[Samba] Using SSSD + AD with Samba seems to require Winbind be running
Rowland penny
rpenny at samba.org
Wed Aug 12 13:49:11 UTC 2020
On 12/08/2020 14:26, Robert Marcano via samba wrote:
>
> Wrong: see
> https://github.com/samba-team/samba/blob/master/source3/winbindd/winbindd_dual.c#L1821
> if Kerberos keytab is used, machine password is never updated
> periodically
Wrong, but to be honest it depends on which keytab you are referring to.
If, as you said, it is 'kerberos method = secrets and keytab', then the
keytab is one in memory, and the default setting of 'machine password
timeout = 604800' will cause winbind to change the machine password
every 7 days.
>
> No one is talking about brokenness, SSSD is able to update the
> password, if one changes the password (SSSD), the other one needs to
> know (Samba). It is a new feature of SSSD to notify Samba about the
> change.
It is broken if you end up with two different machine passwords ;-)
>
> Note: people love to say that Red Hat discourages the usage of Samba or
> that they don't care (or things like that) but adding these features
> to SSSD shows otherwise, they care, they don't support Samba as an AD
> server but they do as a member server.
Never said they don't care, just that it seems like they do not want you
to use Samba. Here is an example: you are running CentOS 7 with Samba as
a PDC with LDAP and smbldap-tools (something that I advise upgrading
from, but hey, I understand that not everyone can in the short term and
Samba still supports them), and you cannot upgrade to CentOS 8. Why?
Because OpenLDAP and smbldap-tools are no longer provided.
>
>> I do not understand why the red-hat tools are used on a Samba server,
>> what is wrong with the Samba tools? rds.
>
You never really explained what is wrong with the Samba tools.
Rowland