login with AD user when "winbind use default domain" not set
I have a Samba4 domain controller and have added an Ubuntu 16.04 member server to the domain. I'm using samba+winbind for this and everything appears to work. The idmap backend is set up using "ad". Here is the smb.conf for reference.

    [global]
    workgroup = name
    realm = NAME.DOMAIN.COM
    netbios name = app02
    security = ADS
    log file = /var/log/samba/%m.log
    log level = 1

    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the NAME domain
    idmap config NAME:backend = ad
    idmap config NAME:schema_mode = rfc2307
    idmap config NAME:range = 10000-999999

    # Template settings for login shell and home directory
    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U

    winbind use default domain = yes

The issue I'm having is related to authenticating (SSH) when I do NOT set winbind use default domain = yes in smb.conf.
When you set this equal to yes the various commands like wbinfo -u, wbinfo -g, getent passwd UserName will return an account WITHOUT the domain name. If you don't set this you get results like Domain\UserName and Domain\Domain Users. The reason you might not want to set this is because it would limit your logins to a single domain.
However, when I remove this setting from smb.conf I can no longer log in. I suspect it is a formatting issue when trying to provide domain\username at the SSH login. I've tried domain\username, domain+username, username, and username@domain. All have failed.
Does anyone know how to get SSH logins working for these AD users when winbind use default domain is not set?
1 Answer
Figured out the problem
I was removing the winbind use default domain setting in smb.conf and then running sudo smbcontrol all reload-config. I figured this would be enough to set everything straight, but it wasn't.
For whatever reason winbind wasn't updating. I need to stop the service, clear the cache, and restart.
    service winbind stop
    net cache flush
    service winbind start

Strangely enough, once I did this the problem hasn't resurfaced. Now I can change the winbind use default domain setting and/or the winbind separator, run sudo smbcontrol all reload-config, and the login credentials change and work.
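
A check for the situation the answer above describes, as an added example that is not part of the original post: it derives the name form winbind should present from smb.conf-style text and compares it with a getent passwd line. The function names, the user alice, the sample lines and the reading of a mismatch as "winbind has not picked up the change" are assumptions of this example.

```shell
#!/bin/sh
# Added example. Constructed smb.conf text: the page's settings with
# "winbind use default domain" left unset.
SAMPLE_CONF='[global]
    workgroup = name
    security = ADS
    template shell = /bin/bash'

# Print the last value of one [global] parameter from smb.conf-style text on stdin.
# Samba ignores case and spaces in parameter names, so compare normalised keys.
smb_param() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global {
            i = index($0, "="); if (i == 0) next
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }'
}

# expected_login CONF DOMAIN USER: the name form winbind should present.
expected_login() {
    local conf="$1" domain="$2" user="$3" dflt sep
    dflt=$(printf '%s\n' "$conf" | smb_param 'winbind use default domain' | tr 'A-Z' 'a-z')
    sep=$(printf '%s\n' "$conf" | smb_param 'winbind separator')
    [ -n "$sep" ] || sep='\'          # Samba default separator
    case "$dflt" in
        yes|true|on|1) printf '%s\n' "$user" ;;
        *)             printf '%s%s%s\n' "$domain" "$sep" "$user" ;;
    esac
}

# name_is_stale EXPECTED GETENT_LINE: exit 0 when the running winbind still
# returns the other name form (assumed here to mean it has not picked up the change).
name_is_stale() {
    local got
    got=$(printf '%s' "${2%%:*}" | tr 'A-Z' 'a-z')
    [ "$got" != "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# Constructed getent line, as a winbind still running with the old "yes" would return.
want=$(expected_login "$SAMPLE_CONF" NAME alice)
if name_is_stale "$want" 'alice:*:10001:10000::/home/alice:/bin/bash'; then
    printf 'winbind does not yet present %s\n' "$want"
fi
```

On a real member server the second argument would come from getent passwd for both name forms, and the first from the smb.conf actually in use.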