samba - Dec 2017 - sendmail getting domain\user as email userId

On Fri, 01 Dec 2017 03:12:46 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> On Thu, 30 Nov 2017 17:09:56 +0000 Rowland Penny <rpenny at
samba.org>
> wrote:
> >
> [deleted]
> > > Comments:
> > > 
> > > This "bug" has been hanging around in Samba since
April, 2013,
> > > https://bugzilla.samba.org/show_bug.cgi?id=9780 It is currently
> > > marked as RESOLVED FIXED by Andrew Bartlett of as 2016-07-28, but
> > > it is clearly not solved. Anyone running `getent passwd` or
> > > `wbinfo` on the AD/DC will get "DOMAIN/user" instead of
"user".
> > > Therefore, not solved.
> > > 
> > > This functionality is inconsistent with the values returned by
the
> > > same commands on a domain member. 
> > > 
> > > It currently breaks authentication for various facilities on the
> > > AD/DC, not limited to mail MTAs and MDAs. 
> > > 
> > > I've found a number of postings on this list about this
problem.
> > > Some people, (Mike E. (posting Thu Jul 21 12:30:40 2016) have
> > > found other work-arounds including using sssd in nsswitch.conf
> > > instead of winbind.  There are 10 postings on the bug report for
> > > people having the same problem including another (Luc Lalonde)
> > > who also switched to sssd. 
> > > 
> > > I believe this is a problem in the real-world and should be more
> > > urgently addressed by the Samba team. I think this is a
> > > fundamental piece of Samba4 and it should work correctly.
> > > 
> > > My two cents worth.
> > > 
> > > --Mark
> > > 
> > > -----Original Message-----
> > > Date: Wed, 29 Nov 2017 10:48:06 -0500
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] sendmail getting domain\user as email userId
> > > 
> > > [deleted]
> > > 
> >
> > I have re-opened the bug report, the problem is that the devs
don't
> > see it as a problem, whilst a lot of users do :-(
> >
> > Rowland
> >
> 
> Thanks Rowland. As a developer myself, I generally consider my users
> problems to be MY problems!
> 
> --Mark
> 
The problem is, the bug report was quickly closed again as 'WONTFIX'
so, though I hate saying this, please investigate nlscd use on the DC.

Rowland

On Fri, 1 Dec 2017 08:31:18 +0000 Rowland Penny <rpenny at samba.org>
wrote:
> > > > -----Original Message-----
> > > > Date: Wed, 29 Nov 2017 10:48:06 -0500
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] sendmail getting domain\user as email
userId
> > > > 
> > > > [deleted]
> > > > 
> > >
> > > I have re-opened the bug report, the problem is that the devs
don't
> > > see it as a problem, whilst a lot of users do :-(
> > >
> > > Rowland
> > >
> > 
> > Thanks Rowland. As a developer myself, I generally consider my users
> > problems to be MY problems!
> > 
> > --Mark
> > 
>
> The problem is, the bug report was quickly closed again as
'WONTFIX'
> so, though I hate saying this, please investigate nlscd use on the DC.
>
> Rowland
>
Yeah, I saw that, and I read the developer's comment. Frankly, I don't
get it. Seems to me
winbind behaviour should be the same, AD/DC or domain member. And it should
deliver to programs
the id they expect (w/o domain name), regardless of the use being made. I
don't see the benefit
for any use of adding the domain to the Id unless there is some odd circumstance
that an
installation has more than one domain and the same user Id -- in which case this
should be the
exception rather than the rule.

Oh well ...

I'll investigate your nlscd suggestion.

THX --Mark

On Fri, 01 Dec 2017 03:47:26 -0500
Mark Foley via samba <samba at lists.samba.org>
wrote:
> 
> Yeah, I saw that, and I read the developer's comment. Frankly, I
> don't get it. Seems to me winbind behaviour should be the same, AD/DC
> or domain member. And it should deliver to programs the id they
> expect (w/o domain name), regardless of the use being made. I don't
> see the benefit for any use of adding the domain to the Id unless
> there is some odd circumstance that an installation has more than one
> domain and the same user Id -- in which case this should be the
> exception rather than the rule.
> 
> Oh well ...
> 
> I'll investigate your nlscd suggestion.
> 
I can sort of understand the decision, you can use trusted domains with
Samba and if you use 'winbind use default domain = yes' and you have a
user in DOMA called 'fred' and a user in DOMB called 'fred',
winbind
would treat these as being the same user. Even if the DOMA users full
name is 'Fred Bloggs' and the DOMB users full name is 'Fred
Doe', that
is, they are two different people.

Perhaps we need a parameter called 'winbind remove our domain from
users & groups' ;-)

Rowland