AW: AW: AW: after an upgrade from 4.1.6 to 4.2.0rc4 with security = ADS "force user" did not work anymore
Rowland Penny
repenny241155 at gmail.com
Thu Jan 29 08:27:04 MST 2015
On 29/01/15 14:48, Dr. Hansjoerg Maurer wrote:
> Hi Roland
>
> thanks for your explanations.
> I will try to reproduce the force user problem with
>
>> passwd: files winbind
>> group: files winbind
> But switching to winbind is no option in this case.
> This organisation has more than 1000 Linux systems connected to AD
> and 6 years ago (when winbind has no offline mode... ) a decision was made to connect them to AD using VAS.
> VAS provides a lot more options than winbind has, eg group policys,
> OU and group filtering, attribute overwriting and so on.
>
> And both configurations with VAS and idmap_ad or idmap_nss run up to 4.1.16 and do not work any more with 4.2rc4.
> Or beeing more accurate, they still work, but the force user option does not work any more in this case.
> (force group still works)
>
> I am testing a RC in order to provide early feedback that something is not working any more as expected.
>
> I do not now if this is a bug, a regression or that certain configurations like the one described in the manpage of idmap_nss
> are not supported any more.
> If it is not supported any more, it should be noted in the Release Notes, because it could break running installations.
>
> Regards
>
> Hansjörg
>
>
This may have something to do with the change of winbind in 4.2, but
whatever the cause, it is not helping if VAS allows you to have Unix
users and Domain users with the same name, just how is Unix to know
which user 'maurerh' is, is it the local user or is the domain user ?
You may be able to replace VAS with sssd, the latest version seems to do
what VAS does, but you will still have to loose the local unix users as
any AD Domain user can become a Unix user, so actual local users are not
required.
Rowland
More information about the samba-technical
mailing list