When using multiple domain-name separators, winbindd can return the wrong result for an invalid query. More specifically, the result for the local domain is returned, even when a trusted domain has been specified.

One way to demonstrate that is through the selftest environment:

SELFTEST_TESTENV=ad_member make testenv

$ bin/wbinfo -n ADDOMAIN/Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> correct result

$ bin/wbinfo -n ADDOMAIN//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> unexpected result, the syntax of the query is incorrect

$ bin/wbinfo -n INVALID/Administrator
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name INVALID/Administrator
-> correct result

$ bin/wbinfo -n INVALID//Administrator
S-1-5-21-393092391-124448896-2709144-500 SID_USER (1)
-> wrong result

The same can also be seen when using rpcclient, but I have not been able to recreate this in a selftest environment with the configured winbind separator character.

This is the query to a Samba domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
example\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> unexpected result, the syntax of the query is incorrect

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)
-> correct result

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
subdom\\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)
-> wrong result, should be sid for subdom domain, not joined example domain

Comparing that to the query of a Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.184 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED
https://lists.samba.org/archive/samba-technical/2018-February/125910.html
With the proposed patch applied on the Samba domain member, the rpcclient result also matches the Windows domain member:

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\administrator"'
example\administrator S-1-5-21-2745666129-1984454212-2075974874-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "example\\administrator"'
result was NT_STATUS_NONE_MAPPED

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\administrator"'
subdom\administrator S-1-5-21-3412315737-4225092418-116001797-500 (User: 1)

$ bin/rpcclient -s st/client/client.conf -U'EXAMPLE\Administrator'%pw 10.11.12.234 -c 'lookupnames "subdom\\administrator"'
result was NT_STATUS_NONE_MAPPED
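
An added example, not part of the bug report and not Samba's code: a strict splitter for DOMAIN<separator>name input that gives the outcomes the Windows member shows above, rejecting a doubled separator instead of resolving the name against the joined domain. The function name, status enum and domain list are hypothetical and constructed from the names in this report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical status codes modelled on the outcomes shown in the report. */
enum lookup_status { LOOKUP_OK, LOOKUP_NONE_MAPPED, LOOKUP_DOMAIN_NOT_FOUND };

/* Constructed domain list (assumption): joined and trusted domains. */
static const char *const known_domains[] = { "ADDOMAIN", "EXAMPLE", "SUBDOM" };

static int domain_known(const char *dom)
{
    size_t i;
    for (i = 0; i < sizeof(known_domains) / sizeof(known_domains[0]); i++)
        if (strcasecmp(dom, known_domains[i]) == 0) return 1;
    return 0;
}

/* Accept exactly one separator with a non-empty domain and name. */
enum lookup_status split_qualified_name(const char *in, char sep,
                                        char *dom, size_t dom_len,
                                        char *name, size_t name_len)
{
    const char *p = strchr(in, sep);
    size_t dlen;

    if (p == NULL) {
        /* Unqualified: empty domain, the caller applies its own policy. */
        if (*in == '\0' || dom_len == 0 || strlen(in) >= name_len)
            return LOOKUP_NONE_MAPPED;
        dom[0] = '\0';
        strcpy(name, in);
        return LOOKUP_OK;
    }
    dlen = (size_t)(p - in);
    /* Empty domain, empty name or a further separator ("DOM//user"). */
    if (dlen == 0 || p[1] == '\0' || strchr(p + 1, sep) != NULL)
        return LOOKUP_NONE_MAPPED;
    if (dlen >= dom_len || strlen(p + 1) >= name_len)
        return LOOKUP_NONE_MAPPED;
    memcpy(dom, in, dlen);
    dom[dlen] = '\0';
    strcpy(name, p + 1);
    /* An unknown domain is an error, never a fallback to the local one. */
    return domain_known(dom) ? LOOKUP_OK : LOOKUP_DOMAIN_NOT_FOUND;
}
```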
Created attachment 14110: patches for 4.7
Created attachment 14111: patches for 4.8
Karolin, please add the patches to the relevant branches. Thanks!
(In reply to Andreas Schneider from comment #5) Pushed to autobuild-v4-[7,8]-test.
(In reply to Karolin Seeger from comment #6) Pushed to both branches. Closing out bug report. Thanks!