The Samba-Bugzilla – Bug 9780
winbind use default domain = yes does not work in Samba 4.04
Last modified: 2017-11-30 17:34:54 UTC
SAMBA 4.04 running with winbind to be an AD DC.
In smb.conf the setting is:
winbind use default domain = yes
But when using
# getent passwd alanl
The expected result should be:
# getent passwd alanl
It works on Samba 3.6.3, but not in "Samba 4.04" DC mode (i.e. when running SAMBA 4.0 as the AD DC, it does not trim down the domain name).
In real-world practice, "winbind use default domain" should be applied according to the user's will.
Because a Samba box can be an AD DC but also an AD client (AD DC and AD client running on the same machine).
By running Samba as an AD DC, it can be an AD redundant (to protect AD from crashing), but also provide extra features that require user authentication against AD.
When a SAMBA box runs as an AD DC, the account synchronization happens almost in real time. Therefore, if any application is running on the same box as the SAMBA AD DC, the application can authenticate the login user locally without authenticating to the remote AD server (running on the Microsoft Windows platform). This way, the authentication is more efficient.
Especially if the SAMBA AD DC box is running with a mail server: when there is a SPAM mail attack, there would be a lot of authentication activity against the local AD DC. Usually, a Linux box is more robust than the Microsoft Windows platform. Therefore, in this case, the mail service would always run.
But if the SAMBA box is running in AD client mode and running as a mail server on the same box, it would have very busy authentication queries to the remote Microsoft AD server when a lot of SPAM mails arrive. In this case, the Microsoft AD services would crash from time to time.
However, since the current release, "winbind use default domain = yes" is not working accordingly in AD DC mode. Therefore, it creates DOMAIN\UserAccount, and when SMTP authenticates, it gets "DOMAIN\UserAccount" and creates the "DOMAINUserAccount" directory.
And this directory cannot be retrieved by the mail server with the user account (Postfix, for example).
Therefore, it is not possible to run the mail server on the same box as the SAMBA AD DC.
However, with the more powerful hardware boxes these days, running the SAMBA AD DC with many applications on the same box creates a lot of interesting scenarios.
For example, "Application Firewall/Proxy/Switch"... these usually need user authentication, but at the same time would run the application on the same box.
This is the benefit of having the "SAMBA AD DC" able to turn off the domain prefix.
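As an added check (not code from the bug report or from Samba), the script below parses an smb.conf [global] section and getent passwd output and flags account names that still carry the DOMAIN<separator> prefix even though "winbind use default domain = yes" is set, which is the symptom described above. The smb.conf text and passwd lines are constructed sample input; the workgroup EXAMPLE and the user alanl are assumptions.

```python
# Constructed sample input, not taken from the bug report: a minimal smb.conf
# for a DC and two passwd-format lines of the kind 'getent passwd' prints.
SAMPLE_SMB_CONF = """\
[global]
    server role = active directory domain controller
    workgroup = EXAMPLE
    winbind use default domain = yes
"""
SAMPLE_GETENT = """\
EXAMPLE\\alanl:*:3000001:100:Alan L:/home/EXAMPLE/alanl:/bin/false
root:x:0:0:root:/root:/bin/bash
"""

def parse_global(conf_text):
    """Return the [global] section of smb.conf-style text as a dict.
    Keys are lowercased with internal whitespace collapsed so that
    'Winbind Use  Default Domain' and 'winbind use default domain' match."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def find_prefixed_accounts(conf_text, getent_text):
    """List passwd entries whose name still carries DOMAIN<sep>, and record
    whether 'winbind use default domain = yes' should have stripped it."""
    conf = parse_global(conf_text)
    sep = conf.get("winbind separator", "\\")          # Samba's default separator
    workgroup = conf.get("workgroup", "").upper()
    wants_bare = conf.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
    found = []
    for line in getent_text.splitlines():
        account = line.split(":", 1)[0]
        if not account or sep not in account:
            continue
        domain, user = account.split(sep, 1)
        found.append({
            "account": account,
            "user": user,
            "naive_dir": domain + user,   # what an app that drops the separator creates
            "setting_ignored": wants_bare and domain.upper() == workgroup,
        })
    return found
```

On a real system, feed it the output of `testparm -s` and `getent passwd` instead of the constructed samples.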
I can confirm that this is still not working in 4.0.5.
This is still an ongoing problem on v4.0.9
We use the %G variables in our share names and this really is a problem.
We use samba4 for 1500 users. We are in education.
So we were forced to create local groups with the same guid as in samba4 to make it work and do the matching, and thus to use the %G variable correctly.
But this is really a problem.
English: (sorry for my bad English)
We use the %G variable in our share names and it really is a problem.
We use samba4 for 1500 users. We are in education.
So we were forced to create local groups with the same guid as in samba4 to work and do the match, and thus to use the %G variable correctly.
But this is really a problem.
Still present in 4.1.2.
*** Bug 9726 has been marked as a duplicate of this bug. ***
I have this problem on samba-4.1.12-24.el7_1.x86_64
Samba 4.1 is old and out of support by us. Update to a recent version if you need this to be solved. Current Samba versions use a unified winbind with a more unified feature set.
Re-opening this bug, we are now at version 4.7.3 and you still get DOMAIN\username on a DC, and there is no way to use 'winbind use default domain' on a DC.
(In reply to Rowland Penny from comment #12)
winbind use default domain = yes is a big mistake
that may work on domain members and maybe NT4 style dc.
But I'll never accept patches to support that "mistake"
on an ADDC.
I personally wouldn't mind if 'winbind use default domain' went away, I just think that you should get the same username on both DCs and Unix domain members.
However, users want to use the DC as a fileserver (no matter how often you tell them not to), so there should be some way to get just the username without the DOMAIN as a prefix.
It doesn't help that you can log into the DC as a normal user and get a home directory in /home/DOMAIN/username rather than /home/DOMAIN/DOMAIN\username.
If winbind can just get the username for the home directory, why can it not get the username for getent?