samba-3.6.23-20 and 'winbind use default domain'

Solution Verified

Issue

The option 'winbind use default domain' serves the following purpose:

This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their
username. Users without a domain component are treated as part of the winbindd server's own domain. While this does
not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native
unix system.
This option should be avoided if possible. It can cause confusion about responsibilities for a user or group. In many
situations it is not clear whether winbind or /etc/passwd should be seen as authoritative for a user, likewise for
groups.

Starting with samba-3.6.23-20, this option also affects user and group names that are placed in a usermap file or listed in smb.conf. This results in a change in behavior for the following scenarios:

  • A domain user under the default domain is mapped to a user of the same name that has been resolved by nss before winbind. For example, an smbuser file entry of "user1 = DOMAIN+user1". This is a collision that will always result in the DOMAIN+user1 uid being used for the session. Take care to ensure that you do not have name collisions between winbind users and groups and those resolved by nss before winbind.
  • Users and groups specified in shares for 'force user', 'valid users', etc. will assume the default domain when smbd performs a lookup on the name.
  • A domain user or group with the name 'root' should not be used. If using 'winbind use default domain' and winbind discovers these, they will collide with the system root and cause smbd to fail.

The 'winbind use default domain' option should be used with caution, and is mostly useful on servers that need a simple domain logon to RHEL services under a single domain. A server that services Windows clients, has sub-domains, or requires a special mapping of domain users should leave it disabled.
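
A check for the name collisions described above, written as an added example that is not part of the Red Hat article or of Samba. The function names and the `--live` switch are assumptions made for illustration; the default domain (workgroup) and the winbind separator are supplied by the operator.

```shell
#!/bin/sh
# Added example, not Red Hat's or Samba's code. Lists winbind names that,
# once 'winbind use default domain' drops the default-domain prefix, match
# a name already resolved from local files (including 'root').

# collisions LOCAL_FILE WINBIND_FILE DEFAULT_DOMAIN SEPARATOR
# Both files hold one name per line. Comparison is case-insensitive.
# Names prefixed with another domain keep their prefix and are skipped.
collisions() {
    DOM=$3 SEP=$4 awk '
        BEGIN { sep = tolower(ENVIRON["SEP"])
                prefix = tolower(ENVIRON["DOM"]) sep }
        FILENAME == ARGV[1] { if ($0 != "") local[tolower($0)] = 1; next }
        {
            name = tolower($0)
            if (index(name, prefix) == 1)
                name = substr(name, length(prefix) + 1)
            else if (index(name, sep) > 0)
                next
            if (name in local) print name
        }' "$1" "$2" | sort -u
}

# audit_live DEFAULT_DOMAIN SEPARATOR
# Compares /etc/passwd and /etc/group on this host with the output of
# `wbinfo -u` and `wbinfo -g`. Requires a running winbindd.
audit_live() {
    tmp=$(mktemp -d) || return 1
    cut -d: -f1 /etc/passwd > "$tmp/lu"
    cut -d: -f1 /etc/group  > "$tmp/lg"
    wbinfo -u > "$tmp/wu" && wbinfo -g > "$tmp/wg" || { rm -rf "$tmp"; return 1; }
    echo "user collisions:";  collisions "$tmp/lu" "$tmp/wu" "$1" "$2"
    echo "group collisions:"; collisions "$tmp/lg" "$tmp/wg" "$1" "$2"
    rm -rf "$tmp"
}

# Usage on a server (arguments are placeholders): sh check.sh --live DOMAIN '+'
if [ "${1:-}" = "--live" ]; then audit_live "$2" "$3"; fi
```

Any name it prints should be renamed or removed on one side before the option is enabled; a reported `root` corresponds to the case that causes smbd to fail.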

Environment

Red Hat Enterprise Linux 6, 7, 8
samba-x
