Richard Bollinger
2018-Nov-28 21:06 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Well it *almost* works as before. With this stanza and version 4.8.3,
access seems to only be granted per the single group listed in a user's
entry in /etc/passwd, not including groups listed in /etc/group

[global]
workgroup = AMERICAS
realm = AMERICAS.X.Y
security = ADS
idmap config * : range = 100000:199999
idmap config AMERICAS : backend = nss
idmap config AMERICAS : range = 1000:99999

Thoughts?

On Tue, Nov 13, 2018 at 12:24 PM Richard Bollinger <rabollinger at gmail.com> wrote:
> Yes that seems to be working as desired. Thanks much.
>
> On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba <
> samba at lists.samba.org> wrote:
>
>> I don't know if this still works but it does what you want:
>>
>> https://www.samba.org/samba/docs/current/man-html/idmap_nss.8.html
>>
>>
>> Regards
>>
>>
>> On 13.11.18 at 15:37, Rowland Penny via samba wrote:
>> > On Tue, 13 Nov 2018 09:21:14 -0500
>> > Richard Bollinger <rabollinger at gmail.com> wrote:
>> >
>> >> Prior to 4.8, without winbind in the picture, a windows user named
>> >> "rab", for instance, could be authenticated by AD, but would assume
>> >> the identity of the Unix user "rab", with all of his Unix defined
>> >> groups.
>> >>
>> >> Of course, this is not full emulation of a Windows server experience,
>> >> but nonetheless it is the behavior we wanted and worked well in our
>> >> environment where every AD user who needed access to a Unix server
>> >> had a corresponding Unix ID assigned with that user's uid, gids,
>> >> identical on all the Unix servers.
>> >>
>> >> That is the "legacy" behavior we desire. Is it still possible to
>> >> achieve it with the current version of Samba?
>> >>
>> >
>> > No and why would you want to ?
>> > Doing it your way means that you have to maintain the users & groups in
>> > two places, a total anathema to AD.
>> >
>> > Just set up the Unix domain member correctly and your Windows users &
>> > groups become Unix users & groups, all of them if you use the winbind
>> > 'rid' backend, or, if you use the 'ad' backend, just the ones you give
>> > a uidNumber or gidNumber attribute.
>> >
>> > If you don't want to do this (and I fail to see why you wouldn't want
>> > to), then leave the domain, and set the Samba server up as a standalone
>> > server.
>> >
>> > Rowland
>> >
>>
>> --
>> Dr. Christian Naumer
>> Research Scientist
>> Platform Coordinator, Bioprocess Engineering
>>
>> B.R.A.I.N Aktiengesellschaft
>> Darmstaedter Str. 34-36, D-64673 Zwingenberg
>> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
>> phone +49-6251-9331-30 / fax +49-6251-9331-11
>>
>> Registered office: Zwingenberg/Bergstrasse
>> Court of registration: AG Darmstadt, HRB 24758
>> Executive Board: Dr. Juergen Eck (Chairman), Frank Goebel
>> Chairman of the Supervisory Board: Dr. Ludger Mueller
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
Rowland Penny
2018-Nov-28 21:17 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
On Wed, 28 Nov 2018 16:06:01 -0500
Richard Bollinger via samba <samba at lists.samba.org> wrote:

> Well it *almost* works as before. With this stanza and version 4.8.3,
> access seems to only be granted per the single group listed in a
> user's entry in /etc/passwd, not including groups listed in /etc/group
>
> [global]
> workgroup = AMERICAS
> realm = AMERICAS.X.Y
> security = ADS
> idmap config * : range = 100000:199999
> idmap config AMERICAS : backend = nss
> idmap config AMERICAS : range = 1000:99999
>
> Thoughts?

You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-)

It should be '100000-199999' not '100000:19999'

You will also need winbind running.

Rowland
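
The range correction in the reply above can be checked mechanically before restarting winbind. The following is an added example, not part of the thread and not Samba code: a small Python linter for the `idmap config ... : range` lines of an smb.conf, run over the stanza as posted and over a corrected copy. The function name `check_idmap` and the overlap check between domains are assumptions of this example.

```python
import re

# Constructed sample: the [global] stanza as first posted in this thread.
POSTED = """\
[global]
workgroup = AMERICAS
realm = AMERICAS.X.Y
security = ADS
idmap config * : range = 100000:199999
idmap config AMERICAS : backend = nss
idmap config AMERICAS : range = 1000:99999
"""
# The same stanza with the separator corrected to '-'.
FIXED = POSTED.replace("100000:199999", "100000-199999").replace(
    "1000:99999", "1000-99999")

# "idmap config <DOMAIN> : <option> = <value>"; smb.conf keys are case-insensitive.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def check_idmap(conf_text):
    """Return (ranges, problems) for the idmap range lines in smb.conf text."""
    ranges, problems = {}, []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = IDMAP_RE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        domain, value = m.group(1), m.group(3)
        r = RANGE_RE.match(value)
        if not r:
            problems.append(f"line {lineno}: {domain}: '{value}' is not low-high")
            continue
        low, high = int(r.group(1)), int(r.group(2))
        if low > high:
            problems.append(f"line {lineno}: {domain}: low {low} > high {high}")
            continue
        ranges[domain] = (low, high)
    # Two domains must not be able to hand out the same uid/gid.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: ranges overlap")
    return ranges, problems


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check_idmap(text))
```
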
Richard Bollinger
2018-Nov-28 21:48 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
winbind is running and I fixed the ranges. testparm seems happy now.
Same result. Any other suggestions?

On Wed, Nov 28, 2018 at 4:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Nov 2018 16:06:01 -0500
> Richard Bollinger via samba <samba at lists.samba.org> wrote:
>
> > Well it *almost* works as before. With this stanza and version 4.8.3,
> > access seems to only be granted per the single group listed in a
> > user's entry in /etc/passwd, not including groups listed in /etc/group
> >
> > [global]
> > workgroup = AMERICAS
> > realm = AMERICAS.X.Y
> > security = ADS
> > idmap config * : range = 100000:199999
> > idmap config AMERICAS : backend = nss
> > idmap config AMERICAS : range = 1000:99999
> >
> > Thoughts?
>
> You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-)
>
> It should be '100000-199999' not '100000:19999'
>
> You will also need winbind running.
>
> Rowland