Richard Bollinger
2018-Nov-28 21:06 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Well it *almost* works as before. With this stanza and version 4.8.3, access seems to only be granted per the single group listed in a user's entry in /etc/passwd, not including groups listed in /etc/group [global] workgroup = AMERICAS realm = AMERICAS.X.Y security = ADS idmap config * : range = 100000:199999 idmap config AMERICAS : backend = nss idmap config AMERICAS : range = 1000:99999 Thoughts? On Tue, Nov 13, 2018 at 12:24 PM Richard Bollinger <rabollinger at gmail.com> wrote:> Yes that seems to be working as desired. Thanks much. > > On Tue, Nov 13, 2018 at 10:50 AM Christian Naumer via samba < > samba at lists.samba.org> wrote: > >> I don't know if this still works but it does what you want: >> >> samba.org/samba/docs/current/man-html/idmap_nss.8.html >> >> >> Regards >> >> >> Am 13.11.18 um 15:37 schrieb Rowland Penny via samba: >> > On Tue, 13 Nov 2018 09:21:14 -0500 >> > Richard Bollinger <rabollinger at gmail.com> wrote: >> > >> >> Prior to 4.8, without winbind in the picture, a windows user named >> >> "rab", for instance, could be authenticated by AD, but would assume >> >> the identity of the Unix user "rab", with all of his Unix defined >> >> groups. >> >> >> >> Of course, this is not full emulation of a Windows server experience, >> >> but nonetheless it is the behavior we wanted and worked well in our >> >> environment where every AD user who needed access to a Unix server >> >> had a corresponding Unix ID assigned with that user's uid, gids, >> >> identical on all the Unix servers. >> >> >> >> That is the "legacy" behavior we desire. Is it still possible to >> >> achieve it with the current version of Samba? >> >> >> > >> > No and why would you want to ? >> > Doing it your way means that you have to maintain the users & groups in >> > two places, a total anathema to AD. >> > >> > Just set up the Unix domain member correctly and your Windows users & >> > groups become Unix users & groups, all of them if you use the winbind >> > 'rid' backend, or, if you use the 'ad' backend, just the ones you give >> > a uidNumber or gidNumber attribute. >> > >> > If you don't want to do this (and I fail to see why you wouldn't want >> > to), then leave the domain, and set the Samba server up as a standalone >> > server. >> > >> > Rowland >> > >> >> -- >> Dr. Christian Naumer >> Research Scientist >> Plattform-Koordinator Bioprozesstechnik >> >> B.R.A.I.N Aktiengesellschaft >> Darmstaedter Str. 34-36, D-64673 Zwingenberg >> e-mail cn at brain-biotech.de, homepage brain-biotech.de >> fon +49-6251-9331-30 / fax +49-6251-9331-11 >> >> Sitz der Gesellschaft: Zwingenberg/Bergstrasse >> Registergericht AG Darmstadt, HRB 24758 >> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel >> Aufsichtsratsvorsitzender: Dr. Ludger Mueller >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: lists.samba.org/mailman/options/samba > >
Rowland Penny
2018-Nov-28 21:17 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
On Wed, 28 Nov 2018 16:06:01 -0500 Richard Bollinger via samba <samba at lists.samba.org> wrote:> Well it *almost* works as before. With this stanza and version 4.8.3, > access seems to only be granted per the single group listed in a > user's entry in /etc/passwd, not including groups listed in /etc/group > > [global] > workgroup = AMERICAS > realm = AMERICAS.X.Y > security = ADS > idmap config * : range = 100000:199999 > idmap config AMERICAS : backend = nss > idmap config AMERICAS : range = 1000:99999 > > Thoughts?You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-) It should be '100000-199999' not '100000:19999' You will also need winbind running. Rowland
Richard Bollinger
2018-Nov-28 21:48 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
winbind is running and I fixed the ranges. testparm seems happy now. Same result. Any other suggestions? On Wed, Nov 28, 2018 at 4:18 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Wed, 28 Nov 2018 16:06:01 -0500 > Richard Bollinger via samba <samba at lists.samba.org> wrote: > > > Well it *almost* works as before. With this stanza and version 4.8.3, > > access seems to only be granted per the single group listed in a > > user's entry in /etc/passwd, not including groups listed in /etc/group > > > > [global] > > workgroup = AMERICAS > > realm = AMERICAS.X.Y > > security = ADS > > idmap config * : range = 100000:199999 > > idmap config AMERICAS : backend = nss > > idmap config AMERICAS : range = 1000:99999 > > > > Thoughts? > > You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-) > > It should be '100000-199999' not '100000:19999' > > You will also need winbind running. > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: lists.samba.org/mailman/options/samba
Apparently Analagous Threads
- Upgraded to 4.8 - forced to use winbindd - retro how to missing?
- Upgraded to 4.8 - forced to use winbindd - retro how to missing?
- Upgraded to 4.8 - forced to use winbindd - retro how to missing?
- Upgraded to 4.8 - forced to use winbindd - retro how to missing?
- Upgraded to 4.8 - forced to use winbindd - retro how to missing?