/smb.conf
...
         winbind sealed pipes = Yes
         winbind separator = \
         winbind use default domain = No
...
-----------
The problem here is that the default character for the winbind separator
is the backslash. But the backslash quotes the next character, and the
next character is the LF, so the LF is now a "normal" character followed
by " winbind use default domain = No". So for testparm the line looks like:
winbind separator = winbind use default domain = No

And that's wrong. In the early days of Samba the setting was "winbind 
separator = + ".

Is there a reason why the character was changed? A nice side effect is:

-----------------
root@addc01:~# getent group sshlogin
EXAMPLEwsshlogin:x:3000016:EXAMPLEwskania
-----------------

It should be:
-----------------
root@addc01:~# getent group sshlogin
EXAMPLE\sshlogin:x:3000016:EXAMPLE\skania
-----------------

So now the backslash is replaced with the "w" from "winbind use default 
domain = No"

I removed the option "winbind separator = \", but the next time
samba-gpupdate runs the parameter is back again. When I replace
the backslash with a "+", getent shows the "+" as the separator.

So the backslash makes sense, but not putting all default values into 
smb.conf when running samba-gpupdate on a DC.
Or write a workaround for testparm :-) to hide the problem.

Stefan
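
The continuation behaviour described in the message, as an added example that is not part of the original post and not Samba's own code: a simplified Python model of smb.conf backslash continuation that flags a "winbind separator" value which has swallowed the following line. The joining rule, the function names and the sample file are assumptions constructed for illustration.

```python
# Added example: simplified model of smb.conf line continuation (assumption,
# not Samba's parser). A physical line ending in "\" is joined with the next.

def logical_lines(text):
    """Yield (first_line_number, joined_line) after applying continuation."""
    pending, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = number
        if line.endswith("\\"):
            pending += line[:-1]          # drop the backslash, keep reading
            continue
        yield start, pending + line
        pending, start = "", None
    if start is not None:                 # file ended on a continuation
        yield start, pending


def check_separator(text):
    """Return (line_number, value) for every multi-character separator."""
    findings = []
    for number, line in logical_lines(text):
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if " ".join(key.lower().split()) != "winbind separator":
            continue
        if len(value) != 1:               # testparm demands a single character
            findings.append((number, value))
    return findings


# Constructed sample mirroring the grep output quoted in the message.
BROKEN = (
    "[global]\n"
    "\twinbind sealed pipes = Yes\n"
    "\twinbind separator = \\\n"
    "\twinbind use default domain = No\n"
)
FIXED = BROKEN.replace("= \\\n", "= +\n")

if __name__ == "__main__":
    for number, value in check_separator(BROKEN):
        print(f"line {number}: separator value is {value!r}, "
              f"first character {value[:1]!r}")
```

The first character of the swallowed value is the "w" that appears in the getent output quoted above.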