On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > > G'Day Rowland,
> > >
> > > Are you really sure that is the case?
> > >
> > > The "winbind use default domain" code, which I authored, certainly
> > > isn't intended to do that. It changes the formatting at the nss
> > > interface to strip the domain\ prefix, allowing local logins with pam
> > > etc to avoid typing the domain.
> >
> > I suppose it depends on just where the domain is stripped. If it is very
> > early on, then DOMAINA\fred and DOMAINB\fred would become fred and fred,
> > so how would winbind know which is which ?

It only strips the default domain. All the others are untouched. It is
(essentially) also only in the getpwnam() and pam codepaths, not in the
SID->ID stuff, we generally avoid going via names as much as possible.

This is by design. The whole idea of idmap_autorid and idmap_rid is
that we don't want to rely on any remote communication (eg name->sid
calls and reverse) to determine the mapping, as that could fail at the
critical moment.

> This is the only reason I can think of that could change the ID.
>
> Can you think of another reason Andrew ?

As I said, I suspect autorid.tdb is being damaged or removed.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
On 03/11/2019 21:11, Andrew Bartlett wrote:
> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>> G'Day Rowland,
>>>
>>> Are you really sure that is the case?
>>>
>>> The "winbind use default domain" code, which I authored, certainly
>>> isn't intended to do that. It changes the formatting at the nss
>>> interface to strip the domain\ prefix, allowing local logins with pam
>>> etc to avoid typing the domain.
>> I suppose it depends on just where the domain is stripped. If it is very
>> early on, then DOMAINA\fred and DOMAINB\fred would become fred and fred,
>> so how would winbind know which is which ?
> It only strips the default domain. All the others are untouched. It is
> (essentially) also only in the getpwnam() and pam codepaths, not in the
> SID->ID stuff, we generally avoid going via names as much as possible.
>
> This is by design. The whole idea of idmap_autorid and idmap_rid is
> that we don't want to rely on any remote communication (eg name->sid
> calls and reverse) to determine the mapping, as that could fail at the
> critical moment.
>

Then why does 'man smb.conf' say this (abridged) about 'winbind use
default domain' ?

This parameter specifies whether the winbindd(8) daemon should operate
on users without domain component in their username.
Users without a domain component are treated as is part of the winbindd
server's own domain.

This option should be avoided if possible. It can cause confusion about
responsibilities for a user or group.
In many situations it is not clear whether winbind or /etc/passwd should
be seen as authoritative for a user, likewise for groups.

This (to me) means, do not use 'winbind use default domain = yes' with
multiple domains.

I also think that if there is a problem with winbind causing this, we
would have heard a lot more about it before now.

Rowland
On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
> On 03/11/2019 21:11, Andrew Bartlett wrote:
> > On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > > > G'Day Rowland,
> > > >
> > > > Are you really sure that is the case?
> > > >
> > > > The "winbind use default domain" code, which I authored, certainly
> > > > isn't intended to do that. It changes the formatting at the nss
> > > > interface to strip the domain\ prefix, allowing local logins with pam
> > > > etc to avoid typing the domain.
> > >
> > > I suppose it depends on just where the domain is stripped. If it is very
> > > early on, then DOMAINA\fred and DOMAINB\fred would become fred and fred,
> > > so how would winbind know which is which ?
> >
> > It only strips the default domain. All the others are untouched. It is
> > (essentially) also only in the getpwnam() and pam codepaths, not in the
> > SID->ID stuff, we generally avoid going via names as much as possible.
> >
> > This is by design. The whole idea of idmap_autorid and idmap_rid is
> > that we don't want to rely on any remote communication (eg name->sid
> > calls and reverse) to determine the mapping, as that could fail at the
> > critical moment.
> >
>
> Then why does 'man smb.conf' say this (abridged) about 'winbind use
> default domain' ?
>
> This parameter specifies whether the winbindd(8) daemon should operate
> on users without domain component in their username.
> Users without a domain component are treated as is part of the winbindd
> server's own domain.
>
> This option should be avoided if possible. It can cause confusion about
> responsibilities for a user or group.
> In many situations it is not clear whether winbind or /etc/passwd should
> be seen as authoritative for a user, likewise for groups.
>
> This (to me) means, do not use 'winbind use default domain = yes' with
> multiple domains.

The poorly-worded text there is referring to the difference between the
local 'domain' of the member server itself and the AD domain. On
real-world member servers there are generally no local users, so this
doesn't come up as much as the manpage fears.

> I also think that if there is a problem with winbind causing this, we
> would have heard a lot more about it before now.

Yes, this is a commonly used parameter for the reason I added it, that
it is very helpful. I think we have likely improved Samba and seen even
less use of local groups since then.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
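The two mechanisms discussed in this thread, the purely local SID->ID arithmetic of idmap_rid/idmap_autorid and the name-only stripping done by 'winbind use default domain', modelled as an added example (not Samba's code, not anyone's in the thread). The idmap_rid formula is the one documented in idmap_rid(8); the AutoRid class is a deliberately simplified assumption of how autorid hands out ranges, with a plain dict standing in for autorid.tdb so the effect of losing that file can be shown.

```python
# Added example, not Samba code: why idmap_rid needs no state, why autorid's
# IDs depend on autorid.tdb, and why the default-domain strip cannot merge
# DOMAINA\fred with DOMAINB\fred.
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Split an AD account SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: " + sid)
    return m.group(1), int(m.group(2))

def idmap_rid(sid, low, high, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW. No lookup, no stored state,
    so the same SID always yields the same ID (None if outside the range)."""
    _, rid = split_sid(sid)
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

class AutoRid:
    """Simplified autorid (assumption): each (domain, RID block) gets the next
    free range the first time it is seen; the allocation table is the only
    thing that makes the mapping stable, just like autorid.tdb."""
    def __init__(self, low, rangesize):
        self.low, self.rangesize = low, rangesize
        self.table = {}                      # stands in for autorid.tdb
    def sid_to_id(self, sid):
        dom, rid = split_sid(sid)
        key = (dom, rid // self.rangesize)
        if key not in self.table:
            self.table[key] = len(self.table)   # next unallocated range
        return self.low + self.table[key] * self.rangesize + rid % self.rangesize

def strip_default_domain(name, default_domain):
    """'winbind use default domain': only the default domain's prefix is
    removed at the NSS/PAM name interface; other domains keep theirs."""
    dom, sep, user = name.partition("\\")
    if sep and dom.upper() == default_domain.upper():
        return user
    return name

def autorid_ids_after_tdb_loss(sid_first, sid_second, low=100000, size=100000):
    """Return sid_second's ID before and after the table is lost and the
    domains are first seen in the opposite order (the failure mode above)."""
    good = AutoRid(low, size)
    good.sid_to_id(sid_first)
    before = good.sid_to_id(sid_second)
    rebuilt = AutoRid(low, size)             # autorid.tdb removed
    after = rebuilt.sid_to_id(sid_second)    # this domain now seen first
    rebuilt.sid_to_id(sid_first)
    return before, after
```

With idmap_rid the ID is fixed by configuration alone; with autorid a lost or damaged autorid.tdb lets domains be re-numbered in whatever order they are next seen, which is exactly the ID change the thread is chasing, so the file belongs in backups alongside the config.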