[Samba] Unable to map AD Users to existing local Unix users since 4.8.x
rpenny at samba.org
Thu Jun 4 19:07:41 UTC 2020
On 04/06/2020 19:58, Bivans, Crispin via samba wrote:
> Rowland said:
>>> Is there a set of settings to restore the mapping of AD users to pre-existing Unix Users?
>>> Does the official Samba distributed project source continue to support AD Users mapping to pre-existing Unix Users?
>> I do not think it ever did.
> I found this reference quickly from Google describing the previous behavior.
> Winbind was always optional until perhaps recently.
> This functionality I know has worked from early 2000's (roughly 2002) until last year.
> From page:
> "A Samba member of a Windows networking domain (NT4-style or ADS) can be configured to handle identity mapping in a variety of ways. The mechanism it uses depends on whether or not the winbindd daemon is used and how the winbind functionality is configured. The configuration options are briefly described here:
> Winbind is not used; users and groups are local:
> Where winbindd is not used Samba (smbd) uses the underlying UNIX/Linux mechanisms to resolve the identity of incoming network traffic. This is done using the LoginID (account name) in the session setup request and passing it to the getpwnam() system function call. This call is implemented using the name service switch (NSS) mechanism on modern UNIX/Linux systems. By saying "users and groups are local," we are implying that they are stored only on the local system, in the /etc/passwd and /etc/group respectively.
> For example, when the user BERYLIUM\WambatW tries to open a connection to a Samba server the incoming SessionSetupAndX request will make a system call to look up the user WambatW in the /etc/passwd file."
>>> Do we just need to compile our own Samba to get back that functionality?
>> How? The functionality that let your system work has been removed.
> Can you point me to a Release Changes note that says explicitly that Winbind is now required or that mapping of AD users to local unix accounts has been removed?
Yes, see here:
Samba did a lot of things back in the NT4-style domain days, some of
which dragged into the start of the AD client setups; quite a few of
them were not really a good idea.
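
The name-only lookup described in the documentation quoted above, as an added example that is not part of the original post and not Samba code: it drops the domain prefix, looks the account name up in passwd-format data, and groups incoming names by the local uid they would land on. The passwd content, the session names other than BERYLIUM\WambatW, and the lower-case fallback are assumptions made for illustration.

```python
# Added illustration, not Samba code. All sample data below is constructed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wambatw:x:1001:1001:W Wambat:/home/wambatw:/bin/bash
svc_backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Return {login: (uid, gid)} from passwd(5)-format text."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip it
        table[fields[0]] = (int(fields[2]), int(fields[3]))
    return table

def resolve_by_name(session_name, table):
    """Drop the DOMAIN\\ prefix and look the account name up locally.

    Assumption: exact match first, then lower case. Samba's real
    case handling may differ.
    """
    account = session_name.rsplit("\\", 1)[-1]
    for candidate in (account, account.lower()):
        if candidate in table:
            return candidate, table[candidate]
    return None

def audit(session_names, table):
    """Group incoming names by the local uid they would resolve to."""
    by_uid, unmapped = {}, []
    for name in session_names:
        hit = resolve_by_name(name, table)
        if hit is None:
            unmapped.append(name)
        else:
            by_uid.setdefault(hit[1][0], []).append(name)
    return by_uid, unmapped

if __name__ == "__main__":
    names = [r"BERYLIUM\WambatW", r"OTHERDOM\wambatw",
             r"BERYLIUM\Administrator", "root"]
    print(audit(names, parse_passwd(SAMPLE_PASSWD)))
```

Because only the account name takes part in the lookup, accounts from different domains that share a name resolve to the same local uid, which is worth checking before relying on name-based mapping.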