The Samba-Bugzilla – Bug 5748
winbind prefixes group members with the domain but not the users
Last modified: 2008-11-26 07:35:21 UTC
I'm trying to replace an existing nss_ldap setup with winbind, and I've got it set with winbind use default domain = yes. I've cast about for a separate configuration for this but I didn't find anything.. So:
$ getent passwd jgg
$ getent group wsudoers
Oops. The users in the group list should not be prefixed with the domain. This causes various sorts of subtle breakage. Interestingly the pam module seems to get it right, but things like sudo and id do not work:
$ id jgg
uid=2009(jgg) gid=1000(orc) groups=1000(orc),4(adm)
wbinfo doesn't seem to work too well either:
$ wbinfo --group-info wsudoers
Maybe that is expected wbinfo output?
This is the smb.conf:
workgroup = ORCORP
realm = ADS.ORCORP.CA
os level = 0
log level = 3
security = ads
password server = ads0.ads.orcorp.ca
use kerberos keytab = true
idmap domains = ORCORP
idmap config ORCORP:backend = ad
idmap config ORCORP:readonly = yes
idmap config ORCORP:default = yes
idmap config ORCORP:range = 1000-11000
idmap config ORCORP:schema_mode = rfc2307
idmap alloc backend = tdb
idmap alloc config:range = 300000000 - 310000000
winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind normalize names = yes
encrypt passwords = true
dns proxy = no
log file = /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
guest account = nobody
invalid users = root
unix charset = "UTF8"
name resolve order = lmhosts host wins bcast
This is on ubuntu gutsy using a compilation from the ibex packaging
Obnox, I think you are already working on a fix for that one, right?
Right, I am working on a fix for this.
Fixes have gone into the v3-2-test v3-3-test and master branches.
Will go into one of the next bugfix releases.
Domain prefix is now consistently added or not added according to
winbindd use default domain.
Please reopen if bug persists.