[Samba] samba4 and sssd and user mapping

steve steve at steve-ss.com
Thu Jan 23 01:57:07 MST 2014

On Wed, 2014-01-22 at 22:04 +0100, Björn JACKE wrote:
> Hi Denis,
> On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> > on a server running samba4 with sssd for nsswitch mapping, I
> > realized recently that on windows workstation in the "folder
> > property/security tab", users are mapped as "Unix user\userlogin"
> > instead of "DOMAINNAME\userlogin".
> first question I need to ask: which mode do you run samba in? Are you running
> Samba in an AD server mode (samba binary) or do you run Samba in classic mode
> (nmbd/smbd binary)?
> If you run Samba in AD server mode, the best option is currently to use
> only the really needed fileserver functionality, that means usually you should
> not have other shares than the sysvol/netlogon share. Also using winbind in AD
> server mode is not necessary at all, you will have numeric UIDs on the server
> but that is okay. You also should not use a Windows AD server as a file/print
> server. Set up a member server to do the other file serving tasks.
> If you run Samba in classic mode, then running it along with Winbind is the
> only supported option for a member server.

sssd, nss-ldapd and nss ldap are also supported (and recommended)
alternatives to winbind. Indeed, on the DC winbind does not work for all
of rfc2307 as offered out of the box with the former.

> On a member server where the source of the AD users is any different NSS source
> than nss_winbind you have to configure the idmap nss backend. Theoretically
> this would also be required if you would use sssd.

No idmap mapping has to be configured for sssd. There is a single
configuration file which most of us here have little if any difficulty
with. Indeed, there is a (albeit rather outdated) howto for sssd in the
samba wiki. Similarly for nss-ldapd.

> Because I read the sssd recommendations so often on the list recently - once
> more: sssd is NOT the right thing for Samba member server setups.

sssd is perfect for samba4 member server setups, not least for its
superb and modern AD backend designed around the Samba4 libraries.

Just my €0.02

> Björn
