Winbind changes in 4.6/Change for 4.6.0?

Karolin Seeger kseeger at samba.org
Mon Mar 6 07:21:22 UTC 2017


Hi,

On 03/06/2017 07:33 AM, Stefan Metzmacher wrote:
> On 03.03.2017 at 19:09, Andrew Bartlett wrote:
>> On Fri, 2017-03-03 at 12:12 +0100, Karolin Seeger wrote:
>>> Hi,
>>>
>>> we just had some internal discussions about the winbind changes in
>>> Samba 4.6.0. The removal of the token groups fallback will break
>>> existing setups (e.g. domain members where people access files
>>> without Samba (nfs, ...)). There is no workaround!
>>>
>>> What about re-adding this feature cleanly and for local domains only
>>> and disable it by default?
>>>
>>> Please find attached a patchset from Volker.
>>> "winbind : ask token groups = yes" would restore the old behaviour.
>>> (I would prefer a documented parameter, but that could be changed.)
>>>
>>> Unfortunately, it's pretty late in the release process, but since the
>>> code is disabled by default, it should not be a big deal...
>>>
>>> The planned release date for the final release still is Tuesday,
>>> March 7.
>>> Some patches have been added since rc4, but it seems to be ok to go
>>> ahead with rc5.
>>>
>>> Opinions?
>>
>> I really appreciated the move to push this up in the WHATSNEW earlier
>> in the week, and it certainly gave me the same gut feeling of 'ouch,
>> did we really break this with no workaround?'.
>>
>> I would put it back without the smb.conf option myself, but I'll take
>> anything to avoid dropping sites into unsupported.
> 
> I'd also think we should restore the whole old behavior, also returning
> the broken values for trusted domains.
> 
> I don't really care if we have no option at all, one option to enable
> the old behavior or even 2 options to enable it for the primary domain
> and other domains separately. If we add options we should add them as fully
> documented options (and mark them as deprecated similar to "lsa over
> netlogon").
> 
> But I guess restoring this without option would be the simplest way
> of doing it...
> 
> metze

if we are going to stick to the current schedule, the release will be
shipped tomorrow. That means, we have to push the patches to autobuild
now. Shall I take Volker's patches as they were attached to the first
mail, or is anyone working on the proposals mentioned above?

Undocumented parametric option or documented parameter?

Cheers,
Karo

-- 
Karolin Seeger			https://samba.org/~kseeger/
Release Manager Samba Team	https://samba.org
Team Lead Samba SerNet		https://sernet.de


