Bug 15906 - samba-gpupdate breaks login using smb.conf for winbind use default domain
Summary: samba-gpupdate breaks login using smb.conf for winbind use default domain
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.19.5
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-09-05 12:51 UTC by Jeremy Tucker
Modified: 2025-11-05 17:16 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Tucker 2025-09-05 12:51:14 UTC 
When I run samba-gpupdate --force for the first time, the following two lines are problematic/not working for login.

winbind separator = \
winbind use default domain = Yes

If I manually update to "winbind separator = \\" (which is already set in active directory), I can login with domain\username, but not just username even though winbind use default domain = Yes is set.

If I run samba-gpupdate --force again, the two lines look like the following:


winbind separator = winbind use default domain = Yes
winbind use default domain = No

Now I can login only with domainwusername and not just username

Again, if I manually update smb.conf I can login but only with domain\username
Comment 1 Douglas Bagnall 2025-09-05 22:32:25 UTC 
Is this the same as https://bugzilla.samba.org/show_bug.cgi?id=15768 ?
Comment 2 Douglas Bagnall 2025-09-05 22:33:43 UTC 
(In reply to Douglas Bagnall from comment #1)
> Is this the same as https://bugzilla.samba.org/show_bug.cgi?id=15768 ?

or, rather, the second comment thereof.
Comment 3 Douglas Bagnall 2025-09-05 22:38:34 UTC 
email thread:
https://lists.samba.org/archive/samba-technical/2024-February/138727.html
in which source3/loadparm gets blamed.
Comment 4 Jeremy Tucker 2025-09-08 11:34:31 UTC 
It is similar to the other issue, but I really want it to work with default domain setting to Yes which is not working even when set.
Comment 5 Rowland Penny 2025-09-14 07:46:51 UTC 
(In reply to Jeremy Tucker from comment #4)
Where are you setting these parameters:

winbind separator = \
winbind use default domain = Yes

In a Samba AD DCs smb.conf or in a Unix domain members smb.conf ?

They only work on a Unix domain member, they have never worked on a DC, it is one of the reasons why you shouldn't use a DC as a fileserver.
Comment 6 Jeremy Tucker 2025-09-19 12:53:40 UTC 
I am making these settings on a Windows Domain Controller in Group Policy.  I'm doing samba-gpupdate --force to get the new parameters from the dc, so this is in the domain member's smb.conf where the parameters aren't working.
Comment 7 David Mulder 2025-11-05 17:05:35 UTC 
This is a bug in the way the s4 loadparam dumps the 'winbind separator' parameter. This group policy extension applies smb.conf parameters by loading the existing parameters via loadparam, then setting the new settings, and dumping that content to the smb.conf. The s4 loadparam does a really poor job at jump the parameters, it seems.

At least I *think* it's the s4 lp. It's whatever lp is in the py `SambaOptions`.
Comment 8 David Mulder 2025-11-05 17:16:40 UTC 
Second problem is that lp.dump() apparently is ignoring the `show_defaults` parameter. The smb.conf gp extension sets that flag to `false`, but `dump` still dumps the default parameters anyway.