samba - Nov 2018 - Upgraded to 4.8 - forced to use winbindd - retro how to missing?

I don't know if this still works but it does what you want:

https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html


Regards


Am 13.11.18 um 15:37 schrieb Rowland Penny via samba:
> On Tue, 13 Nov 2018 09:21:14 -0500
> Richard Bollinger <rabollinger at gmail.com> wrote:
> 
>> Prior to 4.8, without winbind in the picture, a windows user named
>> "rab", for instance, could be authenticated by AD, but would
assume
>> the identity of the Unix user "rab", with all of his Unix
defined
>> groups.
>>
>> Of course, this is not full emulation of a Windows server experience,
>> but nonetheless it is the behavior we wanted and worked well in our
>> environment where every AD user who needed access to a Unix server
>> had a corresponding Unix ID assigned with that user's uid, gids,
>> identical on all the Unix servers.
>>
>> That is the "legacy" behavior we desire.  Is it still
possible to
>> achieve it with the current version of Samba?
>>
> 
> No and why would you want to ?
> Doing it your way means that you have to maintain the users & groups in
> two places, a total anathema to AD.
> 
> Just set up the Unix domain member correctly and your Windows users &
> groups become Unix users & groups, all of them if you use the winbind
> 'rid' backend, or, if you use the 'ad' backend, just the
ones you give
> a uidNumber or gidNumber attribute.
> 
> If you don't want to do this (and I fail to see why you wouldn't
want
> to), then leave the domain, and set the Samba server up as a standalone
> server.
> 
> Rowland
> 
-- 
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
Aufsichtsratsvorsitzender: Dr. Ludger Mueller

Yes that seems to be working as desired.  Thanks much.

On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba <
samba at lists.samba.org> wrote:
> I don't know if this still works but it does what you want:
>
> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
>
>
> Regards
>
>
> Am 13.11.18 um 15:37 schrieb Rowland Penny via samba:
> > On Tue, 13 Nov 2018 09:21:14 -0500
> > Richard Bollinger <rabollinger at gmail.com> wrote:
> >
> >> Prior to 4.8, without winbind in the picture, a windows user named
> >> "rab", for instance, could be authenticated by AD, but
would assume
> >> the identity of the Unix user "rab", with all of his
Unix defined
> >> groups.
> >>
> >> Of course, this is not full emulation of a Windows server
experience,
> >> but nonetheless it is the behavior we wanted and worked well in
our
> >> environment where every AD user who needed access to a Unix server
> >> had a corresponding Unix ID assigned with that user's uid,
gids,
> >> identical on all the Unix servers.
> >>
> >> That is the "legacy" behavior we desire.  Is it still
possible to
> >> achieve it with the current version of Samba?
> >>
> >
> > No and why would you want to ?
> > Doing it your way means that you have to maintain the users &
groups in
> > two places, a total anathema to AD.
> >
> > Just set up the Unix domain member correctly and your Windows users
&
> > groups become Unix users & groups, all of them if you use the
winbind
> > 'rid' backend, or, if you use the 'ad' backend, just
the ones you give
> > a uidNumber or gidNumber attribute.
> >
> > If you don't want to do this (and I fail to see why you
wouldn't want
> > to), then leave the domain, and set the Samba server up as a
standalone
> > server.
> >
> > Rowland
> >
>
> --
> Dr. Christian Naumer
> Research Scientist
> Plattform-Koordinator Bioprozesstechnik
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> fon +49-6251-9331-30  /   fax +49-6251-9331-11
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
> Aufsichtsratsvorsitzender: Dr. Ludger Mueller
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Well it *almost* works as before.  With this stanza and version 4.8.3,
access seems to only be granted per the single group listed in a user's
entry in /etc/passwd, not including groups listed in /etc/group

[global]
        workgroup = AMERICAS
        realm = AMERICAS.X.Y
        security = ADS
        idmap config * : range = 100000:199999
        idmap config AMERICAS : backend = nss
        idmap config AMERICAS : range = 1000:99999

Thoughts?

On Tue, Nov 13, 2018 at 12:24 PM Richard Bollinger <rabollinger at
gmail.com>
wrote:
> Yes that seems to be working as desired.  Thanks much.
>
> On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba <
> samba at lists.samba.org> wrote:
>
>> I don't know if this still works but it does what you want:
>>
>> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
>>
>>
>> Regards
>>
>>
>> Am 13.11.18 um 15:37 schrieb Rowland Penny via samba:
>> > On Tue, 13 Nov 2018 09:21:14 -0500
>> > Richard Bollinger <rabollinger at gmail.com> wrote:
>> >
>> >> Prior to 4.8, without winbind in the picture, a windows user
named
>> >> "rab", for instance, could be authenticated by AD,
but would assume
>> >> the identity of the Unix user "rab", with all of his
Unix defined
>> >> groups.
>> >>
>> >> Of course, this is not full emulation of a Windows server
experience,
>> >> but nonetheless it is the behavior we wanted and worked well
in our
>> >> environment where every AD user who needed access to a Unix
server
>> >> had a corresponding Unix ID assigned with that user's uid,
gids,
>> >> identical on all the Unix servers.
>> >>
>> >> That is the "legacy" behavior we desire.  Is it
still possible to
>> >> achieve it with the current version of Samba?
>> >>
>> >
>> > No and why would you want to ?
>> > Doing it your way means that you have to maintain the users &
groups in
>> > two places, a total anathema to AD.
>> >
>> > Just set up the Unix domain member correctly and your Windows
users &
>> > groups become Unix users & groups, all of them if you use the
winbind
>> > 'rid' backend, or, if you use the 'ad' backend,
just the ones you give
>> > a uidNumber or gidNumber attribute.
>> >
>> > If you don't want to do this (and I fail to see why you
wouldn't want
>> > to), then leave the domain, and set the Samba server up as a
standalone
>> > server.
>> >
>> > Rowland
>> >
>>
>> --
>> Dr. Christian Naumer
>> Research Scientist
>> Plattform-Koordinator Bioprozesstechnik
>>
>> B.R.A.I.N Aktiengesellschaft
>> Darmstaedter Str. 34-36, D-64673 Zwingenberg
>> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
>> fon +49-6251-9331-30  /   fax +49-6251-9331-11
>>
>> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
>> Registergericht AG Darmstadt, HRB 24758
>> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
>> Aufsichtsratsvorsitzender: Dr. Ludger Mueller
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>