Samba is an AD member server with security=ADS. Domain controller is Windows 2000 with SFU schema extension. idmap plugin is ad.so. Using libnss_winbind.so for group and passwd in nsswitch.conf.

When setting "winbind use default domain" to Yes, wbinfo -u retrieves all domain users without preceding domain name:

heliotrop{root}[/development]: /opt/samba/bin/wbinfo -u
Administrator
Gast
IWAM_JADE
IUSR_JADE
krbtgt
moik
peng
TsInternetUser
ingres
visionet
karlramsauer
malden
schmidt
root
zack
neu
t1000
zissi
depp
IWAM_JASPIS
IUSR_JASPIS
ldapproxy

whereas wbinfo -g retrieves all domain groups with preceding domain:

EDELSTEIN\domänencomputer
EDELSTEIN\domänencontroller
EDELSTEIN\schema-admins
EDELSTEIN\organisations-admins
EDELSTEIN\zertifikatherausgeber
EDELSTEIN\domänen-admins
EDELSTEIN\domänen-benutzer
EDELSTEIN\domänen-gäste
EDELSTEIN\richtlinien-ersteller-besitzer
EDELSTEIN\dnsupdateproxy
EDELSTEIN\anaamb
EDELSTEIN\test
EDELSTEIN\users_korund
EDELSTEIN\jade-vnc
EDELSTEIN\superusers
EDELSTEIN\users
EDELSTEIN\esx_admins

This behaviour changed from 3.0.22 to 3.0.23.

In the source I found that changing the last parameter (BOOL can_assume) of the calls to fill_domain_username in nsswitch/winbindd_group.c from False to True gives back the old behaviour, but I'm not sure if this breaks some other code:

diff -r -u samba-3.0.23.orig/source/nsswitch/winbindd_group.c samba-3.0.23/source/nsswitch/winbindd_group.c --- samba-3.0.23.orig/source/nsswitch/winbindd_group.c Fri Jun 23 15:16:50 2006 +++ samba-3.0.23/source/nsswitch/winbindd_group.c Tue Jul 11 18:10:12 2006 @@ -42,7 +42,7 @@ { fstring full_group_name; - fill_domain_username( full_group_name, dom_name, gr_name, False); + fill_domain_username( full_group_name, dom_name, gr_name, True); gr->gr_gid = unix_gid; @@ -146,7 +146,7 @@ /* Append domain name */ - fill_domain_username(name, domain->name, the_name, False); + fill_domain_username(name, domain->name, the_name, True); len = strlen(name); 
@@ -752,7 +752,7 @@ /* Fill in group entry */ fill_domain_username(domain_group_name, ent->domain_name, - name_list[ent->sam_entry_index].acct_name, False); + name_list[ent->sam_entry_index].acct_name, True); result = fill_grent(&group_list[group_list_ndx], ent->domain_name, @@ -929,7 +929,7 @@ groups.sam_entries)[i].acct_name; fstring name; - fill_domain_username(name, domain->name, group_name, False); + fill_domain_username(name, domain->name, group_name, True); /* Append to extra data */ memcpy(&extra_data[extra_data_len], name, strlen(name));

smb.conf:

[global]
unix charset = ISO-8859-15
workgroup = EDELSTEIN
realm = EDELSTEIN.DE
security = ADS
use kerberos keytab = Yes
log level = 0
wins server = 192.168.0.23, 192.168.0.223
ldap ssl = no
ldap timeout = 2
pid directory = /opt/samba/localvar/locks
idmap backend = ad
idmap uid = 100-60000
idmap gid = 100-60000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = sfu
create mask = 0740
directory mask = 0750
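Review bot: At all four call sites (@@ -42, -146, -752 and -929) the last argument becomes a bare True with no comment saying why group names may assume the default domain, and nothing in the patch shows that a lookup by the now-unqualified group name still resolves to the same entry. Add a short comment at each call naming 'winbind use default domain' as the reason, and check that getent group returns the same gid and member list for the short name as for the EDELSTEIN\-prefixed name before the short form is relied on in group-based configuration.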
I can't remember for sure, but I would trust the current code. I believe this was an expected change and things need to be tested thoroughly before reverting anything. Note that 'winbind use default domain = yes' is really only intended for usernames anyways. Does the current behavior actually break anything in your setup? Or are you just noting it as a difference from 3.0.22?
It would break our current installations because some groups which are held in Active Directory are used on the Solaris side and referenced there without the domain prefix.
What was the intention of the change to not have "winbind use default domain" retrieve groups without domain prefix?

And I forgot to say that the output of getent group displayed the group members with the domain prefix:

heliotrop{root}[/]: getent group "EDELSTEIN\users"
EDELSTEIN\users:x:2000:EDELSTEIN\neu,EDELSTEIN\zack
How are you referring to groups? Configuration files?
Yes, configuration files, e.g. automounter maps which retrieve the primary group of the user and mount the user's home directory to something like /home/<primary gid>/<uid>/, and configurations like sudo which depend on the group membership of the users executing the sudo command.
This was an intentional change...

http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&rev=14403

Can I just say once again how much I hate 'winbind use default domain'?
Created attachment 2031: proposed patch

Please try this patch. No promises.
patch doesn't compile.....wait and I'll work on this some more tomorrow.
Anything new to this bug? Does my patch break anything?
Created attachment 2051: restore winbind default domain behavior for groups

Re-enable stripping of domain of group names. 'winbind nested groups' does still work for domain users. However, this will break 'winbind nested groups' for local users. There is no way around it. The problem is that winbindd_getgroups() prepends the domain name before calling lookupname(), which fails to find a local (unqualified) user.

See http://lists.samba.org/archive/samba-technical/2006-July/048320.html for details.
checked in for 3.0.23a.