Bug 1483 - winbind_use_default_domain = YES ignored for valid_users and admin_users (maybe more?) in smb.conf
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.4
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-06-28 08:18 UTC by Mike Thomas
Modified: 2004-07-07 04:39 UTC
Description Mike Thomas 2004-06-28 08:18:46 UTC
While having this option set, samba correctly imports the accounts from our ADS
server without the DOMAIN(separator) prefixed to the username and all unix-like
functionality is, well, hunky-dory, but when trying to auth against a samba
share, it still looks for the account to be listed as DOMAIN(separator)USERNAME
instead of just username. Here are relevant conf entries and debug outputs
showing this behavior:

-- smb.conf settings -- 

        
[global]
        netbios name            =       ASGARD
        workgroup               =       CEMS
        security                =       ads
        realm                   =       CEMS.UMN.EDU
        password server         =       PHOENIX
        encrypt passwords       =       yes
        browseable              =       no
        os level                =       0  
        domain master           =       no
        local master            =       no 
        preferred master        =       no
        
        ; winbindd configuration
        winbind separator       =       +   
        winbind enum users      =       yes
        winbind enum groups     =       yes
        winbind use default domain =    yes
        winbind enable local accounts = yes
        template shell          =       /bin/bash
        template homedir        =       /home/%D/%U
        
        idmap uid               =       10000-30000
        idmap gid               =       10000-30000

-- test share used -- 

[test_share]
        comment                 =       Test Share
        path                    =       /tmp
        writeable               =       yes
        valid users             =       cemsadmin
        admin users             =       cemsadmin
        ; enforce file locking
        locking                 =       yes
        ; default file creation permission mask
        ; create mode             =       0644
        ; default directory creation permission mask
        directory mode          =       0770
        browseable              =       yes

-- ADS account used through winbind -- 

[root@asgard source]# getent passwd |grep cemsadmin
cemsadmin:x:10690:10003:cemsadmin:/home/CEMS/cemsadmin:/bin/bash

-- output of smbd showing it looking for CEMS+cemsadmin and not cemsadmin --

[2004/06/28 10:17:54, 5] smbd/service.c:make_connection(783)
  making a connection to 'normal' service test_share
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(526)
  user_in_list: checking user CEMS+cemsadmin in list
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |pirie|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |lstorey|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |mwt|
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |cemsadmin|
[2004/06/28 10:17:54, 2] smbd/service.c:make_connection_snum(311)
  user 'CEMS+cemsadmin' (from session setup) not permitted to access this share
(test_share)
[2004/06/28 10:17:54, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(389) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

I don't know if this is the intended behavior, if it is, it'd still be nice to
have an option to turn this off. 

Thanks again!
Comment 1 Mike Thomas 2004-06-28 08:36:06 UTC
(In reply to comment #0)

You'll notice it checks against some other users that aren't listed in the
test_share; I forgot to reload the conf file totally (I took out those users so
it would just be less output) but I didn't change anything other than that, so
basically, just ignore that part of the output :-)

Thanks!

Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-07-07 04:39:15 UTC
This is by design. 'winbind use default domain' should only be
considered relevant to pam_winbind.so
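Since the behaviour is by design, an administrator hitting it wants a quick way to tell, from the smbd debug output, that a share's 'valid users' entry is the bare form of a domain-qualified session user. The parser below is an added example, not code from the report or from Samba; it assumes the debug-level-10 'user_in_list' and 'make_connection_snum' line formats shown in the report, a winbind separator of '+', and the case-insensitive name comparison that smbd applies, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: the debug-10 smbd lines from the report, trimmed to the
# relevant checks (the extra users the reporter mentions are left out).
SAMPLE_LOG = """\
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(526)
  user_in_list: checking user CEMS+cemsadmin in list
[2004/06/28 10:17:54, 10] lib/username.c:user_in_list(530)
  user_in_list: checking user |CEMS+cemsadmin| against |cemsadmin|
[2004/06/28 10:17:54, 2] smbd/service.c:make_connection_snum(311)
  user 'CEMS+cemsadmin' (from session setup) not permitted to access this share
(test_share)
"""

CHECK_RE = re.compile(r"user_in_list: checking user \|([^|]+)\| against \|([^|]+)\|")
DENY_RE = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share")


def split_domain(name, separator="+"):
    """Split 'DOMAIN<sep>user' into (domain, user); a bare name yields (None, name)."""
    domain, sep, user = name.rpartition(separator)
    return (domain, user) if sep else (None, name)


def find_prefix_mismatches(log_text, separator="+"):
    """Return (session_user, list_entry, suggested_entry) for every share-ACL
    comparison where the list entry is the bare user part of a domain-qualified
    session user, i.e. the entry would match only if written with the prefix.
    Comparison is case-insensitive, like smbd's own user_in_list check (assumed)."""
    mismatches = []
    for match in CHECK_RE.finditer(log_text):
        session_user, list_entry = match.group(1), match.group(2)
        domain, user = split_domain(session_user, separator)
        entry_domain, _ = split_domain(list_entry, separator)
        if domain is not None and entry_domain is None and user.lower() == list_entry.lower():
            mismatches.append((session_user, list_entry, f"{domain}{separator}{user}"))
    return mismatches


def denied_users(log_text):
    """Session users that smbd refused at tree connect (NT_STATUS_ACCESS_DENIED)."""
    return DENY_RE.findall(log_text)


if __name__ == "__main__":
    for session_user, entry, suggestion in find_prefix_mismatches(SAMPLE_LOG):
        print(f"'{session_user}' was compared against bare entry '{entry}'; "
              f"list it as '{suggestion}' in valid users / admin users")
    print("denied at tree connect:", denied_users(SAMPLE_LOG))
```

The suggested entry keeps the domain prefix rather than stripping it from the ACL, so a local account that happens to share the bare name does not silently gain the domain user's share access.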