I have a Samba4 domain controller and have added an Ubuntu 16.04 member server to the domain. I'm using samba+winbind for this and everything appears to work. The idmap backend is set up using "ad". Here is the smb.conf for reference.
```ini
[global]
workgroup = name
realm = NAME.DOMAIN.COM
netbios name = app02
security = ADS
log file = /var/log/samba/%m.log
log level = 1
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the NAME domain
idmap config NAME:backend = ad
idmap config NAME:schema_mode = rfc2307
idmap config NAME:range = 10000-999999
# Template settings for login shell and home directory
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
```
The issue I'm having is related to authenticating (SSH) when I do NOT set winbind use default domain = yes in smb.conf.
When you set this equal to yes, the various commands like wbinfo -u, wbinfo -g, and getent passwd UserName return an account WITHOUT the domain name. If you don't set it, you get results like Domain\UserName and Domain\Domain Users. The reason you might not want to set this is that it would limit your logins to a single domain.
However, when I remove this setting from smb.conf I can no longer login. I suspect it is a formatting issue when trying to provide domain\username at the SSH login. I've tried domain\username, domain+username, username, and username@domain. All have failed.
Does anyone know how to get SSH logins working for these AD users when winbind use default domain is not set?
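One thing worth ruling out before touching Samba at all is the shell on the client side. The following is an added example, not part of the question above: in bash or sh, an unquoted backslash is removed during quote removal, so `ssh NAME\jdoe@app02` hands ssh the login name `NAMEjdoe`, not `NAME\jdoe`. The functions below make that visible offline and build the name in the form winbind expects for a given `winbind separator` (the default is `\`; `+` is the common alternative). The domain `NAME` and host `app02` come from the posted smb.conf; the user `jdoe` and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Shows why DOMAIN\user is a
# quoting trap at the ssh prompt and how to spell the name so it survives.

# Echo back exactly what a command receives as its first argument, i.e. the
# string after the shell has already done quote removal.
as_received() {
    printf '%s' "$1"
}

# Build the winbind-style login name DOMAIN<sep>user. The separator defaults
# to '\' (Samba's default 'winbind separator'); pass '+' as the third argument
# if smb.conf sets 'winbind separator = +'.
winbind_name() {
    local domain=$1 user=$2 sep=$3
    [ -n "$sep" ] || sep='\'
    # %s does not interpret backslashes, so the separator is emitted verbatim.
    printf '%s%s%s' "$domain" "$sep" "$user"
}

# Probe a name through NSS, which is what sshd/PAM ultimately ask.
# Returns 0 if getent resolves it, 1 if not, 2 if getent is unavailable here.
probe_name() {
    local name=$1
    command -v getent >/dev/null 2>&1 || return 2
    getent passwd "$name" >/dev/null 2>&1
}

# Usage on a real member server (hypothetical user jdoe, host app02 from the
# posted smb.conf). Note the single quotes: they keep the backslash intact.
#   probe_name "$(winbind_name NAME jdoe)"     # NAME\jdoe via getent
#   ssh -l 'NAME\jdoe' app02                   # quoted, backslash survives
#   ssh 'NAME\jdoe'@app02                      # same thing
#   ssh NAME\\jdoe@app02                       # escaped backslash also works
#   ssh NAME\jdoe@app02                        # WRONG: ssh sees NAMEjdoe
```

`probe_name` is the useful check here: if `getent passwd 'NAME\jdoe'` already fails on the server, the problem is on the winbind/NSS side and no spelling at the ssh prompt will help; if it succeeds, the remaining suspects are the quoting shown above and the PAM/sshd configuration.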