Bug 9780 - winbind use default domain = yes does not working in Samba 4.04
winbind use default domain = yes does not working in Samba 4.04
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.0.0
All Linux
: P5 major
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
: 9726 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-04-10 11:36 UTC by chihanlin
Modified: 2016-07-28 07:51 UTC (History)
8 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description chihanlin 2013-04-10 11:36:35 UTC
SAMBA 4.04 running with winbind to be a AD DC.

At the smb.conf setting as:

winbind use default domain = yes

But using the
# getent passwd alanl
HOME\alanl:*:3000016:3000012::/home/HOME/alanl:/bin/bash

The expected result should be:
# getent passwd alanl
alanl:*:1105:1103:rowland:/home/HOME/alanl:/bin/bash

It is working at the "Samba 3.6.3, but not working at the "Samba 4.04" DC mode. (i.e. try to run the SAMBA 4.0 as the AD DC but it does not work to trim down the domain name.)

In actual world practice, the win bind use default domain should be applied according to user's will.

Because, a samba box can be an AD DC but also can be a AD client. (AD DC and AD client running in the same machine.)

By running the Samba as AD DC, it can be a AD redundant (to protect AD from crashing).. but also provide extra features that required user authentication against AD.
Comment 1 chihanlin 2013-04-11 11:50:12 UTC
When a SAMBA Box run as a AD DC, the account synchronization will happen almost real time. Therefore, if any application running at the same box of the SAMBA AD DC. The application can authenticate the login user locally without authenticating to the remote AD server (running at the Microsoft Windows Platform). This way, the authentication will be more efficient.

Especially, if the SAMBA AD DC box running with a mail server, when there are SPAM mail attacking, it would have many authentication activity against the local AD DC. Usually, Linux box is more robust than Microsoft Windows platform. Therefore, in this case, the mail service would always run. 

But, if the SAMBA box running in a AD client mode and running as a mail server at the same box. It would have very busy authentication query to the remote Microsoft AD server when a lot of SPAM mails arrived. In this case,  the Microsoft AD services would crash from time to time.

However, since the current release, the "win bind use default domain = yes" is not working accordinly at the AD DC mode. Therefore, it would create DOMAIN\UserAccount, and When SMTP authenticate it, it would get the "DOMAIN\UserAccount"  and create the "DOMAINUserAccount" directory.

And this directory can not be retrievable by the mail server with the user account.(Postfix for example.)

Therefore, it won't be possible to run the Mail server at the same box of the SAMBA AD DC. 

However, with the more powerful hardware box these days, by running the SAMBA AD DC with many applications on the same box will create a lot of interesting scenarios.

For example, "Applicaiton Firewall/Proxy/Switch"... that usually need to have the User authentication... but at the same time, it would run the application at the same box.

This is the benefit of having the "SAMBA AD DC" be able to turn off the domain prefix.
Comment 2 Luc Lalonde 2013-04-16 13:54:32 UTC
I can confirm that this is still not working in 4.0.5.
Comment 3 Jorge Albarenque 2013-08-22 22:08:52 UTC
This is still an ongoing problem on v4.0.9
Comment 4 Fonteneau Simon 2013-09-09 16:04:19 UTC
Nous utilisons les variables %G dans nos nom de partage et cela pose vraiment problème. 

Nous utilisons samba4 pour 1500 utilisateurs. Nous sommes dans l'éducation. 

Nous avons donc été obliger de créer des groupes locaux avec les même guid que dans samba4 pour fonctionner et faire la concordance et ainsi pour utiliser la variable %G correctement.

Mais cela est vraiment un problème.

Simon 

English :  (sorry for my bad english)

We use the variables% G in our share name and it really is a problem.

We use samba4 to 1500 users. We are in education.

So we were forced to create local groups with the same guid in samba4 to work and do the match and thus to use the variable% G correctly.

But this is really a problem.

Simon
Comment 5 Pieter Hollants 2013-12-12 20:48:49 UTC
Still present in 4.1.2.
Comment 6 Björn Jacke 2014-01-28 23:27:59 UTC
*** Bug 9726 has been marked as a duplicate of this bug. ***
Comment 7 Mattias Merilai 2014-05-29 13:27:47 UTC
any hope?
Comment 8 Luc Lalonde 2014-05-29 14:03:16 UTC
We've decided not to use WINBIND and switch to SSD for Active Directory integration for our Linux clients and servers... We were able to bypass this bug in this way.
Comment 9 Luc Lalonde 2014-05-29 14:04:00 UTC
s/SSD/SSSD/  in previous post.
Comment 10 Richard Scott 2015-11-27 14:11:05 UTC
I have this problem on samba-4.1.12-24.el7_1.x86_64
Comment 11 Björn Jacke 2016-07-27 15:42:36 UTC
Samba 4.1 is old and out of support by us. Update to a recent version if you need this to be solved. Current Samba versions use a unified winbind with a more unified feature set.