On Thu, 31 Aug 2017 16:27:12 +0200 mathias dufresne <infractory at gmail.com> wrote:> PS: the short way to explain %u is adding domain/workgroup to > username is the fact we are using trust relationship? >Probably, what you have to get your head around is this: The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all different users. Winbind will report them as such. I will leave you to work something out from that ;-) Rowland
2017-08-31 16:34 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:> On Thu, 31 Aug 2017 16:27:12 +0200 > mathias dufresne <infractory at gmail.com> wrote: > > > PS: the short way to explain %u is adding domain/workgroup to > > username is the fact we are using trust relationship? > > > > Probably, what you have to get your head around is this: > > The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all different > users. Winbind will report them as such. >I expect that using "winbind use default domain = yes" DOMAINA\fred could be same user as DOMAINB\fred as they both should be named "fred", they both should be the first "fred" of the list retrieved by "getent passwd" when enumeration is permitted.> > I will leave you to work something out from that ;-) > > Rowland > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
2017-08-31 16:44 GMT+02:00 mathias dufresne <infractory at gmail.com>:> > > 2017-08-31 16:34 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org> > : > >> On Thu, 31 Aug 2017 16:27:12 +0200 >> mathias dufresne <infractory at gmail.com> wrote: >> >> > PS: the short way to explain %u is adding domain/workgroup to >> > username is the fact we are using trust relationship? >> > >> >> Probably, what you have to get your head around is this: >> >> The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all different >> users. Winbind will report them as such. >> > > I expect that using "winbind use default domain = yes" DOMAINA\fred could > be same user as DOMAINB\fred as they both should be named "fred", they both > should be the first "fred" of the list retrieved by "getent passwd" when > enumeration is permitted. >Forget it. My conf does not access to others domains users. I missed something but as I don't know how are configured these trust relationship, I'll stop making useless noise here ^^> > >> >> I will leave you to work something out from that ;-) >> >> Rowland >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >
On Thu, 31 Aug 2017 16:44:56 +0200 mathias dufresne <infractory at gmail.com> wrote:> 2017-08-31 16:34 GMT+02:00 Rowland Penny via samba > <samba at lists.samba.org>: > > > On Thu, 31 Aug 2017 16:27:12 +0200 > > mathias dufresne <infractory at gmail.com> wrote: > > > > > PS: the short way to explain %u is adding domain/workgroup to > > > username is the fact we are using trust relationship? > > > > > > > Probably, what you have to get your head around is this: > > > > The users 'fred', 'DOMAINA\fred' and 'DOMAINB\fred' are all > > different users. Winbind will report them as such. > > > > I expect that using "winbind use default domain = yes" DOMAINA\fred > could be same user as DOMAINB\fred as they both should be named > "fred", they both should be the first "fred" of the list retrieved by > "getent passwd" when enumeration is permitted. >Well, yes but no ;-) Lets put it this way, user 'DOMAINA\fred' could be 'Fred Flintstone' and user 'DOMAINB\fred' could be 'Fred Bloggs', they have the same samaccountname (in different domains), but are actually different people. If you use 'winbind use default domain = yes' they will become the same 'fred'. Fred Flintstone is the boss and as such needs to see everything, Fred Bloggs is employed to sweep the floor, do you really want Mr Bloggs to see all of the bosses files ? Rowland