Bug 9780 - winbind use default domain = yes does not work in Samba 4.04
Summary: winbind use default domain = yes does not work in Samba 4.04
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 9726
Depends on:
Blocks:
 
Reported: 2013-04-10 11:36 UTC by chihanlin
Modified: 2017-11-30 17:34 UTC
CC: 9 users

See Also:


Description chihanlin 2013-04-10 11:36:35 UTC
Samba 4.04 running with winbind as an AD DC.

With the smb.conf setting:

winbind use default domain = yes

But running:
# getent passwd alanl
HOME\alanl:*:3000016:3000012::/home/HOME/alanl:/bin/bash

The expected result should be:
# getent passwd alanl
alanl:*:1105:1103:rowland:/home/HOME/alanl:/bin/bash

It works in Samba 3.6.3, but not in Samba 4.04 DC mode (i.e. when running Samba 4.0 as the AD DC, it does not trim the domain name).

In real-world practice, 'winbind use default domain' should be applied according to the user's wishes.

A Samba box can be an AD DC but also an AD client (AD DC and AD client running on the same machine).

By running Samba as an AD DC, it can provide AD redundancy (to protect AD from crashing), but also provide extra features that require user authentication against AD.
Comment 1 chihanlin 2013-04-11 11:50:12 UTC
When a Samba box runs as an AD DC, account synchronization happens almost in real time. Therefore, any application running on the same box as the Samba AD DC can authenticate the login user locally without authenticating against the remote AD server (running on the Microsoft Windows platform). This way, authentication is more efficient.

Especially if the Samba AD DC box runs a mail server: when spam mail is attacking, there is a lot of authentication activity against the local AD DC. Usually, a Linux box is more robust than the Microsoft Windows platform. Therefore, in this case, the mail service would always run.

But if the Samba box runs in AD client mode and as a mail server on the same box, it generates very busy authentication queries to the remote Microsoft AD server when a lot of spam mail arrives. In this case, the Microsoft AD services would crash from time to time.

However, in the current release, "winbind use default domain = yes" does not work accordingly in AD DC mode. Therefore, it creates DOMAIN\UserAccount, and when SMTP authenticates it, it gets "DOMAIN\UserAccount" and creates the "DOMAINUserAccount" directory.

And this directory cannot be retrieved by the mail server using the user account (Postfix, for example).

Therefore, it is not possible to run the mail server on the same box as the Samba AD DC.

However, with the more powerful hardware available these days, running the Samba AD DC with many applications on the same box creates a lot of interesting scenarios.

For example, an "Application Firewall/Proxy/Switch" usually needs user authentication but at the same time runs the application on the same box.

This is the benefit of having the Samba AD DC able to turn off the domain prefix.
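The two symptoms above (a `DOMAIN\user` name from getent on the DC, and an SMTP-authenticated login being mangled into a `DOMAINuser` directory) can both be checked from a passwd dump. The script below is an added example, not part of this bug report or of Samba: it parses getent-style lines, splits the winbind prefix on the separator, and cross-checks the stripped user name against the home directory, then maps an authenticated login to a mailbox directory without letting the backslash disappear silently. It assumes the default `winbind separator` of `\`, a `template homedir` of the `/home/%D/%U` form seen in the report, and a hypothetical `/var/mail` maildir root; the sample entries are constructed from the outputs quoted in the description.

```python
"""Cross-check winbind-style passwd entries for the DOMAIN\\user prefix.

Added example, not code from the Samba project or the bug reporter.
Assumptions: 'winbind separator' is the default backslash, home directories
follow /home/%D/%U, and /var/mail is a hypothetical maildir root.
"""
import os
import re
from dataclasses import dataclass

WINBIND_SEPARATOR = "\\"   # Samba default; assumed unchanged in smb.conf

# Constructed sample: the DC line quoted in the report, the expected
# member-style line, and a local account, as 'getent passwd' would list them.
SAMPLE_GETENT = """\
HOME\\alanl:*:3000016:3000012::/home/HOME/alanl:/bin/bash
alanl:*:1105:1103:rowland:/home/HOME/alanl:/bin/bash
root:x:0:0:root:/root:/bin/bash
"""

SAFE_USER = re.compile(r"[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_getent(text):
    """Parse getent passwd output into PasswdEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def split_domain(name, sep=WINBIND_SEPARATOR):
    """Return (domain, user); domain is '' when the name carries no prefix."""
    domain, found, user = name.partition(sep)
    return (domain, user) if found else ("", name)


def check_entry(entry, sep=WINBIND_SEPARATOR):
    """Report whether the name is DOMAIN-prefixed and whether the stripped
    user name agrees with the last component of the home directory (the
    mismatch Comment 14 complains about on a DC)."""
    domain, user = split_domain(entry.name, sep)
    home_user = entry.home.rstrip("/").rsplit("/", 1)[-1]
    return {
        "name": entry.name,
        "prefixed": bool(domain),
        "domain": domain,
        "user": user,
        "home_matches_user": home_user == user,
    }


def mailbox_dir(login, maildir_root="/var/mail", sep=WINBIND_SEPARATOR):
    """Map an authenticated login to a mailbox directory.

    Strip the winbind prefix explicitly instead of letting a naive
    consumer drop the backslash (DOMAIN\\user -> DOMAINuser), and refuse
    any user part that could escape maildir_root or smuggle separators.
    """
    _domain, user = split_domain(login, sep)
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"refusing unsafe login {login!r}")
    return os.path.join(maildir_root, user)


if __name__ == "__main__":
    for entry in parse_getent(SAMPLE_GETENT):
        print(check_entry(entry))
    print(mailbox_dir("HOME\\alanl"))
```

Run against a real dump with `getent passwd | python3 check_winbind.py` style input instead of `SAMPLE_GETENT` to see which accounts come back prefixed; the `mailbox_dir` rejection of anything outside the safe character set is deliberate, since a login that still carries the separator is exactly the input that produced the unretrievable directory in the report.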
Comment 2 Luc Lalonde 2013-04-16 13:54:32 UTC
I can confirm that this is still not working in 4.0.5.
Comment 3 Jorge Albarenque 2013-08-22 22:08:52 UTC
This is still an ongoing problem on v4.0.9
Comment 4 Fonteneau Simon 2013-09-09 16:04:19 UTC
We use the %G variable in our share names and it really causes problems.

We use Samba 4 for 1500 users. We are in education.

We were therefore forced to create local groups with the same guid as in Samba 4 to make it work and do the matching, and so be able to use the %G variable correctly.

But this is really a problem.

Simon
Comment 5 Pieter Hollants 2013-12-12 20:48:49 UTC
Still present in 4.1.2.
Comment 6 Björn Jacke 2014-01-28 23:27:59 UTC
*** Bug 9726 has been marked as a duplicate of this bug. ***
Comment 7 Mattias Merilai 2014-05-29 13:27:47 UTC
any hope?
Comment 10 Richard Scott 2015-11-27 14:11:05 UTC
I have this problem on samba-4.1.12-24.el7_1.x86_64
Comment 11 Björn Jacke 2016-07-27 15:42:36 UTC
Samba 4.1 is old and out of support by us. Update to a recent version if you need this to be solved. Current Samba versions use a unified winbind with a more unified feature set.
Comment 12 Rowland Penny 2017-11-30 17:08:07 UTC
Re-opening this bug: we are now at version 4.7.3 and you still get DOMAIN\username on a DC, and there is no way to use 'winbind use default domain' on a DC.
Comment 13 Stefan Metzmacher 2017-11-30 17:13:50 UTC
(In reply to Rowland Penny from comment #12)

'winbind use default domain = yes' is a big mistake
that may work on domain members and maybe on an NT4-style DC.

But I'll never accept patches to support that "mistake"
on an AD DC.
Comment 14 Rowland Penny 2017-11-30 17:34:54 UTC
I personally wouldn't mind if 'winbind use default domain' went away, I just think that you should get the same username on both DCs and Unix domain members. 

However, users want to use the DC as a fileserver (no matter how often you tell them not to), so there should be some way to get just the username without the DOMAIN as a prefix.

It doesn't help that you can log into the DC as a normal user and get a home directory in /home/DOMAIN/username rather than /home/DOMAIN/DOMAIN\username 

If winbind can just get the username for the home directory, why can it not get the username for getent?