[Samba] Security = ADS and uidnumbers

Jonathan Buzzard jonathan at buzzard.me.uk
Thu Jun 6 03:19:51 MDT 2013

On Thu, 2013-06-06 at 10:25 +0200, steve wrote:
> On Wed, 2013-06-05 at 23:13 +0100, Jonathan Buzzard wrote:
> > 
> > As far as I can tell sssd does not provide a mechanism for the smbd on 
> > at least 3.5 (the 4.x series might be different but the OP is running 
> > 3.6) to see an incoming SID and work out the UID.
> It would be pretty useless without. It does the same job as nss-ldapd
> and idmap_rid.

Not really, sssd is primarily designed for attaching a Linux/Unix box to
a domain and getting a UID/GID, group membership etc. for a username. I
can attach my Linux workstation to AD and everything is good, and there
is absolutely no need to do anything with a SID. Excepting internally
the libsss_ad backend might want to turn a UID into a SID to check on
group membership. However there would be no need to expose this outside
the backend.

You only need to be able to turn a SID into a UID or GID or username if
you have a Windows client attaching to your Linux/Unix box wanting file

Looking at the Samba 3.x source (specifically 3.6.15) I can find
absolutely no reference whatsoever to sssd. I am somewhat at a loss to
understand how a smbd process can therefore use sssd to turn a SID into
a UID etc.

For the OP who is running Debian the sssd packages are not a dependency
or even suggested for any of the Samba packages. 

So given the OP wants consistent UID's on presumably his Samba file
server running a 3.6.x variant of Samba how does sssd help?


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

More information about the samba mailing list