Bug 5748 - winbind prefixes group members with the domain but not the users
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Winbind
Version: 3.2.2
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2008-09-09 14:17 UTC by Jason Gunthorpe
Modified: 2008-11-26 07:35 UTC

Description Jason Gunthorpe 2008-09-09 14:17:07 UTC
I'm trying to replace an existing nss_ldap setup with winbind, and I've got it set with winbind use default domain = yes. I've cast about for a separate configuration for this but I didn't find anything.. So:

$ getent passwd jgg
jgg:x:2009:1000:Jason Gunthorpe,,,:/home/jgg:/bin/bash
$ getent group wsudoers
wsudoers:x:1002:ORCORP\jgg

Oops. The users in the group list should not be prefixed with the domain. This causes various sorts of subtle breakage. Interestingly the pam module seems to get it right, but things like sudo and id do not work:

$ id jgg
uid=2009(jgg) gid=1000(orc) groups=1000(orc),4(adm)

wbinfo doesn't seem to work too well either:
$ wbinfo --group-info wsudoers
wsudoers:x:1002

Maybe that is expected wbinfo output?

This is the smb.conf:
[global]
workgroup = ORCORP
realm = ADS.ORCORP.CA
os level = 0
log level = 3

security = ads
password server = ads0.ads.orcorp.ca
use kerberos keytab = true

idmap domains = ORCORP
idmap config ORCORP:backend = ad
idmap config ORCORP:readonly = yes
idmap config ORCORP:default = yes
idmap config ORCORP:range = 1000-11000
idmap config ORCORP:schema_mode = rfc2307

idmap alloc backend = tdb
idmap alloc config:range        = 300000000 - 310000000

winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind normalize names = yes

encrypt passwords = true
dns proxy = no
log file = /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
guest account = nobody
invalid users = root
unix charset = "UTF8"

name resolve order = lmhosts host wins bcast

This is on Ubuntu gutsy using a compilation from the ibex packaging.
Comment 1 Karolin Seeger 2008-09-21 22:30:26 UTC
Obnox, I think you are already working on a fix for that one, right?
Comment 2 Michael Adam 2008-09-22 03:44:48 UTC
Right, I am working on a fix for this.
Comment 3 Michael Adam 2008-11-26 07:35:21 UTC
Fixes have gone into the v3-2-test, v3-3-test and master branches.
Will go into one of the next bugfix releases.
Domain prefix is now consistently added or not added according to
winbindd use default domain.

Please reopen if bug persists.
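
To check whether a host still shows the inconsistency reported above, the following added example (not part of the bug thread and not Samba code) compares the member names in group(5)-format text against the login names in passwd(5)-format text and reports members that differ only by a domain prefix. The sample input is constructed from the getent and id output quoted in the report, and the backslash separator is an assumption taken from that output.

```python
"""Flag NSS group members whose name form disagrees with the passwd database."""

# Constructed sample input, modelled on the output quoted in the report.
SAMPLE_PASSWD = "jgg:x:2009:1000:Jason Gunthorpe,,,:/home/jgg:/bin/bash\n"
SAMPLE_GROUP = "wsudoers:x:1002:ORCORP\\jgg\norc:x:1000:\nadm:x:4:jgg\n"


def bare(name, separator):
    """Strip a leading 'DOMAIN<separator>' from a name, if present."""
    return name.split(separator, 1)[-1]


def passwd_names(passwd_text):
    """Return the set of login names from passwd(5)-format text."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()}


def group_members(group_text):
    """Yield (group, member) pairs from group(5)-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # blank or malformed line
        for member in filter(None, fields[3].split(",")):
            yield fields[0], member


def find_prefix_mismatches(passwd_text, group_text, separator="\\"):
    """Return (group, member, passwd_name) triples where a group member and a
    passwd entry name the same user but only one of them has a domain prefix.
    Tools that compare the two strings literally will not see the membership."""
    users = passwd_names(passwd_text)
    by_bare = {bare(u, separator): u for u in users}
    mismatches = []
    for group, member in group_members(group_text):
        match = by_bare.get(bare(member, separator))
        if member not in users and match is not None:
            mismatches.append((group, member, match))
    return mismatches


if __name__ == "__main__":
    for group, member, name in find_prefix_mismatches(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{group}: member {member!r} does not match passwd name {name!r}")
```

On a live system the two inputs can be taken from the output of getent passwd and getent group; an empty result means the two databases use the same name form.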