Christian Naumer
2018-Nov-13 14:48 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
I don't know if this still works but it does what you want:

https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html

Regards

On 13.11.18 at 15:37, Rowland Penny via samba wrote:
> On Tue, 13 Nov 2018 09:21:14 -0500
> Richard Bollinger <rabollinger at gmail.com> wrote:
>
>> Prior to 4.8, without winbind in the picture, a windows user named
>> "rab", for instance, could be authenticated by AD, but would assume
>> the identity of the Unix user "rab", with all of his Unix defined
>> groups.
>>
>> Of course, this is not full emulation of a Windows server experience,
>> but nonetheless it is the behavior we wanted and worked well in our
>> environment where every AD user who needed access to a Unix server
>> had a corresponding Unix ID assigned with that user's uid, gids,
>> identical on all the Unix servers.
>>
>> That is the "legacy" behavior we desire. Is it still possible to
>> achieve it with the current version of Samba?
>>
>
> No and why would you want to ?
> Doing it your way means that you have to maintain the users & groups in
> two places, a total anathema to AD.
>
> Just set up the Unix domain member correctly and your Windows users &
> groups become Unix users & groups, all of them if you use the winbind
> 'rid' backend, or, if you use the 'ad' backend, just the ones you give
> a uidNumber or gidNumber attribute.
>
> If you don't want to do this (and I fail to see why you wouldn't want
> to), then leave the domain, and set the Samba server up as a standalone
> server.
>
> Rowland
>

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
Richard Bollinger
2018-Nov-13 17:24 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Yes that seems to be working as desired. Thanks much.

On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba <samba at lists.samba.org> wrote:
> I don't know if this still works but it does what you want:
>
> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
>
> Regards
>
> On 13.11.18 at 15:37, Rowland Penny via samba wrote:
> > On Tue, 13 Nov 2018 09:21:14 -0500
> > Richard Bollinger <rabollinger at gmail.com> wrote:
> >
> >> Prior to 4.8, without winbind in the picture, a windows user named
> >> "rab", for instance, could be authenticated by AD, but would assume
> >> the identity of the Unix user "rab", with all of his Unix defined
> >> groups.
> >>
> >> Of course, this is not full emulation of a Windows server experience,
> >> but nonetheless it is the behavior we wanted and worked well in our
> >> environment where every AD user who needed access to a Unix server
> >> had a corresponding Unix ID assigned with that user's uid, gids,
> >> identical on all the Unix servers.
> >>
> >> That is the "legacy" behavior we desire. Is it still possible to
> >> achieve it with the current version of Samba?
> >>
> >
> > No and why would you want to ?
> > Doing it your way means that you have to maintain the users & groups in
> > two places, a total anathema to AD.
> >
> > Just set up the Unix domain member correctly and your Windows users &
> > groups become Unix users & groups, all of them if you use the winbind
> > 'rid' backend, or, if you use the 'ad' backend, just the ones you give
> > a uidNumber or gidNumber attribute.
> >
> > If you don't want to do this (and I fail to see why you wouldn't want
> > to), then leave the domain, and set the Samba server up as a standalone
> > server.
> >
> > Rowland
> >
>
> --
> Dr. Christian Naumer
> Research Scientist
> Platform Coordinator Bioprocess Engineering
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Registered office: Zwingenberg/Bergstrasse
> Court of registration: AG Darmstadt, HRB 24758
> Management board: Dr. Juergen Eck (Chairman), Frank Goebel
> Chairman of the supervisory board: Dr. Ludger Mueller
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Richard Bollinger
2018-Nov-28 21:06 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Well it *almost* works as before. With this stanza and version 4.8.3, access seems to only be granted per the single group listed in a user's entry in /etc/passwd, not including groups listed in /etc/group

    [global]
    workgroup = AMERICAS
    realm = AMERICAS.X.Y
    security = ADS
    idmap config * : range = 100000:199999
    idmap config AMERICAS : backend = nss
    idmap config AMERICAS : range = 1000:99999

Thoughts?

On Tue, Nov 13, 2018 at 12:24 PM Richard Bollinger <rabollinger at gmail.com> wrote:
> Yes that seems to be working as desired. Thanks much.
>
> On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba <samba at lists.samba.org> wrote:
>
>> I don't know if this still works but it does what you want:
>>
>> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
>>
>> Regards
>>
>> On 13.11.18 at 15:37, Rowland Penny via samba wrote:
>> > On Tue, 13 Nov 2018 09:21:14 -0500
>> > Richard Bollinger <rabollinger at gmail.com> wrote:
>> >
>> >> Prior to 4.8, without winbind in the picture, a windows user named
>> >> "rab", for instance, could be authenticated by AD, but would assume
>> >> the identity of the Unix user "rab", with all of his Unix defined
>> >> groups.
>> >>
>> >> Of course, this is not full emulation of a Windows server experience,
>> >> but nonetheless it is the behavior we wanted and worked well in our
>> >> environment where every AD user who needed access to a Unix server
>> >> had a corresponding Unix ID assigned with that user's uid, gids,
>> >> identical on all the Unix servers.
>> >>
>> >> That is the "legacy" behavior we desire. Is it still possible to
>> >> achieve it with the current version of Samba?
>> >>
>> >
>> > No and why would you want to ?
>> > Doing it your way means that you have to maintain the users & groups in
>> > two places, a total anathema to AD.
>> >
>> > Just set up the Unix domain member correctly and your Windows users &
>> > groups become Unix users & groups, all of them if you use the winbind
>> > 'rid' backend, or, if you use the 'ad' backend, just the ones you give
>> > a uidNumber or gidNumber attribute.
>> >
>> > If you don't want to do this (and I fail to see why you wouldn't want
>> > to), then leave the domain, and set the Samba server up as a standalone
>> > server.
>> >
>> > Rowland
>> >
>>
>> --
>> Dr. Christian Naumer
>> Research Scientist
>> Platform Coordinator Bioprocess Engineering
>>
>> B.R.A.I.N Aktiengesellschaft
>> Darmstaedter Str. 34-36, D-64673 Zwingenberg
>> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
>> phone +49-6251-9331-30 / fax +49-6251-9331-11
>>
>> Registered office: Zwingenberg/Bergstrasse
>> Court of registration: AG Darmstadt, HRB 24758
>> Management board: Dr. Juergen Eck (Chairman), Frank Goebel
>> Chairman of the supervisory board: Dr. Ludger Mueller
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
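
An added example, not part of the thread or of Samba's code: a check that separates a user's primary gid in /etc/passwd from the memberships held only through /etc/group, which are the ones the last message reports as not being honoured, and flags gids outside the range the stanza gives for AMERICAS. The passwd and group contents, the ids for "rab" and the group names are constructed sample data.

```python
# Added example: constructed passwd(5)/group(5) data, not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
rab:x:1001:1001:Constructed user:/home/rab:/bin/bash
"""
SAMPLE_GROUP = """\
# name:passwd:gid:members
rab:x:1001:
projects:x:2001:rab,alice
finance:x:2002:alice
backup:x:2003:bob,rab
legacy:x:500:rab
"""
# Range from the thread's "idmap config AMERICAS : range" line.
AMERICAS_RANGE = (1000, 99999)


def rows(text, min_fields):
    """Yield the colon-separated fields of each well-formed, non-comment line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def group_report(user, passwd_text, group_text, id_range=AMERICAS_RANGE):
    """Return (primary_gid, supplementary_gids, gids_outside_id_range)."""
    primary = next(
        (int(f[3]) for f in rows(passwd_text, 7) if f[0] == user), None)
    if primary is None:
        raise KeyError(f"no passwd entry for {user!r}")
    # Memberships that exist only as a name in the fourth field of group(5).
    supplementary = sorted(
        int(f[2]) for f in rows(group_text, 4)
        if user in f[3].split(",") and int(f[2]) != primary)
    low, high = id_range
    outside = [g for g in [primary] + supplementary if not low <= g <= high]
    return primary, supplementary, outside


if __name__ == "__main__":
    primary, extra, outside = group_report("rab", SAMPLE_PASSWD, SAMPLE_GROUP)
    print("primary gid from passwd:", primary)
    print("gids held only through group:", extra)
    print("gids outside the idmap range:", outside)
```

Passing the contents of the server's own /etc/passwd and /etc/group instead of the samples gives the list of groups to test share access against.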