samba - May 2002 - NT user name doesn't match unix username when winbindd is running

We are testing winbind and security=domain to authenticate NT users on our
UNIX box in samba (v2.2.3a).  Winbind is working correctly. Wbinfo shows
users as domainname+username (we are using "+" as the separator), 
however,
the NT usernames aren't automatically mapping to their corresponding UNIX
usernames as expected.  Perhaps I don't understand how this is supposed to
work?

> Message: 4
> From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
> To: "'samba@samba.org'" <samba@samba.org>
> Date: Tue, 11 Jun 2002 09:49:27 -0400
> Subject: [Samba] NT user name doesn't match unix username when winbindd
is runnin
>  g
> 
> Samba team,
> 
> I posted the following message on May 30 to comp.protocols.smb,  but no one
> has responded to the posting as of yet,  so I thought I'd try this
email
> list.  
> 
> 
> We are testing winbind and security=domain to authenticate NT users on
> our UNIX box in samba (v2.2.3a).  Winbind is working correctly.  Wbinfo
> shows 
> users as domainname+username (we are using "+" as the
> separator),  however,  the NT usernames aren't automatically mapping
> to their corresponding UNIX usernames as expected.  Perhaps I don't
> understand how this is supposed to work?
> 
>>From what I understand,  security=domain WITHOUT winbind requires a
> corresponding UNIX user (or dummy entry in the password file) for each
> NT user who you want to authenticate. This works for us,  my NT karen
> account gets matched to my Unix Karen account, new files I create from
> the PC side get assigned the correct Unix UID,  my login directory is
> shared via [HOMES] correctly, etc as long as I don't run winbindd.
> 
> However, when I turn on winbindd,  the NT karen account now gets
> mapped to "domainname+karen" instead of "karen", so
UID's don't match,
>  and my home login directory isn't being shared to my NT Karen
> account. Aren't the NT user names supposed to map to the UNIX user
> name if one exists? We want the features of winbind so we don't have
> to have a corresponding UNIX account for each NT user,  but we want
> matching usernames to map automatically for those users who DO have
> accounts on both sides.  It works when winbind is not running,  why
> doesn't this work when I run winbind?  Is there some other parameter I
> have to set to make this happen?

It is best to actually end up using one authentication db, IMHO. But you 
should be able to solve your problem by:

1)Upgrading samba-2.2.4
2)Setting "winbind use default domain = yes" in the global section of 
smb.conf

Now, winbind users for the domain specified in the "workgroup = " 
parameter will not get the winbind or winbind seperator prepended to 
their usernam.

Buchan

-- 
|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7