[Samba] Samba4 changing a user's password from linux workstation

Luc Lalonde Luc.Lalonde at polymtl.ca
Tue May 14 13:35:59 UTC 2019


Hello Rowland,

We’ve been using SSSD with Active Directory for a few years now… It’s been solid for us.

Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts with POSIX attributes defined in AD (uidNumber, gidNumber, unixHomeDirectory, loginShell).

Before putting into production, I tested using Winbind and could not get it to do what I wanted.   If I remember correctly, I had problems with groups.   I didn’t want DOMAIN\groupname…  just groupname to show.   I don’t remember why this was causing me problems… just that this was the main reason.

At the time, I found that the documentation for integrating AD with Linux was best documented… in particular at RedHat:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/summary-direct

They give further reasons for choosing SSSD over Winbind in that document.

Cheers, Luc.

> On May 14, 2019, at 8:13 AM, Rowland penny via samba <samba at lists.samba.org> wrote:
> 
> On 14/05/2019 12:58, Julien TEHERY via samba wrote:
>>>> I've gotten pretty unhappy with "realmd" and "sssd". They try to hide
>>>> a lot of steps away from the user, but the internal interactions are a
>>>> bit of a "mousetrap" game. When it works, you get the mouse. But if
>>>> any of the many steps are even slightly worn, it becomes erratic or
>>>> fails.
>>>> 
>>> 
>>> 
>>> 
>> Update: In fact I succeeded in resetting user password from a linux workstation with kpasswd through pam_sssd.
>> At the beginning I thought we were prompted directly for new password, but we had to first type in the old one before choosing a new one.
>> 
> kpasswd has nothing to do with sssd, it prompts for the old password, then the new password (twice), it then changes the user's password.
> 
> smbpasswd works in the same way (and it works with AD)
> 
> I cannot understand why anybody uses sssd, it is a program that requires separate configuration and does very little that winbind (only one config file) doesn't. Just what does sssd give you, what do you need it for?
> 
> Rowland