The Samba-Bugzilla – Bug 9780
winbind use default domain = yes does not work in Samba 4.04
Last modified: 2016-07-28 07:51:41 UTC
SAMBA 4.04 running with winbind as an AD DC.
At the smb.conf setting as:
winbind use default domain = yes
But using the
# getent passwd alanl
The expected result should be:
# getent passwd alanl
It is working on "Samba 3.6.3", but not working on "Samba 4.04" in DC mode. (i.e. trying to run SAMBA 4.0 as the AD DC, but it does not trim off the domain name.)
In actual world practice, winbind use default domain should be applied according to the user's will.
Because a Samba box can be an AD DC but also an AD client. (AD DC and AD client running on the same machine.)
By running Samba as an AD DC, it can be an AD redundant (to protect AD from crashing), but also provide extra features that require user authentication against AD.
When a SAMBA box runs as an AD DC, the account synchronization will happen almost in real time. Therefore, if any application is running on the same box as the SAMBA AD DC, the application can authenticate the login user locally without authenticating to the remote AD server (running on the Microsoft Windows platform). This way, the authentication will be more efficient.
Especially if the SAMBA AD DC box is running with a mail server: when there is a SPAM mail attack, there would be a lot of authentication activity against the local AD DC. Usually, a Linux box is more robust than the Microsoft Windows platform. Therefore, in this case, the mail service would always run.
But if the SAMBA box is running in AD client mode and running as a mail server on the same box, it would send very busy authentication queries to the remote Microsoft AD server when a lot of SPAM mails arrive. In this case, the Microsoft AD services would crash from time to time.
However, since the current release, "winbind use default domain = yes" is not working accordingly in AD DC mode. Therefore, it would create DOMAIN\UserAccount, and when SMTP authenticates it, it would get "DOMAIN\UserAccount" and create the "DOMAINUserAccount" directory.
And this directory cannot be retrieved by the mail server with the user account (Postfix, for example).
Therefore, it won't be possible to run the mail server on the same box as the SAMBA AD DC.
However, with the more powerful hardware boxes these days, running the SAMBA AD DC with many applications on the same box will create a lot of interesting scenarios.
For example, "Application Firewall/Proxy/Switch"... that usually need to have user authentication... but at the same time, would run the application on the same box.
This is the benefit of having the "SAMBA AD DC" be able to turn off the domain prefix.
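To make the symptom in this report checkable on a box, here is an added POSIX shell script (not Samba's code and not from the reporter) that verifies two things: whether an smb.conf actually enables "winbind use default domain", and whether the passwd entries that "getent passwd" returns still carry a DOMAIN\ prefix, which is what breaks the mail-server directory lookup described above. The domain name EXAMPLE, the UIDs, the file paths and the sample passwd lines are constructed for the example; the separator defaults to the backslash that winbind uses unless "winbind separator" is changed.

```shell
#!/bin/sh
# Added example for bug 9780 (not Samba's own code). Checks whether
# "winbind use default domain" is set and whether passwd entries as
# printed by "getent passwd" are still domain-qualified.
# Domain EXAMPLE, UIDs and paths below are constructed sample data.

# Exit 0 if the smb.conf at $1 enables "winbind use default domain".
# Samba ignores case and surrounding whitespace in parameter names/values.
smbconf_uses_default_domain() {
    grep -iqE '^[[:space:]]*winbind[[:space:]]+use[[:space:]]+default[[:space:]]+domain[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Exit 0 if the user name in passwd line $1 carries no domain prefix.
# $2 is the winbind separator; it defaults to a backslash.
passwd_entry_is_unqualified() {
    name=${1%%:*}
    sep=$2
    [ -n "$sep" ] || sep='\'
    case $name in
        *"$sep"*) return 1 ;;   # e.g. EXAMPLE\alanl: prefix still present
        *)        return 0 ;;   # e.g. alanl: what the setting should yield
    esac
}

# Print the user name of passwd line $1 without its DOMAIN prefix, i.e. the
# name a mail server such as Postfix would need for the mailbox directory.
strip_domain_prefix() {
    name=${1%%:*}
    sep=$2
    [ -n "$sep" ] || sep='\'
    short=${name#*"$sep"}
    printf '%s\n' "$short"
}

# Read passwd lines from file $1 (e.g. saved "getent passwd" output), print
# every domain-qualified entry and exit 0 only if there were none.
report_qualified_entries() {
    count=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! passwd_entry_is_unqualified "$line" "$2"; then
            count=$((count + 1))
            printf 'domain-qualified entry: %s\n' "$line"
        fi
    done < "$1"
    [ "$count" -eq 0 ]
}

# Demo over constructed data; call "demo" after sourcing this file.
demo() {
    pw=$(mktemp)
    printf '%s\n' 'alanl:*:3000021:100::/home/EXAMPLE/alanl:/bin/false' \
                  'EXAMPLE\bob:*:3000022:100::/home/EXAMPLE/bob:/bin/false' > "$pw"
    if report_qualified_entries "$pw"; then
        echo 'winbind use default domain is honoured'
    else
        echo 'domain prefix still present: setting not honoured'
    fi
    rm -f "$pw"
}
```

On a real AD DC you would run `getent passwd > /tmp/pw.txt` and `report_qualified_entries /tmp/pw.txt`, and point `smbconf_uses_default_domain` at the smb.conf that `smbd` actually loads; a non-zero exit from the report with the setting present is exactly the mismatch this bug describes.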
I can confirm that this is still not working in 4.0.5.
This is still an ongoing problem on v4.0.9
We use the %G variable in our share names and it really causes a problem.
We use Samba 4 for 1500 users. We are in education.
So we were forced to create local groups with the same guid as in Samba 4 to make it work and do the matching, and thus use the %G variable correctly.
But this is really a problem.
Still present in 4.1.2.
*** Bug 9726 has been marked as a duplicate of this bug. ***
We've decided not to use WINBIND and switch to SSD for Active Directory integration for our Linux clients and servers... We were able to bypass this bug in this way.
s/SSD/SSSD/ in previous post.
I have this problem on samba-4.1.12-24.el7_1.x86_64
Samba 4.1 is old and out of support by us. Update to a recent version if you need this to be solved. Current Samba versions use a unified winbind with a more unified feature set.