samba - Sep 2003 - winbindd using FQDN domain name now?

As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
is using the form <FQDN-domain><winbind-seperator><username>,
and
before, it was simply
<NetBIOS-domain><winbind-seperator><username>.

The net effect of what I'm seeing is that users which have a UNIX
account locally on the samba box and also a domain account are being
authenticated against the AD DC, but their UIDs are getting resolved
to the local UNIX UIDs rather than AD UIDs.

Here's a snippet of the winbind log (level 5) from an XP Home box (not
a domain member):

[2003/09/15 15:46:49, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:sequence_number(778)
  ads: fetch sequence_number for GENOSHA
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectclass=*) gave 1 replies
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for
(|(sAMAccountName=neil)(userPrincipalName=neil@GENOSHA.ENFUSION-GROUP.COM))
gave 1 replies
[2003/09/15 15:46:49, 3] libads/ads_ldap.c:ads_name_to_sid(82)
  ads name_to_sid mapped neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_misc.c:winbindd_ping(208)
  [ 6439]: ping
[2003/09/15 15:46:50, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:50, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for
(|(sAMAccountName=neil)(userPrincipalName=neil@GENOSHA.ENFUSION-GROUP.COM))
gave 1 replies
>From XP SP1 boxes that are domain members:
[2003/09/15 15:49:17, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam genosha.enfusion-group.com-adrian
[2003/09/15 15:49:17, 5]
nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
[2003/09/15 15:49:17, 5]
nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3]
nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-ADRIAN
[2003/09/15 15:49:17, 5]
nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:23, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [ 6455]: request interface version
[2003/09/15 15:49:23, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [ 6455]: request location of privileged pipe
[2003/09/15 15:49:23, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 19, pid 6455: EOF
[2003/09/15 15:49:23, 3]
nsswitch/winbindd_user.c:winbindd_getpwuid(213)
  [ 6455]: getpwuid 20007
[2003/09/15 15:49:23, 4] nsswitch/winbindd_acct.c:wb_getpwuid(413)
  wb_getpwuid: failed to locate uid == 20007

At this point, I'm authenticated as the UNIX UID and have access via
samba, but smbstatus shows the wrong username (the non-domain user).

Anyone know how I can fix this?

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 3:55pm up 4 days, 17:09, 3 users

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the delayed repsonse...

Adrian Chung wrote:
| As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
| is using the form
<FQDN-domain><winbind-seperator><username>, and
| before, it was simply
<NetBIOS-domain><winbind-seperator><username>.

This is due to new code in smbd that grabs the domain name
from the krb5 principal name.

| The net effect of what I'm seeing is that users which have a UNIX
| account locally on the samba box and also a domain account are being
| authenticated against the AD DC, but their UIDs are getting resolved
| to the local UNIX UIDs rather than AD UIDs.
....
|
|>From XP SP1 boxes that are domain members:
|
| [2003/09/15 15:49:17, 3]
| nsswitch/winbindd_user.c:winbindd_getpwnam(112)
|   [ 6453]: getpwnam genosha.enfusion-group.com-adrian
| [2003/09/15 15:49:17, 5]
| nsswitch/winbindd_user.c:winbindd_getpwnam(140)
|   no such domain: GENOSHA.ENFUSION
| [2003/09/15 15:49:17, 3]
| nsswitch/winbindd_user.c:winbindd_getpwnam(112)
|   [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
| [2003/09/15 15:49:17, 5]
| nsswitch/winbindd_user.c:winbindd_getpwnam(140)
|   no such domain: GENOSHA.ENFUSION

You have the wionbind separator set to '-' don't you?
The probl;em here is that you have a '-' in the realm name.





cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard            ------------------------- http://www.hp.com
~ SAMBA Team                 ---------------------- http://www.samba.org
~ GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
~ "You can never go home again, Oatman, but I guess you can shop
there."
~                            --John Cusack - "Grosse Point Blank"
(1997)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/gsEtIR7qMdg1EfYRAuI4AKDQSJXPNEYIJG/9esHfYjq1zd00LACfTfbp
VCx/Q3LUEB64othe3hsB8Hg=6D86
-----END PGP SIGNATURE-----