[Samba] samba4 and sssd and user mapping

Björn JACKE bj at SerNet.DE
Fri Jan 24 08:51:27 MST 2014


On 2014-01-23 at 08:14 -0200 Márcio Merlone sent off:
> On 22-01-2014 19:04, Björn JACKE wrote:
> >On 2014-01-20 at 11:25 +0100 Denis Cardon sent off:
> >>on a server running samba4 with sssd for nsswitch mapping, I
> >>realized recently that on windows workstation in the "folder
> >>property/security tab", users are mapped as "Unix user\userlogin"
> >>instead of "DOMAINNAME\userlogin".
> >(...)
> >Because I read the sssd recommendations so often on the list recently - once
> >more: sssd is NOT the right thing for Samba member server setups.
> 
> Scary. Why do you say so? Any rationale?

winbind is interacting with smbd for id mapping and authentication. If you
configured it right, it will work nicely, even if you can read rants on winbind
of one or two people in this list over and over again.

sssd supports user authentication for the pam stack nicely but this is not what
smbd needs. sssd also just provides a flat view on the users and groups from an
AD domain with no distinction between local accounts or accounts from domain A
or domain B.  sssd uses samba libraries but it does not play information back
to smbd like winbind does. As written before you would have to configure idmap
nss and run winbind in addition to sssd but you will still have the problems
with the flat view on the user and group name space. If someone on the list
writes that sssd in Samba member servers is supported, then this is a personal
opinion of that person but this is the opposite of what the samba developers tell
you.

The problem that Denis described in the beginning of this thread is a result of
such a sssd/smbd misconfiguration. If you see any recommendation about sssd in
combination with smbd member server setups in the wiki, please let me know, so
we can correct it.

Cheers
Björn