Hi all,

actually we have Samba 4.5.16 running under Devuan 2.0 (Ascii) as an AD member without winbind configured. UID and GID information comes from NSS (nslcd -> LDAP). LDAP and AD are in sync.

After the upgrade to Devuan 3.0 (Beowulf) with Samba 4.9.5 this constellation does not work anymore. Samba insists on configuring winbind.

Can I configure winbind to use 'local' users and groups from NSS?

Or any idea how I can get the 'old' constellation (without winbind) working?

Regards
Thomas

--
Karlsruher Institut für Technologie (KIT)
archIT [IT-Management der Fakultät Architektur]
Dipl.-Ing. Thomas Besser
Gebäude 11.40, Raum 010 | Fon +49 721 608 46024
http://www.arch.kit.edu/fakultaet/it-management.php
KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft

On 30/10/2020 09:20, Thomas Besser via samba wrote:
> Hi all,
>
> actually we have running samba 4.5.16 under Devuan 2.0 (Ascii) as AD
> member without winbind configured. UID and GID informations coming
> from NSS (nslcd -> LDAP). LDAP and AD are in sync.

So you will have uidNumber and gidNumber attributes in AD.

> After upgrade to Devuan 3.0 (Beowulf) with samba 4.9.5 this
> constellation does not work anymore. Samba insists on configuring
> winbind.

Yes it does, from Samba >= 4.8.0 with 'security = ADS' in smb.conf, you must run winbind. Before 4.8.0, smbd could contact AD directly, this facility has now been removed and smbd must go through winbind to contact AD.

> Can I configure winbind to use 'local' users and groups from NSS?

No, local users are just that, local users, but you can make AD users into Unix users by using the winbind 'ad' backend. This works quite well.

If you want a later version of Samba, see here:

http://apt.van-belle.nl/

Just pretend your 'Beowulf' is 'buster', it will work.

Rowland

On 30.10.20 at 10:57, Rowland Penny via samba wrote:
> On 30/10/2020 09:20, Thomas Besser via samba wrote:
>> actually we have running samba 4.5.16 under Devuan 2.0 (Ascii) as AD
>> member without winbind configured. UID and GID informations coming
>> from NSS (nslcd -> LDAP). LDAP and AD are in sync.
> So you will have uidNumber and gidNumber attributes in AD.

No, AD does not have uidNumber and gidNumber. Only LDAP (separate OpenLDAP!) has this information. Both AD and LDAP are provided by the identity management system, so they are in sync regarding accounts and groups.

>> After upgrade to Devuan 3.0 (Beowulf) with samba 4.9.5 this
>> constellation does not work anymore. Samba insists on configuring
>> winbind.
> Yes it does, from Samba >= 4.8.0 with 'security = ADS' in smb.conf , you
> must run winbind. Before 4.8.0 , smbd could contact AD directly, this
> facility has now been removed and smbd must go through winbind to
> contact AD.
>>
>> Can I configure winbind to use 'local' users and groups from NSS?
> No, local users are just that, local users, but you can make AD users
> into Unix users by using the winbind 'ad' backend. This works quite well.

Ok, then I would need a winbind 'ldap' backend. Does this exist?

Regards
Thomas

On 10/30/20 at 10:20 AM, Thomas Besser via samba wrote:
> Can I configure winbind to use 'local' users and groups from NSS?

there's idmap_nss that may work for you.

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46

On 30/10/2020 11:06, Ralph Boehme via samba wrote:
> Am 10/30/20 um 10:20 AM schrieb Thomas Besser via samba:
>> Can I configure winbind to use 'local' users and groups from NSS?
> there's idmap_nss that may work for you.
>
> -slow

Already mentioned that, problem is it is an allocating backend, unless I am reading the manpage wrong.

Rowland