Winbind changes in 4.6/Change for 4.6.0?

Fri Mar 3 18:09:30 UTC 2017

On Fri, 2017-03-03 at 12:12 +0100, Karolin Seeger wrote:
> Hi,
> 
> we just had some internal discussions about the winbind changes in
> Samba
> 4.6.0. The removal of the token groups fallback will break
> exististing
> setups (e.g. domain members where people access files without Samba
> (nfs, ...). There is no workaround!
> 
> What about re-adding this feature cleanly and for local domains only
> and
> disable it by default?
> 
> Please find attached a patchset from Volker.
> "winbind : ask token groups = yes" would restore the old behaviour.
> (I would prefer a documented parameter, but that could be changed.)
> 
> Unfortunately, it's pretty late in the release process, but since the
> code is disabled by default, it should not be a big deal...
> 
> The planned release date for the final release still is Tuesday,
> March 7.
> Some patches have been added sinc rc4, but it seems to be ok to go
> ahead
> with rc5.
> 
> Opinions?

I really appreciated the move to push this up in the WHATSNEW earlier
in the week, and it certainly gave me the same gut feeling of 'ouch,
did we really break this with no workaround?'.

I would put it back without the smb.conf option myself, but I'll take
anything to avoid dropping sites into unsupported.

My strong feeling is that while Samba often is used at incredible scale
with large numbers of complex trusts spanning the globe, that the vast
majority of our users do have just one domain, do expect things like
this to work and don't really like being told "we broke this until we
get time to implement X".

Breaking the unreliable use across trusts is one thing, but I think you
are quite right to suggest getting this back.  And much as I hate
slipping, I would rather slip than muck this up.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba