[Samba] samba4 and sssd and user mapping

Björn JACKE bj at SerNet.DE
Wed Jan 22 14:04:27 MST 2014

Hi Denis,

On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> on a server running samba4 with sssd for nsswitch mapping, I
> realized recently that on windows workstation in the "folder
> property/security tab", users are mapped as "Unix user\userlogin"
> instead of "DOMAINNAME\userlogin".

First question I need to ask: which mode do you run Samba in? Are you running
Samba in an AD server mode (samba binary) or do you run Samba in classic mode
(nmbd/smbd binary)?

If you run Samba in AD server mode, the best option is currently to use
only the really needed fileserver functionality, that means usually you should
not have other shares than the sysvol/netlogon share. Also using winbind in AD
server mode is not necessary at all, you will have numeric UIDs on the server
but that is okay. You also should not use a Windows AD server as a file/print
server. Set up a member server to do the other file serving tasks.

If you run Samba in classic mode, then running it along with Winbind is the
only supported option for a member server.

On a member server where the source of the AD users is any different NSS source
than nss_winbind you have to configure the idmap nss backend. Theoretically
this would also be required if you would use sssd.

Because I read the sssd recommendations so often on the list recently - once
more: sssd is NOT the right thing for Samba member server setups.

