Winbind changes in 4.6/Change for 4.6.0?

Andrew Bartlett abartlet at samba.org
Mon Mar 6 08:57:31 UTC 2017


On Mon, 2017-03-06 at 07:33 +0100, Stefan Metzmacher wrote:
> Am 03.03.2017 um 19:09 schrieb Andrew Bartlett:
> > On Fri, 2017-03-03 at 12:12 +0100, Karolin Seeger wrote:
> > > Hi,
> > > 
> > > we just had some internal discussions about the winbind changes in
> > > Samba 4.6.0. The removal of the token groups fallback will break
> > > existing setups (e.g. domain members where people access files
> > > without Samba (nfs, ...). There is no workaround!
> > > 
> > > What about re-adding this feature cleanly and for local domains
> > > only and disabling it by default?
> > > 
> > > Please find attached a patchset from Volker.
> > > "winbind : ask token groups = yes" would restore the old behaviour.
> > > (I would prefer a documented parameter, but that could be changed.)
> > > 
> > > Unfortunately, it's pretty late in the release process, but since
> > > the code is disabled by default, it should not be a big deal...
> > > 
> > > The planned release date for the final release still is Tuesday,
> > > March 7. Some patches have been added since rc4, but it seems to be
> > > ok to go ahead with rc5.
> > > 
> > > Opinions?
> > 
> > I really appreciated the move to push this up in the WHATSNEW earlier
> > in the week, and it certainly gave me the same gut feeling of 'ouch,
> > did we really break this with no workaround?'.
> > 
> > I would put it back without the smb.conf option myself, but I'll take
> > anything to avoid dropping sites into unsupported.
> 
> I'd also think we should restore the whole old behavior, also returning
> the broken values for trusted domains.
> 
> I don't really care if we have no option at all, one option to enable
> the old behavior or even 2 options to enable it for the primary domain
> and other domains separately. If we add options we should add them as
> fully documented options (and mark them as deprecated similar to "lsa
> over netlogon").
> 
> But I guess restoring this without option would be the simplest way
> of doing it...

We can always try again for 4.7.  The case about NFS is really
persuasive to me.  I think going back to how things were for 4.5 sounds
the least disruptive, and we think about options to control this in the
4.7 release for September.  

I don't think we will ever get away from this use case, at least in the
single domain/forest, but it seems to me that S4U2Self or tokenGroups
to a GC should be enough for that.

Andrew Bartlett


-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
