On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
> On 03/11/2019 21:11, Andrew Bartlett wrote:
> > On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
> > > > G'Day Rowland,
> > > > 
> > > > Are you really sure that is the case?
> > > > 
> > > > The "winbind use default domain" code, which I authored, certainly
> > > > isn't intended to do that. It changes the formatting at the nss
> > > > interface to strip the domain\ prefix, allowing local logins with
> > > > pam etc to avoid typing the domain.
> > > 
> > > I suppose it depends on just where the domain is stripped. If it is
> > > very early on, then DOMAINA\fred and DOMAINB\fred would become fred
> > > and fred, so how would winbind know which is which ?
> > 
> > It only strips the default domain. All the others are untouched. It is
> > (essentially) also only in the getpwnam() and pam codepaths, not in the
> > SID->ID stuff, we generally avoid going via names as much as possible.
> > 
> > This is by design. The whole idea of idmap_autorid and idmap_rid is
> > that we don't want to rely on any remote communication (eg name->sid
> > calls and reverse) to determine the mapping, as that could fail at the
> > critical moment.
> 
> Then why does 'man smb.conf' say this (abridged) about 'winbind use
> default domain' ?
> 
> This parameter specifies whether the winbindd(8) daemon should operate
> on users without domain component in their username.
> Users without a domain component are treated as is part of the winbindd
> server's own domain.
> 
> This option should be avoided if possible. It can cause confusion about
> responsibilities for a user or group.
> In many situations it is not clear whether winbind or /etc/passwd should
> be seen as authoritative for a user, likewise for groups.
> 
> This (to me) means, do not use 'winbind use default domain = yes' with
> multiple domains.

The poorly-worded text there is referring to the difference between the
local 'domain' of the member server itself and the AD domain.

On real-world member servers there are generally no local users, so
this doesn't come up as much as the manpage fears.

> I also think that if there is a problem with winbind causing this, we
> would have heard a lot more about it before now.

Yes, this is a commonly used parameter for the reason I added it, that
it is very helpful. I think we have likely improved Samba and seen
even less use of local groups since then.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
On 03/11/2019 21:35, Andrew Bartlett wrote:
> On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
>> On 03/11/2019 21:11, Andrew Bartlett wrote:
>>> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>>>> G'Day Rowland,
>>>>>
>>>>> Are you really sure that is the case?
>>>>>
>>>>> The "winbind use default domain" code, which I authored, certainly
>>>>> isn't intended to do that. It changes the formatting at the nss
>>>>> interface to strip the domain\ prefix, allowing local logins with
>>>>> pam etc to avoid typing the domain.
>>>> I suppose it depends on just where the domain is stripped. If it is
>>>> very early on, then DOMAINA\fred and DOMAINB\fred would become fred
>>>> and fred, so how would winbind know which is which ?
>>> It only strips the default domain. All the others are untouched. It is
>>> (essentially) also only in the getpwnam() and pam codepaths, not in the
>>> SID->ID stuff, we generally avoid going via names as much as possible.
>>>
>>> This is by design. The whole idea of idmap_autorid and idmap_rid is
>>> that we don't want to rely on any remote communication (eg name->sid
>>> calls and reverse) to determine the mapping, as that could fail at the
>>> critical moment.
>>>
>> Then why does 'man smb.conf' say this (abridged) about 'winbind use
>> default domain' ?
>>
>> This parameter specifies whether the winbindd(8) daemon should operate
>> on users without domain component in their username.
>> Users without a domain component are treated as is part of the winbindd
>> server's own domain.
>>
>> This option should be avoided if possible. It can cause confusion about
>> responsibilities for a user or group.
>> In many situations it is not clear whether winbind or /etc/passwd should
>> be seen as authoritative for a user, likewise for groups.
>>
>> This (to me) means, do not use 'winbind use default domain = yes' with
>> multiple domains.
> The poorly-worded text there is referring to the difference between the
> local 'domain' of the member server itself and the AD domain.
>
> On real-world member servers there are generally no local users, so
> this doesn't come up as much as the manpage fears.
>
>> I also think that if there is a problem with winbind causing this, we
>> would have heard a lot more about it before now.
> Yes, this is a commonly used parameter for the reason I added it, that
> it is very helpful. I think we have likely improved Samba and seen
> even less use of local groups since then.
>
> Andrew Bartlett
>
If this is true, then I expect you really should patch 'man smb.conf' to
explain just what it does do. I, like a lot of Samba users, do not read
the Samba code, so all we can do is read the manpages and if they are
wrong, then, well words fail me.

Rowland
On 03/11/2019 21:43, Rowland penny via samba wrote:
> On 03/11/2019 21:35, Andrew Bartlett wrote:
>> On Sun, 2019-11-03 at 21:29 +0000, Rowland penny wrote:
>>> On 03/11/2019 21:11, Andrew Bartlett wrote:
>>>> On Sun, 2019-11-03 at 20:57 +0000, Rowland penny wrote:
>>>>>> G'Day Rowland,
>>>>>>
>>>>>> Are you really sure that is the case?
>>>>>>
>>>>>> The "winbind use default domain" code, which I authored, certainly
>>>>>> isn't intended to do that. It changes the formatting at the nss
>>>>>> interface to strip the domain\ prefix, allowing local logins with
>>>>>> pam etc to avoid typing the domain.
>>>>> I suppose it depends on just where the domain is stripped. If it is
>>>>> very early on, then DOMAINA\fred and DOMAINB\fred would become fred
>>>>> and fred, so how would winbind know which is which ?
>>>> It only strips the default domain. All the others are untouched. It is
>>>> (essentially) also only in the getpwnam() and pam codepaths, not in the
>>>> SID->ID stuff, we generally avoid going via names as much as possible.
>>>>
>>>> This is by design. The whole idea of idmap_autorid and idmap_rid is
>>>> that we don't want to rely on any remote communication (eg name->sid
>>>> calls and reverse) to determine the mapping, as that could fail at the
>>>> critical moment.
>>>>
>>> Then why does 'man smb.conf' say this (abridged) about 'winbind use
>>> default domain' ?
>>>
>>> This parameter specifies whether the winbindd(8) daemon should operate
>>> on users without domain component in their username.
>>> Users without a domain component are treated as is part of the winbindd
>>> server's own domain.
>>>
>>> This option should be avoided if possible. It can cause confusion about
>>> responsibilities for a user or group.
>>> In many situations it is not clear whether winbind or /etc/passwd should
>>> be seen as authoritative for a user, likewise for groups.
>>>
>>> This (to me) means, do not use 'winbind use default domain = yes' with
>>> multiple domains.
>> The poorly-worded text there is referring to the difference between the
>> local 'domain' of the member server itself and the AD domain.
>>
>> On real-world member servers there are generally no local users, so
>> this doesn't come up as much as the manpage fears.
>>
>>> I also think that if there is a problem with winbind causing this, we
>>> would have heard a lot more about it before now.
>> Yes, this is a commonly used parameter for the reason I added it, that
>> it is very helpful. I think we have likely improved Samba and seen
>> even less use of local groups since then.
>>
>> Andrew Bartlett
>>
> If this is true, then I expect you really should patch 'man smb.conf'
> to explain just what it does do. I, like a lot of Samba users, do not
> read the Samba code, so all we can do is read the manpages and if they
> are wrong, then, well words fail me.
>
> Rowland
>
>
After reading the Samba source, I can see what I previously thought (from
reading 'man smb.conf') was wrong, 'winbind use default domain = yes'
only affects the domain set in 'workgroup =', any other domains are
ignored. I thought it affected all domains because it says this in 'man
smb.conf':

winbind use default domain (G)

    This parameter specifies whether the winbindd(8) daemon should
    operate on users without domain component in their username.

But 'winbind use default domain' is really 'winbind use default domain
but only for the domain set in `workgroup =`'

I now find myself wondering just what else isn't quite correct with the
Samba man pages ?

Rowland
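The behaviour the thread settles on (only the 'workgroup =' domain is stripped or implied at the nss/pam boundary; every other DOMAIN\user name keeps its prefix, so DOMAINA\fred and DOMAINB\fred stay distinct) can be seen in a small model. This is an added illustration, not Samba's code and not a description of winbindd internals: the backslash separator, the WinbindConfig/parse_name/format_name/resolve_all names and the rule that a bare name with the option off is "left to /etc/passwd" are this example's own assumptions.

```python
# Added illustration (not Samba's code): a simplified model of how
# 'winbind use default domain' treats names at the nss/pam boundary, as
# described in the thread above. Only the domain set in 'workgroup =' is
# stripped on output or implied on input; other DOMAIN\user names are
# untouched, so two 'fred's in different domains never collapse into one.
# Names, the separator and the None-for-local rule are assumptions here.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

SEPARATOR = "\\"  # assumed domain separator (winbind's default is backslash)


@dataclass(frozen=True)
class WinbindConfig:
    workgroup: str            # the 'workgroup =' domain, i.e. the default domain
    use_default_domain: bool  # the 'winbind use default domain' setting


def parse_name(name: str, cfg: WinbindConfig) -> Optional[Tuple[str, str]]:
    """Split a name as seen by getpwnam()/pam into (DOMAIN, user).

    A qualified name always keeps the domain it names. A bare name is
    claimed for the workgroup domain only when the option is on; with the
    option off it is left for local /etc/passwd (modelled here as None).
    """
    if SEPARATOR in name:
        domain, user = name.split(SEPARATOR, 1)
        return domain.upper(), user
    if cfg.use_default_domain:
        return cfg.workgroup.upper(), name
    return None


def format_name(domain: str, user: str, cfg: WinbindConfig) -> str:
    """Format (DOMAIN, user) for nss output, stripping only the default domain."""
    if cfg.use_default_domain and domain.upper() == cfg.workgroup.upper():
        return user
    return f"{domain.upper()}{SEPARATOR}{user}"


def resolve_all(names: Iterable[str], cfg: WinbindConfig) -> Dict[str, Optional[Tuple[str, str]]]:
    """Resolve a batch of names, showing which identity each one lands on."""
    return {name: parse_name(name, cfg) for name in names}


if __name__ == "__main__":
    # Constructed sample: a member server in DOMAINA that also sees DOMAINB.
    for flag in (True, False):
        cfg = WinbindConfig(workgroup="DOMAINA", use_default_domain=flag)
        print(f"winbind use default domain = {'yes' if flag else 'no'}")
        for name, ident in resolve_all(["fred", "DOMAINA\\fred", "DOMAINB\\fred"], cfg).items():
            shown = format_name(*ident, cfg) if ident else "(local /etc/passwd)"
            print(f"  {name!r:16} -> {ident}  nss shows {shown!r}")
```

Running it shows that with the option on, 'fred' and 'DOMAINA\fred' resolve to the same identity and are displayed as plain 'fred', while 'DOMAINB\fred' keeps its prefix both ways; with the option off, a bare 'fred' is not claimed by winbind at all.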