AW: AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore

Rowland Penny repenny241155 at
Thu Jan 29 08:27:04 MST 2015

On 29/01/15 14:48, Dr. Hansjoerg Maurer wrote:
> Hi Roland
> thanks for your explanations.
> I will try to reproduce the force user problem with
>> passwd: files winbind
>> group:  files winbind
> But switching to winbind is no option in this case.
> This organisation has more than 1000 Linux systems connected to AD
> and 6 years ago (when winbind has no offline mode... ) a decision was made to connect them to AD using VAS.
> VAS provides a lot more options than winbind has, eg group policys,
> OU and group filtering, attribute overwriting and so on.
> And both configurations with VAS and idmap_ad or idmap_nss run up to 4.1.16 and do not work any more with 4.2rc4.
> Or beeing more accurate, they still work, but the force user option does not work any more in this case.
> (force group still works)
> I am testing a RC in order to provide early feedback that something is not working any more as expected.
> I do not now if this is a bug, a regression or that certain configurations like the one described in the  manpage of  idmap_nss
> are not supported any more.
> If it is not supported any more, it should be noted in the Release Notes, because it could break running installations.
> Regards
> Hansjörg

This may have something to do with the change of winbind in 4.2, but 
whatever the cause, it is not helping if VAS allows you to have Unix 
users and Domain users with the same name, just how is Unix to know 
which user 'maurerh' is, is it the local user or is the domain user ?

You may be able to replace VAS with sssd, the latest version seems to do 
what VAS does, but you will still have to loose the local unix users as 
any AD Domain user can become a Unix user, so actual local users are not 


More information about the samba-technical mailing list