[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users

[George]

> I don't see where I'd need any "mapping magic" at this point and why the
> incoming user shouldn't be just passed to NSS without another mapping
> layer inbetween. The IDs are thanks to SSSD as NSS backend consistent
> throughout the whole infrastructure.

Hi!

As per I understand the documentation, without winbind running (and
without any related options on smb.conf), smbd should fall back to use
local or NSS for resolving everything, exactly as you say.

As per I was able to test myself, and as per several lists posts, this
doesn't work the way one would expect. I have just made a quick test
by disabling winbind on a member server, and user mappings on the
Windows side do not work as expected (it looks like Samba can't match
the AD user with the "NSS retrieved user"). Devs have mentioned on
several oppportunities that winbind should be running anyway, as it
provides smbd with this kind of info. All this makes sense, if smbd
would be able to fully interact with NSS directly, what would be the
purpose of the NSS idmap backend??

My setup is exactly like what you are trying to achieve. I use sssd to
keep the Unix mapping consistent on every server (works great, getent
passwd is consistent everywhere). Still, on member servers I had to
configure winbind nss idmap properly, otherwise I was not able to
properly set permissions on the shares.

Anyway, I don't know if this is the source of the issues you mentioned
on your first post...

Best regards.

George