While having this option set, samba correctly imports the accounts from our ADS
server without the DOMAIN(separator) prefixed to the username and all unix-like
functionality is, well, hunky-dory, but when trying to auth against a samba
share, it still looks for the account to be listed as DOMAIN(separator)USERNAME
instead of just username. Here are relevant conf entries and debug outputs
showing this behavior:

-- smb.conf settings --

[global]
netbios name = ASGARD
workgroup = CEMS
security = ads
realm = CEMS.UMN.EDU
password server = PHOENIX
encrypt passwords = yes
browseable = no
os level = 0
domain master = no
local master = no
preferred master = no

; winbindd configuration
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind enable local accounts = yes
template shell = /bin/bash
template homedir = /home/%D/%U

idmap uid = 10000-30000
idmap gid = 10000-30000

-- test share used --

[test_share]
comment = Test Share
path = /tmp
writeable = yes
valid users = cemsadmin
admin users = cemsadmin
; enforce file locking
locking = yes
; default file creation permission mask
; create mode = 0644
; default directory creation permission mask
directory mode = 0770
browseable = yes

-- ADS account used through winbind --

[root@asgard source]# getent passwd |grep cemsadmin
cemsadmin:x:10690:10003:cemsadmin:/home/CEMS/cemsadmin:/bin/bash

-- output of smbd showing it looking for CEMS+cemsadmin and not cemsadmin --

[2004/06/28 10:17:54, 5] smbd/service.c:make_connection(783)
  making a connection to 'normal' service test_share
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(526)
  user_in_list: checking user CEMS+cemsadmin in list
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |pirie|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |lstorey|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |mwt|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |cemsadmin|
[2004/06/28 10:17:54, 2] smbd/service.c:make_connection_snum(311)
  user 'CEMS+cemsadmin' (from session setup) not permitted to access this share (test_share)
[2004/06/28 10:17:54, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(389) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I don't know if this is the intended behavior; if it is, it'd still be nice to
have an option to turn this off.

Thanks again!

(In reply to comment #0)

You'll notice it checks against some other users that aren't listed in the
test_share. I forgot to reload the conf file totally (I took out those users so
it would just be less output), but I didn't change anything other than that, so
basically, just ignore that part of the output :-)

Thanks!

> while having this option set, samba correctly imports the accounts from our ADS
> server without the DOMAIN(separator) prefixed to the username and all unix-like
> functionality is, well, hunky-dory, but when trying to auth against a samba
> share, it still looks for the account to be listed as DOMAIN(separator)USERNAME
> instead of just username. Here are relevant conf entries and debug outputs
> showing this behavior:
>
> -- smb.conf settings --
>
> [global]
> netbios name = ASGARD
> workgroup = CEMS
> security = ads
> realm = CEMS.UMN.EDU
> password server = PHOENIX
> encrypt passwords = yes
> browseable = no
> os level = 0
> domain master = no
> local master = no
> preferred master = no
>
> ; winbindd configuration
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind enable local accounts = yes
> template shell = /bin/bash
> template homedir = /home/%D/%U
>
> idmap uid = 10000-30000
> idmap gid = 10000-30000
>
> -- test share used --
>
> [test_share]
> comment = Test Share
> path = /tmp
> writeable = yes
> valid users = cemsadmin
> admin users = cemsadmin
> ; enforce file locking
> locking = yes
> ; default file creation permission mask
> ; create mode = 0644
> ; default directory creation permission mask
> directory mode = 0770
> browseable = yes
>
> -- ADS account used through winbind --
>
> [root@asgard source]# getent passwd |grep cemsadmin
> cemsadmin:x:10690:10003:cemsadmin:/home/CEMS/cemsadmin:/bin/bash
>
> -- output of smbd showing it looking for CEMS+cemsadmin and not cemsadmin --
>
> [2004/06/28 10:17:54, 5] smbd/service.c:make_connection(783)
>   making a connection to 'normal' service test_share
> [2004/06/28 10:17:54, 10] lib/username.c:user_in_list(526)
>   user_in_list: checking user CEMS+cemsadmin in list
> [2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
>   user_in_list: checking user |CEMS+cemsadmin| against |pirie|
> [2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
>   user_in_list: checking user |CEMS+cemsadmin| against |lstorey|
> [2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
>   user_in_list: checking user |CEMS+cemsadmin| against |mwt|
> [2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
>   user_in_list: checking user |CEMS+cemsadmin| against |cemsadmin|
> [2004/06/28 10:17:54, 2] smbd/service.c:make_connection_snum(311)
>   user 'CEMS+cemsadmin' (from session setup) not permitted to access this share (test_share)
> [2004/06/28 10:17:54, 3] smbd/error.c:error_packet(118)
>   error packet at smbd/reply.c(389) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> I don't know if this is the intended behavior; if it is, it'd still be nice to
> have an option to turn this off.
>
> Thanks again!

This is by design. 'winbind use default domain' should only be considered relevant to pam_winbind.so
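
Added example, not part of the bug thread and not Samba code: a small Python triage script that reads smbd debug output in the layout quoted above and flags share denials where the session user is domain-qualified but the share's user list holds only the bare account name. The sample log is constructed from the lines in the report; the function name, the result fields and the case-insensitive comparison are assumptions of this example.

```python
import re

# Constructed sample: smbd debug lines in the layout quoted in this report
# (bracketed header line, then an indented message line).
SAMPLE_LOG = """\
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(526)
  user_in_list: checking user CEMS+cemsadmin in list
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |pirie|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |cemsadmin|
[2004/06/28 10:17:54, 2] smbd/service.c:make_connection_snum(311)
  user 'CEMS+cemsadmin' (from session setup) not permitted to access this share (test_share)
"""

CHECK_RE = re.compile(r"checking user \|([^|]+)\| against \|([^|]+)\|")
DENY_RE = re.compile(r"user '([^']+)' \(from session setup\) not permitted "
                     r"to access this share\s+\(([^)]+)\)")


def find_separator_mismatches(log_text, separator="+"):
    """Return one finding per denied share connection where a list entry
    equals the bare user part of a domain-qualified session name."""
    text = " ".join(log_text.split())  # undo line wrapping and indentation
    compared = {}
    for user, entry in CHECK_RE.findall(text):
        compared.setdefault(user, []).append(entry)

    findings = []
    for user, share in DENY_RE.findall(text):
        _domain, sep, bare = user.partition(separator)
        if not sep:
            continue  # session name is not qualified: a different cause
        for entry in compared.get(user, []):
            # Case-insensitive match is an assumption of this example.
            if entry.lower() == bare.lower():
                findings.append({"share": share,
                                 "session_user": user,
                                 "list_entry": entry})
    return findings


if __name__ == "__main__":
    for f in find_separator_mismatches(SAMPLE_LOG):
        print("share %(share)s: session user %(session_user)r was compared "
              "against unqualified entry %(list_entry)r" % f)
```

Pass the value of `winbind separator` from smb.conf as `separator`; it is `+` in the configuration shown in this report.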