Bivans, Crispin
2020-Jun-04 18:58 UTC
[Samba] Unable to map AD Users to existing local Unix users since 4.8.x
Rowland said:

>> Is there a set of settings to restore the mapping of AD users to pre-existing Unix Users?
> No

>> Does the official Samba distributed project source continue to support AD Users mapping to pre-existing Unix Users?
> I do not think it ever did.

I found this reference quickly from Google describing the previous behavior. Winbind was always optional until perhaps recently.

https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/idmapper.html

This functionality I know has worked from the early 2000s (roughly 2002) until last year.

From page:

"A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not the winbindd daemon is used and how the winbind functionality is configured. The configuration options are briefly described here:

Winbind is not used; users and groups are local:
Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the session setup request and passing it to the getpwnam() system function call. This call is implemented using the name service switch (NSS) mechanism on modern UNIX/Linux systems. By saying "users and groups are local," we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.

For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file."

>> Do we just need to compile our own Samba to get back that functionality?
> How? The functionality that let your system work has been removed.

Can you point me to a Release Changes note that says explicitly that Winbind is now required or that mapping of AD users to local unix accounts has been removed?

Crispin
Rowland penny
2020-Jun-04 19:07 UTC
[Samba] Unable to map AD Users to existing local Unix users since 4.8.x
On 04/06/2020 19:58, Bivans, Crispin via samba wrote:
> Rowland said:
>
>>> Is there a set of settings to restore the mapping of AD users to pre-existing Unix Users?
>> No
>>> Does the official Samba distributed project source continue to support AD Users mapping to pre-existing Unix Users?
>> I do not think it ever did.
> I found this reference quickly from Google describing the previous behavior.
> Winbind was always optional until perhaps recently.
> https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/idmapper.html
> This functionality I know has worked from the early 2000s (roughly 2002) until last year.
>
> From page:
> "A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not the winbindd daemon is used and how the winbind functionality is configured. The configuration options are briefly described here:
>
> Winbind is not used; users and groups are local:
> Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the session setup request and passing it to the getpwnam() system function call. This call is implemented using the name service switch (NSS) mechanism on modern UNIX/Linux systems. By saying "users and groups are local," we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.
>
> For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file.
> "
>
>>> Do we just need to compile our own Samba to get back that functionality?
>> How? The functionality that let your system work has been removed.
> Can you point me to a Release Changes note that says explicitly that Winbind is now required or that mapping of AD users to local unix accounts has been removed?
>
> Crispin

Yes, see here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Domain_member_setups_require_winbindd

Samba did a lot of things back in the NT4-style domain days, some of which dragged into the start of the AD client setups; quite a few of them were not really a good idea.

Rowland
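Since 4.8 a domain member (security = ads or security = domain) needs a running winbindd, and winbindd needs an idmap configuration. The following checker is an added example, not code from this thread or from the Samba project: it parses an smb.conf with a small hand-written parser and flags a member setup whose [global] section lacks the idmap keys. The key names are the ones the Samba wiki's domain-member guide uses; treating them as required, and the sample configurations, are this example's own assumptions (testparm remains the authoritative parser).

```python
import re

# Security modes that make a host a domain member; since Samba 4.8 such
# setups need a running winbindd, which in turn needs an idmap configuration.
MEMBER_SECURITY = {"ads", "domain"}

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}; keys are lower-cased
    with whitespace collapsed ('idmap config *  : Backend' -> 'idmap config * : backend')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank and comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return conf

def member_idmap_problems(text):
    """Findings for a domain-member smb.conf; [] for a standalone host or when
    the [global] section carries the idmap keys winbindd needs."""
    g = parse_smb_conf(text).get("global", {})
    if g.get("security", "user").lower() not in MEMBER_SECURITY:
        return []                                # standalone server, winbindd not involved
    problems = [f"missing '{key}'" for key in
                ("idmap config * : backend", "idmap config * : range") if key not in g]
    domain = g.get("workgroup", "").lower()
    if domain and f"idmap config {domain} : backend" not in g:
        problems.append(f"no idmap backend for '{domain}': its users get IDs allocated "
                        "from the '*' range on first use, which can differ between hosts")
    return problems

# Constructed sample configurations, not taken from the thread.
MEMBER_WITHOUT_IDMAP = """\
[global]
   workgroup = EXAMPLE
   security = ads
"""
MEMBER_WITH_IDMAP = MEMBER_WITHOUT_IDMAP + """\
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
"""
```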