As of RC3 and RC4, I've noticed that winbindd's wb_getpwuid function
is using the form <FQDN-domain><winbind-separator><username>, and
before, it was simply <NetBIOS-domain><winbind-separator><username>.
The net effect of what I'm seeing is that users who have a UNIX
account locally on the samba box and also a domain account are being
authenticated against the AD DC, but their UIDs are getting resolved
to the local UNIX UIDs rather than AD UIDs.
Here's a snippet of the winbind log (level 5) from an XP Home box (not
a domain member):
[2003/09/15 15:46:49, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:sequence_number(778)
  ads: fetch sequence_number for GENOSHA
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (objectclass=*) gave 1 replies
[2003/09/15 15:46:49, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:49, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)(userPrincipalName=neil@GENOSHA.ENFUSION-GROUP.COM)) gave 1 replies
[2003/09/15 15:46:49, 3] libads/ads_ldap.c:ads_name_to_sid(82)
  ads name_to_sid mapped neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_misc.c:winbindd_ping(208)
  [ 6439]: ping
[2003/09/15 15:46:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:46:50, 3] nsswitch/winbindd_ads.c:name_to_sid(312)
  ads: name_to_sid
[2003/09/15 15:46:50, 5] libads/ldap_utils.c:ads_do_search_retry(52)
  Search for (|(sAMAccountName=neil)(userPrincipalName=neil@GENOSHA.ENFUSION-GROUP.COM)) gave 1 replies
From XP SP1 boxes that are domain members:
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam genosha.enfusion-group.com-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam GENOSHA.ENFUSION-GROUP.COM-ADRIAN
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(231)
  [ 6455]: request interface version
[2003/09/15 15:49:23, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(267)
  [ 6455]: request location of privileged pipe
[2003/09/15 15:49:23, 5] nsswitch/winbindd.c:winbind_client_read(462)
  read failed on sock 19, pid 6455: EOF
[2003/09/15 15:49:23, 3] nsswitch/winbindd_user.c:winbindd_getpwuid(213)
  [ 6455]: getpwuid 20007
[2003/09/15 15:49:23, 4] nsswitch/winbindd_acct.c:wb_getpwuid(413)
  wb_getpwuid: failed to locate uid == 20007
At this point, I'm authenticated as the UNIX UID and have access via
samba, but smbstatus shows the wrong username (the non-domain user).
Anyone know how I can fix this?
--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian/
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.genosha.enfusion-group.com] 3:55pm up 4 days, 17:09, 3 users
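
Added example, not part of the original message and not Samba code: a small log check that pairs each "no such domain" message with the getpwnam request before it and reports when the rejected domain equals the requested name cut at its first separator, as in the domain-member excerpt above. The separator "-" is read off the "getpwnam genosha-neil" line; the function name and the sample log layout are assumptions.

```python
import re

# Constructed sample in a two-line winbindd log layout (header line, then
# message line); the names and messages are taken from the post above.
SAMPLE_LOG = """\
[2003/09/15 15:46:49, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6439]: getpwnam genosha-neil
[2003/09/15 15:49:17, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(112)
  [ 6453]: getpwnam genosha.enfusion-group.com-adrian
[2003/09/15 15:49:17, 5] nsswitch/winbindd_user.c:winbindd_getpwnam(140)
  no such domain: GENOSHA.ENFUSION
"""

REQUEST = re.compile(r"\[\s*(\d+)\]: getpwnam (\S+)")
NO_DOMAIN = re.compile(r"no such domain: (\S+)")


def find_separator_splits(log_text, separator="-"):
    """Pair each 'no such domain' message with the preceding getpwnam
    request and report cases where the rejected domain is the requested
    name cut at its first separator while more separators remain."""
    findings = []
    last_request = None
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            last_request = m.group(2)
            continue
        m = NO_DOMAIN.search(line)
        if m and last_request:
            # Split at the FIRST separator (assumed from the log output).
            domain, _, rest = last_request.partition(separator)
            if domain.upper() == m.group(1).upper() and separator in rest:
                findings.append({
                    "requested": last_request,
                    "rejected_domain": m.group(1),
                    "remainder": rest,
                })
            last_request = None
    return findings


if __name__ == "__main__":
    for f in find_separator_splits(SAMPLE_LOG):
        print("%(requested)s -> domain %(rejected_domain)s, "
              "user part %(remainder)s" % f)
```

A finding means the separator character also occurs inside the domain part of the requested name, so the domain/user boundary in that name is ambiguous.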