[Samba] Security = ADS and uidnumbers
Jonathan Buzzard
jonathan at buzzard.me.uk
Thu Jun 6 03:19:51 MDT 2013
On Thu, 2013-06-06 at 10:25 +0200, steve wrote:
> On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
>
> >
> > As far as I can tell sssd does not provide a mechanism for the smbd on
> > at least 3.5 (the 4.x series might be different but the OP is running
> > 3.6) to see an incoming SID and work out the UID.
>
> It would be pretty useless without. It does the same job as nss-ldapd
> and idmap_rid.

Not really, sssd is primarily designed for attaching a Linux/Unix box to
a domain and getting a UID/GID, group membership etc. for a username. I
can attach my Linux workstation to AD and everything is good, and there
is absolutely no need to do anything with a SID. Excepting internally
the libsss_ad backend might want to turn a UID into a SID to check on
group membership. However there would be no need to expose this outside
the backend.

You only need to be able to turn a SID into a UID or GID or username if
you have a Windows client attaching to your Linux/Unix box wanting file
serving.

Looking at the Samba 3.x source (specifically 3.6.15) I can find
absolutely no reference whatsoever to sssd. I am somewhat at a loss to
understand how an smbd process can therefore use sssd to turn a SID into
a UID etc.

For the OP who is running Debian the sssd packages are not a dependency
or even suggested for any of the Samba packages.

So given the OP wants consistent UIDs on presumably his Samba file
server running a 3.6.x variant of Samba how does sssd help?

JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
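
For reference, the SID-to-UID direction discussed in this message, sketched with the arithmetic documented in the idmap_rid(8) man page (ID = RID - BASE_RID + LOW_RANGE_ID). This is an added Python illustration, not part of the original post and not Samba's code; the domain SID and the ID range are constructed values.

```python
import re

# Constructed sample values (assumptions, not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
LOW, HIGH = 10000, 19999          # the configured idmap range for this domain

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def split_sid(sid):
    """Split a textual SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subauths = m.group(2).lstrip("-").split("-")
    if len(subauths) < 2:
        raise ValueError(f"SID has no RID under a domain: {sid!r}")
    domain = f"S-1-{m.group(1)}-" + "-".join(subauths[:-1])
    return domain, int(subauths[-1])

def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0):
    """Map an incoming SID to a UID/GID; None if it cannot be mapped."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        return None               # SID belongs to another domain
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None               # would fall outside the configured range
    return unix_id

def unix_id_to_sid(unix_id, domain_sid=DOMAIN_SID, low=LOW, high=HIGH, base_rid=0):
    """Reverse mapping: UID/GID back to a SID in the same domain."""
    if not low <= unix_id <= high:
        return None
    return f"{domain_sid}-{unix_id - low + base_rid}"

if __name__ == "__main__":
    for sid in (DOMAIN_SID + "-1105", DOMAIN_SID + "-20000", "S-1-5-32-544"):
        print(sid, "->", sid_to_unix_id(sid))
```

Because the result depends only on the RID and the configured range, every server using the same range arrives at the same UID for a given account without any shared mapping database.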