samba - Jun 2020 - Unable to map AD Users to existing local Unix users since 4.8.x

Rowland said:
>> Is there a set of settings to restore the mapping of AD users to
pre-existing Unix Users?
>No
>>
>> Does the official Samba distributed project source continue to support
AD Users mapping to pre-existing Unix Users?
>I do not think it ever did.
I found this reference quickly from google describing the previous behavior.
Winbind was always optional until perhaps recently.
https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/idmapper.html
This functionality I know has worked from early 2000's (roughly 2002) until
last year.

From page:
"A Samba member of a Windows networking domain (NT4-style or ADS) can be
configured to handle identity mapping in a variety of ways. The mechanism it
uses depends on whether or not the winbindd daemon is used and how the winbind
functionality is configured. The configuration options are briefly described
here:

Winbind is not used; users and groups are local:
Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux
mechanisms to resolve the identity of incoming network traffic. This is done
using the LoginID (account name) in the session setup request and passing it to
the getpwnam() system function call. This call is implemented using the name
service switch (NSS) mechanism on modern UNIX/Linux systems. By saying
"users and groups are local," we are implying that they are stored
only on the local system, in the /etc/passwd and /etc/group respectively.

For example, when the user BERYLIUM\WambatW tries to open a connection to a
Samba server the incoming SessionSetupAndX request will make a system call to
look up the user WambatW in the /etc/passwd file.
"
>> Do we just need to compile our own Samba to get back that
functionality?
>How ? the functionality that let your system work has been removed.
Can you point me to a Release Changes note that says explicitly that Winbind is
now required or that mapping of AD users to local unix accounts has been
removed?

Crispin

On 04/06/2020 19:58, Bivans, Crispin via samba wrote:
> Rowland said:
>
>>> Is there a set of settings to restore the mapping of AD users to
pre-existing Unix Users?
>> No
>>> Does the official Samba distributed project source continue to
support AD Users mapping to pre-existing Unix Users?
>> I do not think it ever did.
> I found this reference quickly from google describing the previous
behavior.
> Winbind was always optional until perhaps recently.
> https://www.samba.org/~ab/output/htmldocs/Samba3-HOWTO/idmapper.html
> This functionality I know has worked from early 2000's (roughly 2002)
until last year.
>
>  From page:
> "A Samba member of a Windows networking domain (NT4-style or ADS) can
be configured to handle identity mapping in a variety of ways. The mechanism it
uses depends on whether or not the winbindd daemon is used and how the winbind
functionality is configured. The configuration options are briefly described
here:
>
> Winbind is not used; users and groups are local:
> Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux
mechanisms to resolve the identity of incoming network traffic. This is done
using the LoginID (account name) in the session setup request and passing it to
the getpwnam() system function call. This call is implemented using the name
service switch (NSS) mechanism on modern UNIX/Linux systems. By saying
"users and groups are local," we are implying that they are stored
only on the local system, in the /etc/passwd and /etc/group respectively.
>
> For example, when the user BERYLIUM\WambatW tries to open a connection to a
Samba server the incoming SessionSetupAndX request will make a system call to
look up the user WambatW in the /etc/passwd file.
> "
>
>>> Do we just need to compile our own Samba to get back that
functionality?
>> How ? the functionality that let your system work has been removed.
> Can you point me to a Release Changes note that says explicitly that
Winbind is now required or that mapping of AD users to local unix accounts has
been removed?
>
> Crispin
Yes, see here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Domain_member_setups_require_winbindd

Samba did a lot of things back in the NT4-style domain days, some of 
which dragged into the start of the AD client setups, quite a few of 
them were not really a good idea.

Rowland